Emerging Threat | medium | test

DLL Names Used By SVR For GraphicalProton Backdoor

Hunts for known SVR-specific DLL names loaded by the GraphicalProton backdoor.

Author: CISA
Created: Mon Dec 18, 2023
Rule ID: e64c8ef3-9f98-40c8-b71e-96110991cb4c
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
Product: Windows (raw: windows)
Category: Image Load (DLL) (raw: image_load)
Detection Logic (1 selector)
detection:
    selection:
        ImageLoaded|endswith:
            - '\AclNumsInvertHost.dll'
            - '\AddressResourcesSpec.dll'
            - '\BlendMonitorStringBuild.dll'
            - '\ChildPaletteConnected.dll'
            - '\DeregisterSeekUsers.dll'
            - '\HandleFrequencyAll.dll'
            - '\HardSwapColor.dll'
            - '\LengthInMemoryActivate.dll'
            - '\ModeBitmapNumericAnimate.dll'
            - '\ModeFolderSignMove.dll'
            - '\ParametersNamesPopup.dll'
            - '\PerformanceCaptionApi.dll'
            - '\ScrollbarHandleGet.dll'
            - '\UnregisterAncestorAppendAuto.dll'
            - '\WowIcmpRemoveReg.dll'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
e64c8ef3-9f98-40c8-b71e-96110991cb4c
Status
test
Level
medium
Type
Emerging Threat
Created
Mon Dec 18, 2023
Author
CISA
Path
rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml
Raw Tags
attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001, detection.emerging-threats