Profiling System32 binaries to detect DLL Search Order Hijacking
Tags
Common Information
| Type | Value |
|---|---|
| UUID | 2a4303bf-6a57-4b3f-8d54-bbae45fd29a2 |
| Fingerprint | 2945d8c527345b67 |
| Analysis status | DONE |
| Considered CTI value | 0 |
| Text language | |
| Published | July 26, 2022, midnight |
| Added to db | Jan. 18, 2023, 10:12 p.m. |
| Last updated | Nov. 17, 2024, 6:55 p.m. |
| Headline | What is normal? Profiling System32 binaries to detect DLL Search Order Hijacking |
| Title | Profiling System32 binaries to detect DLL Search Order Hijacking |
| Detected Hints/Tags/Attributes | 42/2/117 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://redcanary.com/blog/system32-binaries/ |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | File | 2 | shrpubw.exe |
|
| Details | File | 1 | 'shrpubw.exe |
|
| Details | File | 1 | c:\users\research\desktop\data.csv |
|
| Details | File | 50 | alg.exe |
|
| Details | File | 6 | applicationframehost.exe |
|
| Details | File | 1 | applysettingstemplatecatalog.exe |
|
| Details | File | 1 | bde.exe |
|
| Details | File | 3 | bdechangepin.exe |
|
| Details | File | 6 | bdeuisrv.exe |
|
| Details | File | 3 | bdeunlock.exe |
|
| Details | File | 2 | bitlockerwizard.exe |
|
| Details | File | 1 | changepk.exe |
|
| Details | File | 1 | cloudnotifications.exe |
|
| Details | File | 18 | compmgmtlauncher.exe |
|
| Details | File | 27 | computerdefaults.exe |
|
| Details | File | 137 | conhost.exe |
|
| Details | File | 14 | consent.exe |
|
| Details | File | 19 | credwiz.exe |
|
| Details | File | 1 | cscunpintool.exe |
|
| Details | File | 63 | ctfmon.exe |
|
| Details | File | 5 | cttune.exe |
|
| Details | File | 6 | dccw.exe |
|
| Details | File | 4 | ddodiag.exe |
|
| Details | File | 2 | devicepairingwizard.exe |
|
| Details | File | 7 | dfsvc.exe |
|
| Details | File | 6 | dialer.exe |
|
| Details | File | 6 | diskpart.exe |
|
| Details | File | 22 | dism.exe |
|
| Details | File | 3 | dmnotificationbroker.exe |
|
| Details | File | 3 | dpapimig.exe |
|
| Details | File | 2 | dpnsvr.exe |
|
| Details | File | 3 | dvdplay.exe |
|
| Details | File | 3 | dxgiadaptercache.exe |
|
| Details | File | 4 | dxpserver.exe |
|
| Details | File | 2 | easeofaccessdialog.exe |
|
| Details | File | 6 | ehstorauthn.exe |
|
| Details | File | 3 | eudcedit.exe |
|
| Details | File | 34 | eventvwr.exe |
|
| Details | File | 3 | filehistory.exe |
|
| Details | File | 13 | fontdrvhost.exe |
|
| Details | File | 4 | fvenotify.exe |
|
| Details | File | 4 | fveprompt.exe |
|
| Details | File | 3 | gamepanel.exe |
|
| Details | File | 3 | genvalobj.exe |
|
| Details | File | 3 | gfxdownloadwrapper.exe |
|
| Details | File | 6 | hvax64.exe |
|
| Details | File | 7 | hvix64.exe |
|
| Details | File | 1 | ie4ushowie.exe |
|
| Details | File | 2 | isoburn.exe |
|
| Details | File | 10 | licensingui.exe |
|
| Details | File | 3 | logoff.exe |
|
| Details | File | 2 | lpksetup.exe |
|
| Details | File | 4 | mdeserver.exe |
|
| Details | File | 2 | mdmagent.exe |
|
| Details | File | 4 | mdmappinstaller.exe |
|
| Details | File | 5 | mfpmp.exe |
|
| Details | File | 3 | mousocoreworker.exe |
|
| Details | File | 33 | msdt.exe |
|
| Details | File | 12 | msra.exe |
|
| Details | File | 4 | musnotificationux.exe |
|
| Details | File | 5 | netplwiz.exe |
|
| Details | File | 1 | netsupport.exe |
|
| Details | File | 49 | nltest.exe |
|
| Details | File | 1 | node-renamed.exe |
|
| Details | File | 2 | odbcad32.exe |
|
| Details | File | 3 | omadmclient.exe |
|
| Details | File | 5 | optionalfeatures.exe |
|
| Details | File | 1 | passwordonwakesettingflyout.exe |
|
| Details | File | 18 | perfmon.exe |
|
| Details | File | 6 | presentationsettings.exe |
|
| Details | File | 3 | printfilterpipelinesvc.exe |
|
| Details | File | 1 | proximityuxhost.exe |
|
| Details | File | 5 | quickassist.exe |
|
| Details | File | 3 | rasphone.exe |
|
| Details | File | 30 | rdpclip.exe |
|
| Details | File | 1 | rdpinput.exe |
|
| Details | File | 2 | rdpsa.exe |
|
| Details | File | 3 | rdpsauachelper.exe |
|
| Details | File | 3 | rdvghelper.exe |
|
| Details | File | 6 | recdisc.exe |
|
| Details | File | 1 | recoverydrive.exe |
|
| Details | File | 11 | regedt32.exe |
|
| Details | File | 3 | rrinstaller.exe |
|
| Details | File | 17 | rstrui.exe |
|
| Details | File | 1 | rurat.exe |
|
| Details | File | 6 | sdiagnhost.exe |
|
| Details | File | 7 | securityhealthsystray.exe |
|
| Details | File | 2 | sessionmsg.exe |
|
| Details | File | 32 | sihost.exe |
|
| Details | File | 7 | sppextcomobj.exe |
|
| Details | File | 21 | sppsvc.exe |
|
| Details | File | 1 | susp-dir.exe |
|
| Details | File | 3 | sysreseterr.exe |
|
| Details | File | 3 | systempropertiesadvanced.exe |
|
| Details | File | 3 | systempropertiescomputername.exe |
|
| Details | File | 3 | systempropertiesdataexecutionprevention.exe |
|
| Details | File | 4 | systempropertieshardware.exe |
|
| Details | File | 4 | systempropertiesperformance.exe |
|
| Details | File | 3 | systempropertiesprotection.exe |
|
| Details | File | 2 | systempropertiesremote.exe |
|
| Details | File | 6 | systemreset.exe |
|
| Details | File | 1 | systemsettingsremovedevice.exe |
|
| Details | File | 9 | tabcal.exe |
|
| Details | File | 4 | tpminit.exe |
|
| Details | File | 2 | ttdinject.exe |
|
| Details | File | 4 | tttracer.exe |
|
| Details | File | 4 | upfc.exe |
|
| Details | File | 3 | upgraderesultsui.exe |
|
| Details | File | 3 | usocoreworker.exe |
|
| Details | File | 9 | vmcompute.exe |
|
| Details | File | 4 | wfs.exe |
|
| Details | File | 2 | windowsactiondialog.exe |
|
| Details | File | 3 | wlrmdr.exe |
|
| Details | File | 3 | wmpdmc.exe |
|
| Details | File | 5 | wpcmon.exe |
|
| Details | File | 1 | wsatconfig.exe |
|
| Details | MITRE ATT&CK Techniques | 70 | T1574.001 |