Potential Persistence Via AutodialDLL

Sigma Rules

Summary
This detection rule monitors modifications to the Windows Registry value 'AutodialDLL', which names the Dynamic Link Library (DLL) that the Windows Sockets 2 (WinSock2) library loads for auto-dial handling. Because the DLL named there is loaded into processes that use WinSock2, pointing the value at an attacker-controlled DLL is a persistence mechanism that lets an intruder keep executing code on a host after the initial compromise. The rule applies to Windows systems and flags writes to this value so that an analyst can determine whether the change is an authorized configuration update or an attempt to establish persistence. Since this value is rarely changed in normal operation, any unexpected modification warrants prompt investigation.
Categories
  • Windows
Data Sources
  • Windows Registry
Created: 2022-08-10