mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-28 15:58:24 +01:00
23dd0236ae
* Add detection links for scripts * Add detection links for OtherMSBins. Fixed and updated as needed. * Add detection links for MSBins. Fixed and updated as needed. * Add detection links for oslibraries * Updating template for Detections * Removing empty Detection:Sigma entries * Remove redundant blank line * Replacing commit URL with file URL Co-authored-by: root <root@DESKTOP-5CR935D.localdomain> Co-authored-by: Wietze <wietze@users.noreply.github.com>
37 lines
1.9 KiB
YAML
37 lines
1.9 KiB
YAML
---
|
|
Name: Dllhost.exe
|
|
Description: Used by Windows to DLL Surrogate COM Objects
|
|
Author: 'Nasreddine Bencherchali'
|
|
Created: '2020-11-07'
|
|
Commands:
|
|
- Command: dllhost.exe /Processid:{CLSID}
|
|
Description: Use dllhost.exe to load a registered or hijacked COM Server payload.
|
|
Usecase: Execute a DLL Surrogate COM Object.
|
|
Category: Execute
|
|
Privileges: User
|
|
MitreID: T1546.015
|
|
OperatingSystem: Windows 10 (and likely previous versions)
|
|
Full_Path:
|
|
- Path: C:\Windows\System32\dllhost.exe
|
|
- Path: C:\Windows\SysWOW64\dllhost.exe
|
|
Code_Sample:
|
|
- Code:
|
|
Detection:
|
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
|
|
- Splunk: https://github.com/splunk/security_content/blob/552b67da9452fb0765e3624b3d6e3ef6c0508bda/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
|
|
- Splunk: https://github.com/splunk/security_content/blob/961a81d4a5cb5c5febec4894d6d812497171a85c/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml
|
|
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
|
|
- Elastic: https://github.com/elastic/detection-rules/blob/c457614e37bf7b6db02de84c7fa71a5620783236/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
|
|
- IOC: DotNet CLR libraries loaded into dllhost.exe
|
|
- IOC: DotNet CLR Usage Log - dllhost.exe.log
|
|
- IOC: Suspicious network connectings originating from dllhost.exe
|
|
Resources:
|
|
- Link: https://twitter.com/CyberRaiju/status/1167415118847598594
|
|
- Link: https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
|
|
Acknowledgement:
|
|
- Person: Jai Minton
|
|
Handle: '@CyberRaiju'
|
|
- Person: Nasreddine Bencherchali
|
|
Handle: '@nas_bench'
|
|
---
|