
Added detection for .pri files

Open goosvorbook opened this issue 4 years ago • 2 comments

"FoggyWeb is stored in the encrypted file Windows.Data.TimeZones.zh-PH.pri, while the malicious file version.dll can be described as its loader."

goosvorbook avatar Sep 29 '21 07:09 goosvorbook

I don't think that this works. The .pri doesn't get loaded as a DLL but gets opened by the malicious DLL. I don't think it would appear as an ImageLoad event.

Neo23x0 avatar Sep 29 '21 18:09 Neo23x0

I don't think that this works. The .pri doesn't get loaded as a DLL but gets opened by the malicious DLL. I don't think it would appear as an ImageLoad event.

In the reference:

After compromising an AD FS server, NOBELIUM was observed dropping the following two files on the system (administrative privileges are required to write these files to the folders listed below): %WinDir%\ADFS\version.dll %WinDir%\SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri

So it is a file_event rule, and the Sysmon directive to write if needed.

frack113 avatar Sep 29 '21 18:09 frack113
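An added worked example, not code from the Sigma project or from anyone in this thread: the two dropped paths quoted from the Microsoft reference expressed as a Sigma-style `file_event` detection with `TargetFilename|endswith`, evaluated in Python against constructed Sysmon events. It shows that the `.pri` only appears in FileCreate (Event ID 11) records, never in ImageLoad (Event ID 7) records, which is the point Neo23x0 and frack113 make above. The Sysmon event records are constructed sample data.

```python
"""Constructed example: matching the FoggyWeb dropped files as a Sigma
file_event rather than an image_load. Paths come from the Microsoft text
quoted in the thread; the Sysmon events below are constructed samples."""

# Sigma-style detection: category file_event, TargetFilename|endswith.
# Backslashes are doubled only because these are Python literals.
FILE_EVENT_DETECTION = {
    "category": "file_event",
    "field": "TargetFilename",
    "endswith": [
        "\\ADFS\\version.dll",
        "\\SystemResources\\Windows.Data.TimeZones\\pris\\Windows.Data.TimeZones.zh-PH.pri",
    ],
}

# The same suffixes as an image_load detection, for comparison.
IMAGE_LOAD_DETECTION = {
    **FILE_EVENT_DETECTION,
    "category": "image_load",
    "field": "ImageLoaded",
}

# Sysmon Event ID -> Sigma category (11 = FileCreate, 7 = Image loaded).
SYSMON_CATEGORY = {11: "file_event", 7: "image_load"}

# Constructed Sysmon events: the loader DLL is both written and mapped as
# an image; the .pri is only written, then read by the DLL, so no
# ImageLoad record ever exists for it. A benign .pri is included as noise.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Windows\ADFS\version.dll"},
    {"EventID": 11, "TargetFilename": r"C:\Windows\SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri"},
    {"EventID": 7, "ImageLoaded": r"C:\Windows\ADFS\version.dll"},
    {"EventID": 11, "TargetFilename": r"C:\Windows\SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.en-US.pri"},
]


def matches(detection, event):
    """Sigma endswith semantics: category must match, comparison is case-insensitive."""
    if SYSMON_CATEGORY.get(event["EventID"]) != detection["category"]:
        return False
    value = event.get(detection["field"], "").lower()
    return any(value.endswith(suffix.lower()) for suffix in detection["endswith"])


def matched_paths(detection, events):
    """Return the paths of every event the detection fires on, in log order."""
    return [e[detection["field"]] for e in events if matches(detection, e)]


if __name__ == "__main__":
    print("file_event :", matched_paths(FILE_EVENT_DETECTION, SAMPLE_EVENTS))
    print("image_load :", matched_paths(IMAGE_LOAD_DETECTION, SAMPLE_EVENTS))
```

Run as-is, the file_event variant reports both dropped files while the image_load variant reports only version.dll, so a rule keyed on ImageLoad would miss the .pri entirely.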