Windows Server Software Component GACUtil Install to GAC

Splunk Security Content

Summary
This detection rule identifies instances where GACUtil.exe is used to add a .DLL file to the Global Assembly Cache (GAC) on a Windows host. It reads process-execution telemetry from Sysmon, Windows Event Logs, and CrowdStrike ProcessRollup2 and matches on the process name together with the command-line switches that install an assembly; it is a pattern match on specific command-line usage, not a statistical analysis. The rule matters because an assembly placed in the GAC is loaded by every .NET application that references it, so an attacker who can write to the GAC (for example by registering a malicious IIS module, the behaviour covered by T1505.004) gains code execution inside those processes. That gives persistence and, when the loading process runs with higher privileges than the attacker, privilege escalation. Monitoring GACUtil usage is therefore a direct way to catch unauthorized code deployment; on developer and build hosts where GACUtil is run routinely, triage hits against the parent process and the path of the installed assembly rather than alerting on every invocation.
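The rule's matching logic, as an added example written for this page rather than the Splunk rule's own SPL: it applies the same criteria (process name gacutil.exe plus an install switch on the command line) to constructed process-creation records shaped like the Endpoint.Processes fields the rule reads. The sample events, the set of build-tool parent processes used for triage, and the severity labels are this example's assumptions, not part of the rule.

```python
"""Flag gacutil.exe invocations that install an assembly into the GAC.

Added example, not the Splunk rule's own code. Records mimic the
Endpoint.Processes datamodel fields (dest, user, parent_process_name,
process_name, process) that Sysmon EID 1, Windows 4688 and CrowdStrike
ProcessRollup2 are normalized into.
"""
import re

# gacutil accepts "/" or "-" as the switch prefix and is case-insensitive.
# Install switches: /i (install), /if (force), /il (from list file),
# /ir (install with traced reference). Listing (/l) and uninstall (/u) are
# deliberately not matched.
INSTALL_SWITCH = re.compile(r"^[/-]i[flr]?$", re.IGNORECASE)

# Parents that routinely drive gacutil on developer/build hosts.
# Assumption for this example, not a list taken from the rule.
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}

# Constructed sample events written for this example.
SAMPLE_EVENTS = [
    {"dest": "web01", "user": "CORP\\svc_deploy", "parent_process_name": "cmd.exe",
     "process_name": "gacutil.exe",
     "process": r'"C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\gacutil.exe" /i C:\Windows\Temp\HttpModule.dll'},
    {"dest": "dev03", "user": "CORP\\alice", "parent_process_name": "devenv.exe",
     "process_name": "GacUtil.exe",
     "process": r'GacUtil.exe -if C:\src\MyLib\bin\Release\MyLib.dll'},
    {"dest": "web01", "user": "CORP\\svc_deploy", "parent_process_name": "cmd.exe",
     "process_name": "gacutil.exe",
     "process": r'gacutil.exe /l System.Web'},
    {"dest": "web02", "user": "NT AUTHORITY\\SYSTEM", "parent_process_name": "w3wp.exe",
     "process_name": "cmd.exe",
     "process": r'cmd.exe /c whoami'},
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def install_target(cmdline):
    """Return the argument following the first install switch, "" if the switch
    has no argument, or None if the command line installs nothing.

    The first token (the executable path) is skipped so a directory named
    "-i" in the path cannot trigger a match.
    """
    tokens = tokenize(cmdline)
    for i, tok in enumerate(tokens[1:], start=1):
        if INSTALL_SWITCH.match(tok):
            return tokens[i + 1] if i + 1 < len(tokens) else ""
    return None


def detect(events):
    """Apply the rule: a gacutil.exe process whose command line installs an assembly."""
    findings = []
    for ev in events:
        if ev["process_name"].lower() != "gacutil.exe":
            continue
        target = install_target(ev["process"])
        if target is None:
            continue
        parent = ev["parent_process_name"].lower()
        findings.append({
            "dest": ev["dest"],
            "user": ev["user"],
            "parent": ev["parent_process_name"],
            "assembly": target,
            # Triage hint: build tooling is expected to call gacutil; anything
            # else (a shell, a web worker, an office app) deserves an alert.
            "severity": "review" if parent in BUILD_PARENTS else "alert",
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints two findings: the install of HttpModule.dll from C:\Windows\Temp launched by cmd.exe on web01 (alert), and the Visual Studio driven install on dev03 (review). The listing-only invocation and the unrelated cmd.exe event are not reported.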
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
  • Application Log
  • Command
ATT&CK Techniques
  • T1505
  • T1505.004
Created: 2024-11-13