Skip to content

Hide Navigation Hide TOC

Files With System DLL Name In Unsuspected Locations (13c02350-4177-4e45-ac17-cf7ca628ff5e)

Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations. (Outisde of "System32", "SysWOW64", etc.). It is highly recommended to perform an initial baseline before using this rule in production.

Cluster A Galaxy A Cluster B Galaxy B Level
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Files With System DLL Name In Unsuspected Locations (13c02350-4177-4e45-ac17-cf7ca628ff5e) Sigma-Rules 1
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2