Sigma rule | Level: high | Hunting
Aruba Network Service Potential DLL Sideloading
Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
Detection Query
selection:
    Image|endswith: \arubanetsvc.exe
    ImageLoaded|endswith:
        - \wtsapi32.dll
        - \msvcr100.dll
        - \msvcp100.dll
        - \dbghelp.dll
        - \dbgcore.dll
        - \wininet.dll
        - \iphlpapi.dll
        - \version.dll
        - \cryptsp.dll
        - \cryptbase.dll
        - \wldp.dll
        - \profapi.dll
        - \sspicli.dll
        - \winsta.dll
        - \dpapi.dll
filter:
    ImageLoaded|startswith:
        - C:\Windows\System32\
        - C:\Windows\SysWOW64\
        - C:\Windows\WinSxS\
condition: selection and not filter
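The `selection and not filter` logic of this rule, evaluated over a handful of constructed Sysmon-style image-load events. This is an added example, not code from the Sigma rule or the Sigma project: the matching mirrors Sigma's `endswith`/`startswith` semantics (case-insensitive string comparison), and the event records, event IDs and file paths in it are made up for illustration.

```python
"""Apply the rule's `selection and not filter` logic to image_load events.

Added example: the matching below mirrors Sigma's string-modifier semantics
(endswith/startswith compare case-insensitively). The event records are
constructed for this example; the file paths in them are hypothetical.
"""
from __future__ import annotations

from typing import Dict, Iterable, List

# ImageLoaded|endswith values from the rule's selection block.
SIDELOAD_CANDIDATES = tuple(
    s.lower()
    for s in (
        "\\wtsapi32.dll", "\\msvcr100.dll", "\\msvcp100.dll", "\\dbghelp.dll",
        "\\dbgcore.dll", "\\wininet.dll", "\\iphlpapi.dll", "\\version.dll",
        "\\cryptsp.dll", "\\cryptbase.dll", "\\wldp.dll", "\\profapi.dll",
        "\\sspicli.dll", "\\winsta.dll", "\\dpapi.dll",
    )
)

# ImageLoaded|startswith values from the rule's filter block.
TRUSTED_PREFIXES = tuple(
    s.lower()
    for s in (
        "C:\\Windows\\System32\\",
        "C:\\Windows\\SysWOW64\\",
        "C:\\Windows\\WinSxS\\",
    )
)

# Image|endswith value from the rule's selection block.
LOADER = "\\arubanetsvc.exe"


def selection(event: Dict[str, str]) -> bool:
    """Image ends with the Aruba service name and ImageLoaded ends with a listed DLL."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    return image.endswith(LOADER) and any(loaded.endswith(d) for d in SIDELOAD_CANDIDATES)


def trusted_location(event: Dict[str, str]) -> bool:
    """ImageLoaded starts with one of the trusted Windows directories.

    Because this is a prefix match, every subdirectory of those trees is
    excluded as well, not just the directories themselves.
    """
    loaded = event.get("ImageLoaded", "").lower()
    return any(loaded.startswith(p) for p in TRUSTED_PREFIXES)


def matches_rule(event: Dict[str, str]) -> bool:
    """condition: selection and not filter"""
    return selection(event) and not trusted_location(event)


def run_detection(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the EventId of every event the rule would alert on."""
    return [e["EventId"] for e in events if matches_rule(e)]


# Constructed Sysmon-style (Event ID 7) records; install and DLL paths are hypothetical.
SAMPLE_EVENTS = [
    {"EventId": "1", "Image": "C:\\Program Files\\Aruba\\arubanetsvc.exe",
     "ImageLoaded": "C:\\Windows\\System32\\VERSION.dll"},          # trusted dir, mixed case: filtered out
    {"EventId": "2", "Image": "C:\\Program Files\\Aruba\\arubanetsvc.exe",
     "ImageLoaded": "C:\\Program Files\\Aruba\\version.dll"},        # DLL beside the EXE: alert
    {"EventId": "3", "Image": "C:\\Program Files\\Aruba\\ArubaNetSvc.exe",
     "ImageLoaded": "C:\\Users\\Public\\wtsapi32.dll"},              # process name case differs: still alert
    {"EventId": "4", "Image": "C:\\Windows\\notepad.exe",
     "ImageLoaded": "C:\\Users\\Public\\version.dll"},               # wrong process: no alert
    {"EventId": "5", "Image": "C:\\Program Files\\Aruba\\arubanetsvc.exe",
     "ImageLoaded": "C:\\Windows\\SysWOW64\\msvcr100.dll"},          # trusted 32-bit dir: filtered out
    {"EventId": "6", "Image": "C:\\Program Files\\Aruba\\arubanetsvc.exe",
     "ImageLoaded": "C:\\Windows\\Temp\\wldp.dll"},                  # under C:\Windows but not a trusted prefix: alert
    {"EventId": "7", "Image": "C:\\Program Files\\Aruba\\arubanetsvc.exe",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\dpapi.dll"},    # subdirectory of System32: still filtered out
    {"EventId": "8", "Image": "C:\\Program Files\\Aruba\\arubanetsvc.exe",
     "ImageLoaded": "C:\\Program Files\\Aruba\\kernel32.dll"},       # not a listed DLL: no alert
]


if __name__ == "__main__":
    for eid in run_detection(SAMPLE_EVENTS):
        ev = next(e for e in SAMPLE_EVENTS if e["EventId"] == eid)
        print(f"ALERT event {eid}: {ev['Image']} loaded {ev['ImageLoaded']}")
```

Two properties of the rule worth keeping in mind when tuning it are visible in the sample events: the filter is a literal prefix match, so it quietly excludes every subdirectory of the three trusted trees (event 7) and stops working if Windows lives on a drive other than C: (every legitimate load would then alert); and anything loaded from outside those trees, including the application's own install directory (event 2), alerts. The rule lists its false positives as unknown, so baseline which of these DLLs the service legitimately loads from its own directory before running it at high severity.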
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-01-22
Data Sources
windows / Image Load Events
Platforms
windows
Tags
attack.defense-evasion, attack.privilege-escalation, attack.persistence, attack.t1574.001
Raw Content
title: Aruba Network Service Potential DLL Sideloading
id: 90ae0469-0cee-4509-b67f-e5efcef040f7
status: test
description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
references:
    - https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-03-15
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\arubanetsvc.exe'
        ImageLoaded|endswith:
            - '\wtsapi32.dll'
            - '\msvcr100.dll'
            - '\msvcp100.dll'
            - '\dbghelp.dll'
            - '\dbgcore.dll'
            - '\wininet.dll'
            - '\iphlpapi.dll'
            - '\version.dll'
            - '\cryptsp.dll'
            - '\cryptbase.dll'
            - '\wldp.dll'
            - '\profapi.dll'
            - '\sspicli.dll'
            - '\winsta.dll'
            - '\dpapi.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high