DLL Search Order Hijacking (MITRE ATT&CK T1574.001): SafeDllSearchMode set to 0

index=*
(
  ((EventCode="4688" OR EventCode="1")
    AND ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" CommandLine="*-value*"))
    AND (CommandLine="*00000000*" OR CommandLine="*0*")
    AND CommandLine="*SafeDllSearchMode*")
  OR (EventCode="4657" ObjectValueName="SafeDllSearchMode" value="0")
  OR (EventCode="13" EventType="SetValue" TargetObject="*SafeDllSearchMode" Details="DWORD (0x00000000)")
)
| fields EventCode,EventType,TargetObject,Details,CommandLine,ObjectValueName,value
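The query above has three branches: a process-creation event (Security 4688 or Sysmon 1) whose command line writes SafeDllSearchMode with reg add or Set-ItemProperty, a Security 4657 registry-value change, and a Sysmon 13 SetValue event rendering the DWORD as 0. The following is an added example, not part of the original post, that implements the same three branches in Python over constructed sample events so the logic can be exercised offline. Field names (EventCode, CommandLine, ObjectValueName, value, EventType, TargetObject, Details) follow the query; the sample command lines and registry paths are constructed for illustration. One deliberate difference from the SPL is noted in the comments: instead of matching any "0" anywhere in the command line, the value argument after /d or -Value must itself be zero, which removes a large class of false positives.

```python
import re
from typing import Iterable

# Registry value that controls safe DLL search order (MITRE ATT&CK T1574.001).
SAFE_DLL_VALUE = "SafeDllSearchMode"

# 4688 = Security process creation, 1 = Sysmon process creation,
# 4657 = Security registry value modified, 13 = Sysmon registry value set.
PROCESS_CREATE_CODES = {"4688", "1"}


def _cmdline_sets_safedll_to_zero(cmdline: str) -> bool:
    """CommandLine branch: reg add ... /d 0 or Set-ItemProperty ... -Value 0
    against SafeDllSearchMode. Lower-cased so matching is case-insensitive,
    like Splunk's wildcard comparisons."""
    c = cmdline.lower()
    if "safedllsearchmode" not in c:
        return False
    uses_reg_add = "reg" in c and "add" in c and "/d" in c
    uses_ps = "set-itemproperty" in c and "-value" in c
    if not (uses_reg_add or uses_ps):
        return False
    # Tighter than the SPL's (*00000000* OR *0*): the data argument that
    # follows /d or -value must be zero (0, 00000000, 0x0, optionally quoted).
    return re.search(r'(?:/d|-value)\s+"?(?:0x)?0+"?(?:\s|$)', c) is not None


def _sysmon_details_is_zero(details: str) -> bool:
    """Sysmon event 13 renders a DWORD value as 'DWORD (0x00000000)'."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details.strip())
    return m is not None and int(m.group(1), 16) == 0


def is_safedll_tamper(event: dict) -> bool:
    """True when the event matches one of the three detection branches."""
    code = str(event.get("EventCode", ""))
    if code in PROCESS_CREATE_CODES:
        return _cmdline_sets_safedll_to_zero(event.get("CommandLine", ""))
    if code == "4657":
        return (event.get("ObjectValueName") == SAFE_DLL_VALUE
                and str(event.get("value", "")) == "0")
    if code == "13":
        target = str(event.get("TargetObject", "")).lower()
        return (event.get("EventType") == "SetValue"
                and target.endswith(SAFE_DLL_VALUE.lower())
                and _sysmon_details_is_zero(event.get("Details", "")))
    return False


def find_tamper_events(events: Iterable[dict]) -> list:
    """Return the events that should raise an alert."""
    return [e for e in events if is_safedll_tamper(e)]


# Constructed sample events (not real telemetry) covering each branch,
# with a benign counterpart for each so the filter's precision is visible.
SESSION_MGR = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
SAMPLE_EVENTS = [
    {"EventCode": "4688",
     "CommandLine": f'reg add "{SESSION_MGR}" /v SafeDllSearchMode /t REG_DWORD /d 0 /f'},
    {"EventCode": "1",
     "CommandLine": f'powershell -c Set-ItemProperty -Path "HKLM:{SESSION_MGR[4:]}" '
                    f'-Name SafeDllSearchMode -Value 0'},
    {"EventCode": "4688",  # benign: read-only query
     "CommandLine": f'reg query "{SESSION_MGR}" /v SafeDllSearchMode'},
    {"EventCode": "4688",  # benign: re-enables the protection
     "CommandLine": f'reg add "{SESSION_MGR}" /v SafeDllSearchMode /t REG_DWORD /d 1 /f'},
    {"EventCode": "4657", "ObjectValueName": "SafeDllSearchMode", "value": "0"},
    {"EventCode": "4657", "ObjectValueName": "SafeDllSearchMode", "value": "1"},
    {"EventCode": "13", "EventType": "SetValue",
     "TargetObject": SESSION_MGR + r"\SafeDllSearchMode",
     "Details": "DWORD (0x00000000)"},
    {"EventCode": "13", "EventType": "SetValue",
     "TargetObject": SESSION_MGR + r"\SafeDllSearchMode",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for e in find_tamper_events(SAMPLE_EVENTS):
        what = e.get("CommandLine") or e.get("TargetObject") or e.get("ObjectValueName")
        print("ALERT", e["EventCode"], what)
```

Running the block flags four of the eight constructed events (the reg add /d 0, the Set-ItemProperty -Value 0, the 4657 with value 0 and the Sysmon 13 with DWORD 0) and leaves the query-only command, the /d 1 re-enable and the value-1 registry events alone. Whichever form of the rule you deploy, the value being written back to 1 is worth a separate low-severity signal, since it usually marks cleanup after the fact.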