Detectionhighexperimental
Registry Modification for OCI DLL Redirection
Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings. Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Swachchhanda Shrawan Poudel (Nextron Systems)Created Sat Jan 24c0e0bdec-3e3d-47aa-9974-05539c999c89windows
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic4 selectors
detection:
selection_ocilib:
TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLib'
filter_main_ocilib_file:
# it is looking when oci.dll name is changed to something else like evil.dll
Details|contains: 'oci.dll'
selection_ocilibpath:
TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLibPath'
filter_main_ocilibpath:
# it is looking when oci.dll path is changed to something else like 'C:\Windows\Temp\'
Details|contains: '%SystemRoot%\System32\'
condition: (selection_ocilib and not filter_main_ocilib_file) or (selection_ocilibpath and not filter_main_ocilibpath)False Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
References
MITRE ATT&CK
Rule Metadata
Rule ID
c0e0bdec-3e3d-47aa-9974-05539c999c89
Status
experimental
Level
high
Type
Detection
Created
Sat Jan 24
Path
rules/windows/registry/registry_set/registry_set_potential_oci_dll_redirection.yml
Raw Tags
attack.persistenceattack.privilege-escalationattack.defense-evasionattack.t1112attack.t1574.001