azureEventHub_windows-sysmon.rules
# Sagan windows-sysmon.rules
# Copyright (c) 2009-2023. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# Sysmon| 1: Process Create: UtcTime: 2016-04-08 03:54:58.330 ProcessGuid: {E67F94C7-2B92-5707-0000-001050880400} ProcessId: 2004 Image: C:\\Windows\\System32\\audiodg.exe CommandLine: C:\\Windows\\system32\\AUDIODG.EXE 0x74c CurrentDirectory: C:\\Windows User: NT AUTHORITY\\LOCAL SERVICE LogonGuid: {E67F94C7-2A7B-5707-0000-0020E5030000} LogonId: 0x3e5 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA1=F033FD30AACD0183BFC30861891A92B56AC2468B,MD5=D5CCA1453B98A5801E6D5FF0FF89DC6C,SHA256=85F2C2480AAC31B6092187B431A562D79D4CFB1324F925C85055ABAB2483264B ParentProcessGuid: {E67F94C7-2A7B-5707-0000-00102A9E0000} ParentProcessId: 772 ParentImage: C:\\Windows\\System32\\svchost.exe ParentCommandLine: C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted
# Created by Champ Clark 04/08/2016. You'll need PSEXEC_MD5 defined in your sagan.conf!
# PsExec by file hash: the MD5 in the Sysmon "Hashes:" field is compared with $PSEXEC_MD5 from sagan.conf.
# The match string is "MD5=<hash>," with a trailing comma, i.e. it assumes another algorithm follows MD5 in the
# Hashes field (the sample above shows SHA1,MD5,SHA256). If Sysmon's HashAlgorithms puts MD5 last, or reports
# only MD5, the comma is absent and this rule cannot fire -- NOTE(review): confirm the hash order on the
# reporting hosts. Hash matching also means $PSEXEC_MD5 must be refreshed for every PsExec release; a renamed
# copy of the same binary is still caught, a different build is not.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] PSExec execution detected"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 1; meta_content: "MD5=%sagan%,",$PSEXEC_MD5; classtype: suspicious-command; program: *Sysmon*; sid:5009779; metadata: created_on 2022_11_22, old_sid 5002799; rev:5;)
# Locky Ransomware
# Champ Clark 04/08/2016
# Sysmon| 1: Process Create: UtcTime: 2016-04-08 05:29:03.829 ProcessGuid: {E67F94C7-419F-5707-0000-00103FB11D00} ProcessId: 2920 Image: C:\\Windows\\System32\\notepad.exe CommandLine: "C:\\Windows\\system32\\NOTEPAD.EXE" C:\\Users\\frankw\\Desktop\\_HELP_instructions.txt CurrentDirectory: C:\\Users\\frankw\\AppData\\Local\\Temp\\ User: frankw-PC\\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=7EB0139D2175739B3CCB0D1110067820BE6ABD29,MD5=F2C7BB8ACC97F92E987A2D4087D021B1,SHA256=142E1D688EF0568370C37187FD9F2351D7DDEDA574F8BFA9B0FA4EF42DB85AA2 ParentProcessGuid: {E67F94C7-414A-5707-0000-001049CA1900} ParentProcessId: 1704 ParentImage: C:\\Users\\frankw\\AppData\\Local\\Temp\\30e22374e00af038d06063db14cb3797.exe ParentCommandLine: "C:\\Users\\frankw\\AppData\\Local\\Temp\\30e22374e00af038d06063db14cb3797.exe"
# Fires when notepad.exe is launched to display the Locky/CryptoMix ransom note "_HELP_instructions.txt"
# (see the sample above). The second content ends in a space, so it only matches when the filename is followed
# by a space as in the sample's unquoted CommandLine; a quoted path ending in .txt" would not match --
# NOTE(review): confirm this is intended. Housekeeping for the next revision: the "endpoint_command SHUTDOWN"
# metadata option is listed twice (presumably redundant), and "CrypoMix" in msg is a typo for CryptoMix.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Locky/CrypoMix ransomware instructions detected!"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 1; content: "notepad.exe"; nocase; content: "_HELP_instructions.txt "; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; program: *Sysmon*; sid:5009780; metadata: created_on 2022_11_22, old_sid 5002802; rev:8;)
# vssadmin.exe is sometimes used by malware to delete Volume Shadow Copies. Below is Locky:
# Champ Clark 04/08/2016
# 1: Process Create: UtcTime: 2016-04-08 05:28:44.314 ProcessGuid: {E67F94C7-418C-5707-0000-00103EB31C00} ProcessId: 2404 Image: C:\\Windows\\System32\\vssadmin.exe CommandLine: vssadmin.exe Delete Shadows /All /Quiet CurrentDirectory: C:\\Users\\frankw\\AppData\\Local\\Temp\\ User: frankw-PC\\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=09FAFEB1B8404124B33C44440BE7E3FDB6105F8A,MD5=E23DD973E1444684EB36365DEFF1FC74,SHA256=4DE7FA20E3224382D8C4A81017E5BDD4673AFBEF9C0F017E203D7B78977FBF8C ParentProcessGuid: {E67F94C7-414A-5707-0000-001049CA1900} ParentProcessId: 1704 ParentImage: C:\\Users\\frankw\\AppData\\Local\\Temp\\30e22374e00af038d06063db14cb3797.exe ParentCommandLine: "C:\\Users\\frankw\\AppData\\Local\\Temp\\30e22374e00af038d06063db14cb3797.exe"
# "vssadmin.exe Delete Shadows" is a common pre-encryption step of ransomware (Locky sample above). The two
# content matches are nocase and not tied to each other (no distance/within), so they may match anywhere in the
# rendered event. The rule carries "endpoint_command SHUTDOWN" metadata, which presumably drives an automated host
# shutdown downstream -- NOTE(review): backup and maintenance tooling can legitimately delete shadow copies;
# allowlist those parents before enabling the endpoint action.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] vssadmin.exe Delete Shadows execution. Possible ransomware"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 1; content: "vssadmin.exe"; nocase; content: "Delete Shadows"; nocase; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: trojan-activity; program: *Sysmon*; sid:5009781; metadata: created_on 2022_11_22, old_sid 5002803; rev:6;)
# daemon|notice|notice|1d|2016-04-08|05:52:28|Sysmon| 1: Process Create: UtcTime: 2016-04-08 05:52:28.315 ProcessGuid: {E67F94C7-471C-5707-0000-0010FB0B1A00} ProcessId: 688 Image: C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine: "C:\\Windows\\System32\\wbem\\WMIC.exe" shadowcopy delete /nointeractive CurrentDirectory: C:\\Users\\frankw\\AppData\\Local\\Temp\\ User: frankw-PC\\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=071A645A88E4236281E58B90A5D50A2AC80E26E5,MD5=FD902835DEAEF4091799287736F3A028,SHA256=DA3AD32583644BD20116F0479C178F7C7C0B730728F4C02A438C0D19378C83D9 ParentProcessGuid: {E67F94C7-471A-5707-0000-0010DAF41900} ParentProcessId: 2796 ParentImage: C:\\Windows\\jacjfunqpvji.exe ParentCommandLine: C:\\Windows\\jacjfunqpvji.exe
# WMI equivalent of the vssadmin rule: "wmic shadowcopy delete" (sample above, parent is an unknown binary in
# C:\Windows). Same "endpoint_command SHUTDOWN" metadata as sid 5009781, so the same allowlisting caveat applies
# before the endpoint action is enabled.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - shadowcopy delete"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 1; content: "wmic"; nocase; content: "shadowcopy delete"; nocase; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: suspicious-command; program: *Sysmon*; sid:5009782; metadata: created_on 2022_11_22, old_sid 5002810; rev:6;)
# daemon|notice|notice|1d|2016-04-09|03:56:50|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:56:50.199 ProcessGuid: {E67F94C7-7D82-5708-0000-001042E21B00} ProcessId: 2628 Image: C:\\Windows\\SysWOW64\\wbem\\WMIC.exe CommandLine: WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl CurrentDirectory: C:\\Users\\frankw\\AppData\\Local\\Temp\\nshD809.tmp\\ User: frankw-PC\\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7D80-5708-0000-00101DF4 1A00} ParentProcessId: 3004 ParentImage: C:\\Users\\frankw\\AppData\\Local\\Temp\\b0fdb231b2d3740553c13c7762a9304e.exe ParentCommandLine: "C:\\Users\\frankw\\AppData\\Local\\Temp\\b0fdb231b2d3740553c13c7762a9304e.exe"
# WMIC hardware/BIOS queries of this kind are typically sandbox or VM fingerprinting by malware; in the sample
# above the parent is an executable dropped under AppData\Local\Temp. The rule only looks at the "wmic" and
# query strings and does not constrain ParentImage, so inventory/management tooling that runs the same query
# will also match -- NOTE(review): tune on parent process or user context if this is noisy.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - csproduct GET UUID"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 1; content: "wmic"; nocase; content: "csproduct Get UUID"; nocase; classtype: suspicious-command; program: *Sysmon*; sid:5009783; metadata: created_on 2022_11_22, old_sid 5002811; rev:5;)
# daemon|notice|notice|1d|2016-04-09|03:56:50|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:56:50.870 ProcessGuid: {E67F94C7-7D82-5708-0000-0010C8731C00} ProcessId: 768 Image: C:\\Windows\\SysWOW64\\wbem\\WMIC.exe CommandLine: WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl CurrentDirectory: C:\\Users\\frankw\\AppData\\Local\\Temp\\nshD809.tmp\\ User: frankw-PC\\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7D80-5708-0000-00101DF41A00} ParentProcessId: 3004 ParentImage: C:\\Users\\frankw\\AppData\\Local\\Temp\\b0fdb231b2d3740553c13c7762a9304e.exe ParentCommandLine: "C:\\Users\\frankw\\AppData\\Local\\Temp\\b0fdb231b2d3740553c13c7762a9304e.exe"
# This is a duplicate of 5002814! Thanks William!
# - Champ Clark 20220414
#
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - bios Get SerialNumber"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 1; content: "wmic"; nocase; content: "bios Get SerialNumber"; nocase; classtype: suspicious-command; program: *Sysmon*; sid:5009784; metadata: created_on 2022_11_22, old_sid 5002812; rev:5;)
# daemon|notice|notice|1d|2016-04-09|03:56:51|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:56:51.432 ProcessGuid: {E67F94C7-7D83-5708-0000-001007D91C00} ProcessId: 2256 Image: C:\\Windows\\SysWOW64\\wbem\\WMIC.exe CommandLine: WMIC bios Get Version /FORMAT:textvaluelist.xsl CurrentDirectory: C:\\Users\\frankw\\AppData\\Local\\Temp\\nshD809.tmp\\ User: frankw-PC\\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7D80-5708-0000-00101DF41A00} ParentProcessId: 3004 ParentImage: C:\\Users\\frankw\\AppData\\Local\\Temp\\b0fdb231b2d3740553c13c7762a9304e.exe ParentCommandLine: "C:\\Users\\frankw\\AppData\\Local\\Temp\\b0fdb231b2d3740553c13c7762a9304e.exe"
# "wmic bios Get Version": same VM/sandbox fingerprinting pattern as the other WMIC rules in this section
# (sample above, parent dropped under AppData\Local\Temp). Parent process is not constrained, so inventory
# tooling running the same query will match too.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - bios Get Version"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 1; content: "wmic"; nocase; content: "bios Get Version"; nocase; classtype: suspicious-command; program: *Sysmon*; sid:5009785; metadata: created_on 2022_11_22, old_sid 5002813; rev:5;)
# daemon|notice|notice|1d|2016-04-09|03:57:49|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:57:49.213 ProcessGuid: {E67F94C7-7DBD-5708-0000-001099CD0600} ProcessId: 1420 Image: C:\\Windows\\SysWOW64\\wbem\\WMIC.exe CommandLine: WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl CurrentDirectory: C:\\Users\\frankw\\AppData\\Local\\Temp\\nsh1DDF.tmp\\ User: frankw-PC\\frankw LogonGuid: {E67F94C7-333C-5707-0000-0020CFB40100} LogonId: 0x1b4cf TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7DB4-5708-0000-00100B100600} ParentProcessId: 2628 ParentImage: C:\\Users\\frankw\\AppData\\Local\\Temp\\39e67671f65fae38e065f5db614f679c.exe ParentCommandLine: "C:\\Users\\frankw\\AppData\\Local\\Temp\\39e67671f65fae38e065f5db614f679c.exe"
# "wmic bios Get SerialNumber": the active copy of this check (the earlier one, old sid 5002812, is commented out
# as a duplicate). Same fingerprinting pattern and the same parent-process caveat as the neighbouring WMIC rules.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - bios Get SerialNumber"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 1; content: "wmic"; nocase; content: "bios Get SerialNumber"; nocase; classtype: suspicious-command; program: *Sysmon*; sid:5009786; metadata: created_on 2022_11_22, old_sid 5002814; rev:5;)
# daemon|notice|notice|1d|2016-04-09|03:57:49|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:57:49.068 ProcessGuid: {E67F94C7-7DBD-5708-0000-0010AF1D0700} ProcessId: 668 Image: C:\\Windows\\SysWOW64\\wbem\\WMIC.exe CommandLine: WMIC csproduct Get Name /FORMAT:textvaluelist.xsl CurrentDirectory: C:\\Users\\frankw\\AppData\\Local\\Temp\\nsj3A92.tmp\\ User: frankw-PC\\frankw LogonGuid: {E67F94C7-333C-5707-0000-0020DCBC0100} LogonId: 0x1bcdc TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7DB3-5708-0000-0010143A0600} ParentProcessId: 592 ParentImage: C:\\Users\\frankw\\AppData\\Local\\Temp\\3f6811d8687a30b68fa02d6eb5536493.exe ParentCommandLine: "C:\\Users\\frankw\\AppData\\Local\\Temp\\3f6811d8687a30b68fa02d6eb5536493.exe"
# "wmic csproduct Get Name": same VM/sandbox fingerprinting pattern as the neighbouring WMIC rules; parent
# process is not constrained, so inventory tooling running the same query will match as well.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - csproduct Get Name"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 1; content: "wmic"; nocase; content: "csproduct Get Name"; nocase; classtype: suspicious-command; program: *Sysmon*; sid:5009787; metadata: created_on 2022_11_22, old_sid 5002815; rev:5;)
# daemon|notice|notice|1d|2016-04-09|03:55:09|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:55:09.240 ProcessGuid: {E67F94C7-7D1D-5708-0000-001041E40700} ProcessId: 1556 Image: C:\\Windows\\SysWOW64\\wbem\\WMIC.exe CommandLine: wmic computersystem get model /format:list CurrentDirectory: C:\\Users\\frankw\\AppData\\Local\\Temp\\ User: frankw-PC\\frankw LogonGuid: {E67F94C7-32FD-5707-0000-00203DB30100} LogonId: 0x1b33d TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7D1C-5708-0000-0010CDC80700} ParentProcessId: 2936 ParentImage: C:\\Windows\\SysWOW64\\cmd.exe ParentCommandLine: "C:\\Windows\\system32\\cmd.exe" /C wmic computersystem get model /format:list
# "wmic computersystem get model": in the sample above the query is launched via "cmd.exe /C", so ParentImage is
# cmd.exe rather than the dropped binary -- one reason the WMIC rules here deliberately do not key on the parent.
# Expect matches from legitimate inventory scripts as well.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - computersystem get model"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 1; content: "wmic"; nocase; content: "computersystem get model"; nocase; classtype: suspicious-command; program: *Sysmon*; sid:5009788; metadata: created_on 2022_11_22, old_sid 5002816; rev:5;)
# 2017-02-22 - Rule created by Champ Clark III based off Jack Crook's work. See:
# From Jack Crook via https://www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan/
##alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] IP detect in command line"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 1; pcre: "/CommandLine: (.*)([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})/"; classtype: suspicious-command; program: *Sysmon*; meta_content:!"%sagan%", $RFC1918; meta_content:!"%sagan%", \\w32tm.exe,\\VMwareSensor.exe,\\bin\\java.exe,PRTG|20|Probe.exe; meta_nocase; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5009789; metadata: created_on 2022_11_22, old_sid 5003378; rev:3;)
# Matches a "$\" sequence in CommandLine, i.e. a reference to an administrative share path such as \\host\C$\.
# The pcre (\$\\\\) expects two literal backslashes after the dollar sign, which corresponds to the
# doubled-backslash rendering seen in the sample logs above (C:\\Windows) -- NOTE(review): confirm the Event Hub
# RenderedDescription escapes backslashes the same way; if it carries single backslashes the pattern will not match.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Command line $\\ type request"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 1; pcre: "/CommandLine: (.*)\$\\\\(.*)/"; classtype: suspicious-command; program: *Sysmon*; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5009790; metadata: created_on 2022_11_22, old_sid 5003379; rev:3;)
# This needs to be more targeted. Maybe merge with windows-powershell.rules?
#
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Powershell execution"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 1; pcre: "/CommandLine: (.*):\/\/(.*)/"; pcre: "/Image: (.*)powershell\.exe(.*)/i"; classtype: suspicious-command; program: *Sysmon*; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5009791; metadata: created_on 2022_11_22, old_sid 5003380; rev:2;)
# Broad pcre (any CommandLine containing "cmd", case-insensitive) narrowed by a content check that OriginalFileName
# is Cmd.Exe. That content is written in JSON style -- |22| is a double quote, so it is "OriginalFileName":"Cmd.Exe" --
# whereas the sample logs above render fields as `Key: Value` text -- NOTE(review): verify against a real Event Hub
# record that the mapped message field contains the quoted form; if it does not, this rule cannot fire.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] SYSMON Possible CMD detected"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 1; pcre: "/CommandLine: (.*)cmd(.*)/i"; content: "OriginalFileName|22|:|22|Cmd.Exe|22|"; nocase; classtype: suspicious-command; program: *Sysmon*; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5009792; metadata: created_on 2022_11_22, old_sid 5003388; rev:3;)
# Two-stage detection of credential-access DLL loads (wdigest, samsrv, vaultcli, msv1_0, ...). The second rule
# (sid 5009794) sets the "creddrump" xbit per source IP with "expire 1" and "xbits: noeve"; the first (sid 5009793)
# alerts when a further matching load arrives while that bit is set. Both carry "endpoint_command SHUTDOWN".
# Issues to resolve on the next revision:
#  - "cypt32\.dll" in both DLL lists is presumably a typo for crypt32\.dll and as written never matches.
#  - Both rules select event_id 1 (Process Create) but search for "ImageLoad:"; DLL loads are Sysmon event 7,
#    whose field is named ImageLoaded -- NOTE(review): as written neither rule is expected to match a real
#    image-load event. Test against captured Sysmon event 7 records before relying on this pair.
#  - "creddrump" (sic) is spelled the same in both rules, so the xbit still pairs up; rename both together or not at all.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible credential dumper execution"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 1; pcre: "/ImageLoad: (.*)(wdigest\.dll|kerberos\.dll|tspkg\.dll|sspicli\.dll|samsrv\.dll|secur32\.dll|samlib\.dll|wlanapi\.dll|vaultcli\.dll|cypt32\.dll|cryptdll\.dll|netapi\.dll|netlogon\.dll|msv1_0\.dll)(.*)/i"; program: *Sysmon*; xbits: isset,creddrump,track ip_src; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: suspicious-command; sid:5009793; metadata: created_on 2022_11_22, old_sid 5003390; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible credential dumper execution"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 1; pcre: "/ImageLoad: (.*)(wdigest\.dll|kerberos\.dll|tspkg\.dll|sspicli\.dll|samsrv\.dll|secur32\.dll|samlib\.dll|wlanapi\.dll|vaultcli\.dll|cypt32\.dll|cryptdll\.dll|netapi\.dll|netlogon\.dll|msv1_0\.dll)(.*)/i"; program: *Sysmon*; xbits: set,creddrump,track ip_src, expire 1; xbits: noeve; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; metadata: created_on 2022_11_22, endpoint_command SHUTDOWN; classtype: suspicious-command; sid:5009794; metadata: created_on 2022_11_22, old_sid 5003391; rev:5;)
#Built off of IOCs for the Golden SAML attack. By SDrenning
# AD FS Golden SAML indicator: a Sysmon named-pipe event (17 create / 18 connect) for the Windows Internal Database
# pipe \\MICROSOFT##WID\tsql\query from a process other than the expected AD FS, Azure AD Connect, Defender for
# Identity sensor, WinRM, mmc or SQL Server images. The exclusions are image-name substrings (nocase) only, so a
# different binary carrying one of those names is not distinguished -- NOTE(review): add a path or signature
# condition if the event source exposes one. The pipe content is written with doubled backslashes (|5c 5c|),
# matching the escaped rendering seen in this file's sample logs.
# Housekeeping: the metadata "Host ASDF" reads like placeholder text left from drafting; remove or replace it.
# Direction is $HOME_NET -> $EXTERNAL_NET although a pipe event is host-local; the address fields are presumably
# not meaningful for this source.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-SYSMON] Connection to Windows TSQL Database detected"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 17,18; content: "|5c 5c|MICROSOFT|23 23|WID|5c 5c|tsql|5c 5c|query";nocase; content:!"Microsoft.IdentityServer.ServiceHost.exe";nocase; content:!"Microsoft.Identity.Health.Adfs.PshSurrogate.exe";nocase; content:!"AzureADConnect.exe";nocase; content:!"Microsoft.Tri.Sensor.exe";nocase; content:!"wsmprovhost.exe";nocase; content:!"mmc.exe";nocase; content:!"sqlservr.exe";nocase; metadata: created_on 2022_11_22, Host ASDF; classtype: system-event; reference: url,github.com/SigmaHQ/sigma/blob/master/rules/powershell; reference: url,sygnia.co/golden-saml-advisory; sid:5009795; metadata: created_on 2022_11_22, old_sid 5005957; rev:1;)
#IOC developed from commands observed in Ukraine ransomware. Triggers off of an internal Windows API call to disable crash logging. sdrenning! 20220306
# Looks for "RegSetValueExW" followed within 50 bytes by "CrashDumpEnabled" and then "0x0" within 10 bytes, i.e.
# crash-dump generation being switched off, as seen in the 2022 Ukraine wiper/ransomware campaigns referenced below.
# Unlike the other rules in this file it matches program *Security*|*Sysmon*|*PowerShell* and has no json_map or
# event_id selector, so the three content checks are the only filter -- NOTE(review): confirm the rendered message
# of the intended source actually contains the literal API name "RegSetValueExW"; Sysmon's own registry events
# (12/13) are rendered as EventType/TargetObject fields (compare sid 5009799 below) and may not carry it.
# threshold "suppress, track by_username, count 1, seconds 300": at most one alert per user per 300 s.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-SYSMON] Possible Command To Disable Crash Logging Detected"; program: *Security*|*Sysmon*|*PowerShell*; content:"RegSetValueExW";nocase; content: "CrashDumpEnabled";nocase; distance:1; within: 50; content:"0x0"; distance:1; within:10; threshold: type suppress, track by_username, count 1, seconds 300; classtype: ransomware; reference: url,crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine; reference: url,welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine; sid:5009796; metadata: created_on 2022_11_22, old_sid 5005993; rev:1;)
# Part 1 of 2: a powershell process creation whose command line has an encoded-command switch followed within
# 100 bytes by one of the base64 prefixes from the referenced gist (JAB, TVq, SUVY, ...). The switch list is an
# exact match with surrounding spaces, " -e ", " -ec ", " -enc " or " -EncodedCommand ", and -- unlike the
# "powershell" content -- has no meta_nocase, so it is case-sensitive (other rules in this file use meta_nocase
# explicitly). NOTE(review): decide whether that narrow spelling is the intended scope. The companion [2/2]
# rule is not in this part of the file.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious Base64 Encoded Commands [1/2]"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:1; content: "powershell"; nocase; meta_content:" -%sagan% ",e,ec,enc,EncodedCommand; meta_content:" %sagan%",JAB,TVq,SUVY,SQBFAF,SQBuAH,aWV4,aQBlA,Y21k,Qzpc,Yzpc,UEs; meta_within:100; reference:url,gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639; classtype:suspicious-command; sid:5009797; metadata: created_on 2022_11_22, old_sid 5007158; rev:1;)
#Added by bsmith on 19 Sept. 2022
# Sysmon self-defence rules (techniques from the CODE WHITE "Attacks on Sysmon revisited" post and Shhmon, see references).
# EID 255 is Sysmon's own error event; "ID: DriverCommunication" is logged when the service loses its driver, e.g. after the driver was unloaded.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Attack on Sysmon - Possible Driver Unload"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:255; content:"ID: DriverCommunication"; nocase; reference:url,codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html; reference:url,github.com/matterpreter/Shhmon; reference:url,posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650; classtype:suspicious-command; sid:5009798; metadata: created_on 2022_11_22, old_sid 5007696; rev:1;)
# EID 12/13 SetValue where the TargetObject path (distance:0 after the field name) lies under \SysmonDrv\ - tampering with the driver's service registry key.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Attack on Sysmon - SysmonDrv Registry value set"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:12,13; content:"EventType: setValue"; nocase; content:"Targetobject|3a|"; nocase; content:"\\SysmonDrv\\"; nocase; distance:0; reference:url,codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html; reference:url,github.com/matterpreter/Shhmon; reference:url,talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html; classtype:suspicious-command; sid:5009799; metadata: created_on 2022_11_22, old_sid 5007697; rev:1;)
# EID 10 (process access): a handle to sysmon.exe / sysmon64.exe (meta_distance:0 anchors the name to the TargetImage field) opened with GrantedAccess 0x1FFFFF, i.e. PROCESS_ALL_ACCESS as requested for injection.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Attack on Sysmon - Process Injection"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:10; content:"TargetImage|3a|"; nocase; meta_content:"%sagan%",sysmon.exe,sysmon64.exe; meta_distance:0; meta_nocase; content:"GrantedAccess|3a| 0x1FFFFF"; nocase; reference:url,codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html; reference:url,github.com/matterpreter/Shhmon; classtype:suspicious-command; sid:5009800; metadata: created_on 2022_11_22, old_sid 5007698; rev:1;)
# EID 10 against sysmon.exe / sysmon64.exe whose CallTrace starts with "Ente" - the marker left by the SysmonEnte tool per the referenced write-up.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Attack on Sysmon - SysmonEnte Detected"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:10; content:"TargetImage|3a|"; nocase; meta_content:"%sagan%",sysmon.exe,sysmon64.exe; meta_distance:0; meta_nocase; content:"CallTrace|3a| Ente"; nocase; reference:url,codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html; reference:url,github.com/matterpreter/Shhmon; classtype:suspicious-command; sid:5009801; metadata: created_on 2022_11_22, old_sid 5007699; rev:1;)
# 2022-10-05 - Bryant Smith
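# Sysmon EID 7 (image load) rules derived from hijacklibs.net: alert when a DLL with a hijack-prone name is loaded from anywhere other than its expected location(s).
# The expected-location exclusions are anchored to the "ImageLoaded: " field. An unanchored negation also matches the loading process path in the "Image:" field of the same event,
# so a System32 (or vendor-directory) executable loading the DLL from an attacker-controlled directory would have been suppressed - the exact case these rules exist for. rev bumped to 2 on every rule whose exclusion changed.
# Rules without an exclusion (providers.dll, tmtap.dll, utiluniclient.dll) alert on every load of that DLL; add the vendor's install path as an anchored exclusion once it is confirmed in your environment.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wsc.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\program files\\AVAST Software\\Avast\\,c:\\program files (x86)\\AVAST Software\\Avast\\; meta_nocase; content:"\\wsc.dll"; nocase; reference:url,hijacklibs.net/entries/3rd_party/avast/wsc.html; classtype:suspicious-command; sid:5009802; metadata: created_on 2022_11_22, old_sid 5007737; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of log.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\program files\\Bitdefender Antivirus Free\\,c:\\program files (x86)\\Bitdefender Antivirus Free\\; meta_nocase; content:"\\log.dll"; nocase; reference:url,hijacklibs.net/entries/3rd_party/bitdefender/log.html; classtype:suspicious-command; sid:5009803; metadata: created_on 2022_11_22, old_sid 5007738; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of qrt.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\program files\\F-Secure\\Anti-Virus\\,c:\\program files (x86)\\F-Secure\\Anti-Virus\\; meta_nocase; content:"\\qrt.dll"; nocase; reference:url,hijacklibs.net/entries/3rd_party/f-secure/qrt.html; classtype:suspicious-command; sid:5009804; metadata: created_on 2022_11_22, old_sid 5007739; rev:2;)
# The per-user Chrome path (...\appdata\local\Google\Chrome\Application\) begins with a variable user-profile directory, so that exclusion cannot be prefixed with "ImageLoaded: " and stays a plain substring match.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of chrome_frame_helper.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"\\appdata\\local\\Google\\Chrome\\Application\\"; nocase; meta_content:!"ImageLoaded: %sagan%",c:\\program files\\Google\\Chrome\\Application\\,c:\\program files|20|(x86)\\Google\\Chrome\\Application\\; meta_nocase; content:"\\chrome_frame_helper.dll"; nocase; reference:url,hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html; classtype:suspicious-command; sid:5009805; metadata: created_on 2022_11_22, old_sid 5007740; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of commfunc.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\program files\\Lenovo\\Communications Utility\\,c:\\program files (x86)\\Lenovo\\Communications Utility\\; meta_nocase; content:"\\commfunc.dll"; nocase; reference:url,hijacklibs.net/entries/3rd_party/lenovo/commfunc.html; classtype:suspicious-command; sid:5009806; metadata: created_on 2022_11_22, old_sid 5007741; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of ashldres.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\program files\\McAfee.com\\VSO\\,c:\\program files (x86)\\McAfee.com\\VSO\\; meta_nocase; content:"\\ashldres.dll"; nocase; reference:url,hijacklibs.net/entries/3rd_party/mcafee/ashldres.html; classtype:suspicious-command; sid:5009807; metadata: created_on 2022_11_22, old_sid 5007742; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of lockdown.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\program files\\McAfee\\VirusScan Enterprise\\,c:\\program files (x86)\\McAfee\\VirusScan Enterprise\\; meta_nocase; content:"\\lockdown.dll"; nocase; reference:url,hijacklibs.net/entries/3rd_party/mcafee/lockdown.html; classtype:suspicious-command; sid:5009808; metadata: created_on 2022_11_22, old_sid 5007743; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of vsodscpl.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\program files\\McAfee\\VirusScan Enterprise\\,c:\\program files (x86)\\McAfee\\VirusScan Enterprise\\; meta_nocase; content:"\\vsodscpl.dll"; nocase; reference:url,hijacklibs.net/entries/3rd_party/mcafee/vsodscpl.html; classtype:suspicious-command; sid:5009809; metadata: created_on 2022_11_22, old_sid 5007744; rev:2;)
# No expected-location exclusion: every load of providers.dll alerts until the legitimate install path (placeholder: <VENDOR_INSTALL_DIR>) is confirmed and added as an "ImageLoaded: " anchored negation.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of providers.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:"\\providers.dll"; nocase; reference:url,hijacklibs.net/entries/3rd_party/npm/providers.html; classtype:suspicious-command; sid:5009810; metadata: created_on 2022_11_22, old_sid 5007745; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of tosbtkbd.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\program files\\Toshiba\\Bluetooth Toshiba Stack\\,c:\\program files (x86)\\Toshiba\\Bluetooth Toshiba Stack\\; meta_nocase; content:"\\tosbtkbd.dll"; nocase; reference:url,hijacklibs.net/entries/3rd_party/toshiba/tosbtkbd.html; classtype:suspicious-command; sid:5009811; metadata: created_on 2022_11_22, old_sid 5007746; rev:2;)
# No expected-location exclusion on the two Trend Micro rules below: every load of tmtap.dll / utiluniclient.dll alerts until the legitimate install path (placeholder: <VENDOR_INSTALL_DIR>) is confirmed and added.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of tmtap.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:"\\tmtap.dll"; nocase; reference:url,hijacklibs.net/entries/3rd_party/trendmicro/tmtap.html; classtype:suspicious-command; sid:5009812; metadata: created_on 2022_11_22, old_sid 5007747; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of utiluniclient.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:"\\utiluniclient.dll"; nocase; reference:url,hijacklibs.net/entries/3rd_party/trendmicro/utiluniclient.html; classtype:suspicious-command; sid:5009813; metadata: created_on 2022_11_22, old_sid 5007748; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of shfolder.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\shfolder.dll"; nocase; reference:url,hijacklibs.net/entries/3rd_party/vmware/shfolder.html; classtype:suspicious-command; sid:5009814; metadata: created_on 2022_11_22, old_sid 5007749; rev:2;)
# Microsoft built-in DLLs: expected in System32 (and SysWOW64 where a 32-bit copy ships); a load from any other directory alerts.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of aclui.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\aclui.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/aclui.html; classtype:suspicious-command; sid:5009815; metadata: created_on 2022_11_22, old_sid 5007750; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of activeds.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\activeds.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/activeds.html; classtype:suspicious-command; sid:5009816; metadata: created_on 2022_11_22, old_sid 5007751; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of adsldpc.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\adsldpc.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/adsldpc.html; classtype:suspicious-command; sid:5009817; metadata: created_on 2022_11_22, old_sid 5007752; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of aepic.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\aepic.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/aepic.html; classtype:suspicious-command; sid:5009818; metadata: created_on 2022_11_22, old_sid 5007753; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of apphelp.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\apphelp.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/apphelp.html; classtype:suspicious-command; sid:5009819; metadata: created_on 2022_11_22, old_sid 5007754; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of applicationframe.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\applicationframe.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/applicationframe.html; classtype:suspicious-command; sid:5009820; metadata: created_on 2022_11_22, old_sid 5007755; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of appvpolicy.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"ImageLoaded: c:\\windows\\system32\\"; nocase; content:"\\appvpolicy.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/appvpolicy.html; classtype:suspicious-command; sid:5009821; metadata: created_on 2022_11_22, old_sid 5007756; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of appxalluserstore.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\appxalluserstore.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/appxalluserstore.html; classtype:suspicious-command; sid:5009822; metadata: created_on 2022_11_22, old_sid 5007757; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of appxdeploymentclient.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\appxdeploymentclient.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/appxdeploymentclient.html; classtype:suspicious-command; sid:5009823; metadata: created_on 2022_11_22, old_sid 5007758; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of archiveint.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\archiveint.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/archiveint.html; classtype:suspicious-command; sid:5009824; metadata: created_on 2022_11_22, old_sid 5007759; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of atl.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\atl.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/atl.html; classtype:suspicious-command; sid:5009825; metadata: created_on 2022_11_22, old_sid 5007760; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of audioses.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\audioses.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/audioses.html; classtype:suspicious-command; sid:5009826; metadata: created_on 2022_11_22, old_sid 5007761; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of auditpolcore.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\auditpolcore.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/auditpolcore.html; classtype:suspicious-command; sid:5009827; metadata: created_on 2022_11_22, old_sid 5007762; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of authfwcfg.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\authfwcfg.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/authfwcfg.html; classtype:suspicious-command; sid:5009828; metadata: created_on 2022_11_22, old_sid 5007763; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of authz.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\authz.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/authz.html; classtype:suspicious-command; sid:5009829; metadata: created_on 2022_11_22, old_sid 5007764; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of avrt.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\avrt.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/avrt.html; classtype:suspicious-command; sid:5009830; metadata: created_on 2022_11_22, old_sid 5007765; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of batmeter.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\batmeter.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/batmeter.html; classtype:suspicious-command; sid:5009831; metadata: created_on 2022_11_22, old_sid 5007766; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of bcd.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\bcd.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/bcd.html; classtype:suspicious-command; sid:5009832; metadata: created_on 2022_11_22, old_sid 5007767; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of bcp47langs.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\bcp47langs.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/bcp47langs.html; classtype:suspicious-command; sid:5009833; metadata: created_on 2022_11_22, old_sid 5007768; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of bcp47mrm.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\bcp47mrm.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/bcp47mrm.html; classtype:suspicious-command; sid:5009834; metadata: created_on 2022_11_22, old_sid 5007769; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of bcrypt.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\bcrypt.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/bcrypt.html; classtype:suspicious-command; sid:5009835; metadata: created_on 2022_11_22, old_sid 5007770; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of bderepair.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"ImageLoaded: c:\\windows\\system32\\"; nocase; content:"\\bderepair.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/bderepair.html; classtype:suspicious-command; sid:5009836; metadata: created_on 2022_11_22, old_sid 5007771; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of bootmenuux.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"ImageLoaded: c:\\windows\\system32\\"; nocase; content:"\\bootmenuux.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/bootmenuux.html; classtype:suspicious-command; sid:5009837; metadata: created_on 2022_11_22, old_sid 5007772; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of bootux.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"ImageLoaded: c:\\windows\\system32\\"; nocase; content:"\\bootux.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/bootux.html; classtype:suspicious-command; sid:5009838; metadata: created_on 2022_11_22, old_sid 5007773; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of cabinet.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\cabinet.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/cabinet.html; classtype:suspicious-command; sid:5009839; metadata: created_on 2022_11_22, old_sid 5007774; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of cabview.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\cabview.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/cabview.html; classtype:suspicious-command; sid:5009840; metadata: created_on 2022_11_22, old_sid 5007775; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of certcli.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\certcli.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/certcli.html; classtype:suspicious-command; sid:5009841; metadata: created_on 2022_11_22, old_sid 5007776; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of certenroll.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\certenroll.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/certenroll.html; classtype:suspicious-command; sid:5009842; metadata: created_on 2022_11_22, old_sid 5007777; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of cldapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\cldapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/cldapi.html; classtype:suspicious-command; sid:5009843; metadata: created_on 2022_11_22, old_sid 5007778; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of clipc.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\clipc.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/clipc.html; classtype:suspicious-command; sid:5009844; metadata: created_on 2022_11_22, old_sid 5007779; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of clusapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\clusapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/clusapi.html; classtype:suspicious-command; sid:5009845; metadata: created_on 2022_11_22, old_sid 5007780; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of cmpbk32.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\cmpbk32.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/cmpbk32.html; classtype:suspicious-command; sid:5009846; metadata: created_on 2022_11_22, old_sid 5007781; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of cmutil.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\cmutil.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/cmutil.html; classtype:suspicious-command; sid:5009847; metadata: created_on 2022_11_22, old_sid 5007782; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of coloradapterclient.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\coloradapterclient.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/coloradapterclient.html; classtype:suspicious-command; sid:5009848; metadata: created_on 2022_11_22, old_sid 5007783; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of colorui.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\colorui.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/colorui.html; classtype:suspicious-command; sid:5009849; metadata: created_on 2022_11_22, old_sid 5007784; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of comdlg32.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\comdlg32.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/comdlg32.html; classtype:suspicious-command; sid:5009850; metadata: created_on 2022_11_22, old_sid 5007785; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of configmanager2.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"ImageLoaded: c:\\windows\\system32\\"; nocase; content:"\\configmanager2.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/configmanager2.html; classtype:suspicious-command; sid:5009851; metadata: created_on 2022_11_22, old_sid 5007786; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of connect.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\connect.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/connect.html; classtype:suspicious-command; sid:5009852; metadata: created_on 2022_11_22, old_sid 5007787; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of coredplus.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"ImageLoaded: c:\\windows\\system32\\"; nocase; content:"\\coredplus.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/coredplus.html; classtype:suspicious-command; sid:5009853; metadata: created_on 2022_11_22, old_sid 5007788; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of coremessaging.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\coremessaging.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/coremessaging.html; classtype:suspicious-command; sid:5009854; metadata: created_on 2022_11_22, old_sid 5007789; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of coreuicomponents.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\coreuicomponents.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/coreuicomponents.html; classtype:suspicious-command; sid:5009855; metadata: created_on 2022_11_22, old_sid 5007790; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of credui.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\credui.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/credui.html; classtype:suspicious-command; sid:5009856; metadata: created_on 2022_11_22, old_sid 5007791; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of cryptbase.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\cryptbase.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/cryptbase.html; classtype:suspicious-command; sid:5009857; metadata: created_on 2022_11_22, old_sid 5007792; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of cryptdll.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\cryptdll.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/cryptdll.html; classtype:suspicious-command; sid:5009858; metadata: created_on 2022_11_22, old_sid 5007793; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of cryptsp.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\cryptsp.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/cryptsp.html; classtype:suspicious-command; sid:5009859; metadata: created_on 2022_11_22, old_sid 5007794; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of cryptui.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\cryptui.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/cryptui.html; classtype:suspicious-command; sid:5009860; metadata: created_on 2022_11_22, old_sid 5007795; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of cryptxml.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"ImageLoaded: %sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\cryptxml.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/cryptxml.html; classtype:suspicious-command; sid:5009861; metadata: created_on 2022_11_22, old_sid 5007796; rev:2;)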
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of cscapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\cscapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/cscapi.html; classtype:suspicious-command; sid:5009862; metadata: created_on 2022_11_22, old_sid 5007797; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of cscobj.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\cscobj.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/cscobj.html; classtype:suspicious-command; sid:5009863; metadata: created_on 2022_11_22, old_sid 5007798; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of cscui.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\cscui.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/cscui.html; classtype:suspicious-command; sid:5009864; metadata: created_on 2022_11_22, old_sid 5007799; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of d2d1.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\d2d1.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/d2d1.html; classtype:suspicious-command; sid:5009865; metadata: created_on 2022_11_22, old_sid 5007800; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of d3d10.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\d3d10.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/d3d10.html; classtype:suspicious-command; sid:5009866; metadata: created_on 2022_11_22, old_sid 5007801; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of d3d10_1.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\d3d10_1.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/d3d10_1.html; classtype:suspicious-command; sid:5009867; metadata: created_on 2022_11_22, old_sid 5007802; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of d3d10_1core.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\d3d10_1core.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/d3d10_1core.html; classtype:suspicious-command; sid:5009868; metadata: created_on 2022_11_22, old_sid 5007803; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of d3d10core.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\d3d10core.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/d3d10core.html; classtype:suspicious-command; sid:5009869; metadata: created_on 2022_11_22, old_sid 5007804; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of d3d10warp.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\d3d10warp.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/d3d10warp.html; classtype:suspicious-command; sid:5009870; metadata: created_on 2022_11_22, old_sid 5007805; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of d3d11.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\d3d11.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/d3d11.html; classtype:suspicious-command; sid:5009871; metadata: created_on 2022_11_22, old_sid 5007806; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of d3d12.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\d3d12.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/d3d12.html; classtype:suspicious-command; sid:5009872; metadata: created_on 2022_11_22, old_sid 5007807; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of d3d9.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\d3d9.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/d3d9.html; classtype:suspicious-command; sid:5009873; metadata: created_on 2022_11_22, old_sid 5007808; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of d3dcompiler_47.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\program files\\windows kits\\10\\bin\\*\x64\\,c:\\program files (x86)\\windows kits\\10\\bin\\*\x64\\,c:\\program files\\windows kits\\10\\bin\\*\x86\\,c:\\program files (x86)\\windows kits\\10\\bin\\*\x86\\,c:\\program files\\windows kits\\10\\redist\\d3d\\x64\\,c:\\program files (x86)\\windows kits\\10\\redist\\d3d\\x64\\,c:\\program files\\windows kits\\10\\redist\\d3d\\x86\\,c:\\program files (x86)\\windows kits\\10\\redist\\d3d\\x86\\,c:\\program files\\wireshark\\,c:\\program files (x86)\\wireshark\\,c:\\program files\\cisco systems\\cisco jabber\\,c:\\program files (x86)\\cisco systems\\cisco jabber\\,c:\\program files\\microsoft\\edge\\application\\*\,c:\\program files (x86)\\microsoft\\edge\\application\\*\,c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\d3dcompiler_47.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/d3dcompiler_47.html; classtype:suspicious-command; sid:5009874; metadata: created_on 2022_11_22, old_sid 5007809; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dataexchange.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dataexchange.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dataexchange.html; classtype:suspicious-command; sid:5009875; metadata: created_on 2022_11_22, old_sid 5007810; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of davclnt.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\davclnt.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/davclnt.html; classtype:suspicious-command; sid:5009876; metadata: created_on 2022_11_22, old_sid 5007811; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dbgcore.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\program files\\windows kits\\10\\debuggers\\arm\\,c:\\program files (x86)\\windows kits\\10\\debuggers\\arm\\,c:\\program files\\windows kits\\10\\debuggers\\arm\\srcsrv\\,c:\\program files (x86)\\windows kits\\10\\debuggers\\arm\\srcsrv\\,c:\\program files\\windows kits\\10\\debuggers\\arm64\\,c:\\program files (x86)\\windows kits\\10\\debuggers\\arm64\\,c:\\program files\\windows kits\\10\\debuggers\\arm64\\srcsrv\\,c:\\program files (x86)\\windows kits\\10\\debuggers\\arm64\\srcsrv\\,c:\\program files\\windows kits\\10\\debuggers\\x64\\,c:\\program files (x86)\\windows kits\\10\\debuggers\\x64\\,c:\\program files\\windows kits\\10\\debuggers\\x64\\srcsrv\\,c:\\program files (x86)\\windows kits\\10\\debuggers\\x64\\srcsrv\\,c:\\program files\\windows kits\\10\\debuggers\\x86\\,c:\\program files (x86)\\windows kits\\10\\debuggers\\x86\\,c:\\program files\\windows kits\\10\\debuggers\\x86\\srcsrv\\,c:\\program files (x86)\\windows kits\\10\\debuggers\\x86\\srcsrv\\,c:\\program files\\microsoft office\\root\\office*\\,c:\\program files (x86)\\microsoft office\\root\\office*\\,c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dbgcore.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dbgcore.html; classtype:suspicious-command; sid:5009877; metadata: created_on 2022_11_22, old_sid 5007812; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dbghelp.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\program files\\windows kits\\10\\debuggers\\arm\\,c:\\program files (x86)\\windows kits\\10\\debuggers\\arm\\,c:\\program files\\windows kits\\10\\debuggers\\arm\\srcsrv\\,c:\\program files (x86)\\windows kits\\10\\debuggers\\arm\\srcsrv\\,c:\\program files\\windows kits\\10\\debuggers\\arm64\\,c:\\program files (x86)\\windows kits\\10\\debuggers\\arm64\\,c:\\program files\\windows kits\\10\\debuggers\\arm64\\srcsrv\\,c:\\program files (x86)\\windows kits\\10\\debuggers\\arm64\\srcsrv\\,c:\\program files\\windows kits\\10\\debuggers\\x64\\,c:\\program files (x86)\\windows kits\\10\\debuggers\\x64\\,c:\\program files\\windows kits\\10\\debuggers\\x64\\srcsrv\\,c:\\program files (x86)\\windows kits\\10\\debuggers\\x64\\srcsrv\\,c:\\program files\\windows kits\\10\\debuggers\\x86\\,c:\\program files (x86)\\windows kits\\10\\debuggers\\x86\\,c:\\program files\\windows kits\\10\\debuggers\\x86\\srcsrv\\,c:\\program files (x86)\\windows kits\\10\\debuggers\\x86\\srcsrv\\,c:\\program files\\cisco systems\\cisco jabber\\,c:\\program files (x86)\\cisco systems\\cisco jabber\\,c:\\program files\\microsoft office\\root\\office*\\,c:\\program files (x86)\\microsoft office\\root\\office*\\,c:\\program files\\microsoft office\\root\\vfs\\programfilesx86\\microsoft analysis services\\as oledb\\140\\,c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx86\\microsoft analysis services\\as oledb\\140\\,c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dbghelp.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dbghelp.html; classtype:suspicious-command; sid:5009878; metadata: created_on 2022_11_22, old_sid 5007813; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dcntel.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\dcntel.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dcntel.html; classtype:suspicious-command; sid:5009879; metadata: created_on 2022_11_22, old_sid 5007814; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dcomp.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dcomp.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dcomp.html; classtype:suspicious-command; sid:5009880; metadata: created_on 2022_11_22, old_sid 5007815; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of defragproxy.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\defragproxy.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/defragproxy.html; classtype:suspicious-command; sid:5009881; metadata: created_on 2022_11_22, old_sid 5007816; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of desktopshellext.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\desktopshellext.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/desktopshellext.html; classtype:suspicious-command; sid:5009882; metadata: created_on 2022_11_22, old_sid 5007817; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of deviceassociation.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\deviceassociation.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/deviceassociation.html; classtype:suspicious-command; sid:5009883; metadata: created_on 2022_11_22, old_sid 5007818; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of devicecredential.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\devicecredential.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/devicecredential.html; classtype:suspicious-command; sid:5009884; metadata: created_on 2022_11_22, old_sid 5007819; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of devicepairing.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\devicepairing.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/devicepairing.html; classtype:suspicious-command; sid:5009885; metadata: created_on 2022_11_22, old_sid 5007820; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of devobj.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\devobj.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/devobj.html; classtype:suspicious-command; sid:5009886; metadata: created_on 2022_11_22, old_sid 5007821; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of devrtl.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\devrtl.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/devrtl.html; classtype:suspicious-command; sid:5009887; metadata: created_on 2022_11_22, old_sid 5007822; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dhcpcmonitor.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dhcpcmonitor.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dhcpcmonitor.html; classtype:suspicious-command; sid:5009888; metadata: created_on 2022_11_22, old_sid 5007823; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dhcpcsvc.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dhcpcsvc.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dhcpcsvc.html; classtype:suspicious-command; sid:5009889; metadata: created_on 2022_11_22, old_sid 5007824; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dhcpcsvc6.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dhcpcsvc6.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dhcpcsvc6.html; classtype:suspicious-command; sid:5009890; metadata: created_on 2022_11_22, old_sid 5007825; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of directmanipulation.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\directmanipulation.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/directmanipulation.html; classtype:suspicious-command; sid:5009891; metadata: created_on 2022_11_22, old_sid 5007826; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dismapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dismapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dismapi.html; classtype:suspicious-command; sid:5009892; metadata: created_on 2022_11_22, old_sid 5007827; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dismcore.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\dism\\,c:\\windows\\syswow64\\dism\\; meta_nocase; content:"\\dismcore.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dismcore.html; classtype:suspicious-command; sid:5009893; metadata: created_on 2022_11_22, old_sid 5007828; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dmcfgutils.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dmcfgutils.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dmcfgutils.html; classtype:suspicious-command; sid:5009894; metadata: created_on 2022_11_22, old_sid 5007829; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dmcmnutils.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dmcmnutils.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dmcmnutils.html; classtype:suspicious-command; sid:5009895; metadata: created_on 2022_11_22, old_sid 5007830; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dmcommandlineutils.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dmcommandlineutils.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dmcommandlineutils.html; classtype:suspicious-command; sid:5009896; metadata: created_on 2022_11_22, old_sid 5007831; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dmenrollengine.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dmenrollengine.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dmenrollengine.html; classtype:suspicious-command; sid:5009897; metadata: created_on 2022_11_22, old_sid 5007832; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dmenterprisediagnostics.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\dmenterprisediagnostics.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dmenterprisediagnostics.html; classtype:suspicious-command; sid:5009898; metadata: created_on 2022_11_22, old_sid 5007833; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dmiso8601utils.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dmiso8601utils.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dmiso8601utils.html; classtype:suspicious-command; sid:5009899; metadata: created_on 2022_11_22, old_sid 5007834; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dmoleaututils.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dmoleaututils.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dmoleaututils.html; classtype:suspicious-command; sid:5009900; metadata: created_on 2022_11_22, old_sid 5007835; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dmprocessxmlfiltered.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dmprocessxmlfiltered.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dmprocessxmlfiltered.html; classtype:suspicious-command; sid:5009901; metadata: created_on 2022_11_22, old_sid 5007836; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dmpushproxy.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dmpushproxy.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dmpushproxy.html; classtype:suspicious-command; sid:5009902; metadata: created_on 2022_11_22, old_sid 5007837; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dmxmlhelputils.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dmxmlhelputils.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dmxmlhelputils.html; classtype:suspicious-command; sid:5009903; metadata: created_on 2022_11_22, old_sid 5007838; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dnsapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dnsapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dnsapi.html; classtype:suspicious-command; sid:5009904; metadata: created_on 2022_11_22, old_sid 5007839; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dot3api.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dot3api.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dot3api.html; classtype:suspicious-command; sid:5009905; metadata: created_on 2022_11_22, old_sid 5007840; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dot3cfg.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dot3cfg.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dot3cfg.html; classtype:suspicious-command; sid:5009906; metadata: created_on 2022_11_22, old_sid 5007841; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dpx.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dpx.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dpx.html; classtype:suspicious-command; sid:5009907; metadata: created_on 2022_11_22, old_sid 5007842; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of drprov.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\drprov.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/drprov.html; classtype:suspicious-command; sid:5009908; metadata: created_on 2022_11_22, old_sid 5007843; rev:1;)
# ---------------------------------------------------------------------------------------------
# DLL search-order hijacking / side-loading detections built from hijacklibs.net entries.
# Source event: Sysmon Event ID 7 (Image loaded). Each rule alerts when the rendered event text
# contains "\<name>.dll" and does NOT contain any of the directories where that DLL legitimately
# lives (meta_content:!"%sagan%",dir1,dir2 -- or content:!"dir" when only one location is known).
#
# Reviewer notes on how these checks actually behave -- read before tuning or triaging:
#  * The negated checks are plain, unanchored substring searches over the whole
#    RenderedDescription (nothing ties them to the ImageLoaded field with offset/distance/within).
#    An EID 7 description also carries the loading process path in "Image:". When the loader
#    itself sits under c:\windows\system32\ (svchost.exe, rundll32.exe, ...) the exclusion matches
#    THAT path and the rule stays silent even if ImageLoaded points at a user-writable directory.
#    A quiet rule therefore means "not matched", not "not happening".
#  * Because the exclusion is a substring and not a full directory comparison, any path that merely
#    contains c:\windows\system32\ is excluded -- including writable subdirectories such as
#    c:\windows\system32\spool\drivers\color\ and c:\windows\system32\tasks\. Loads from there
#    will not alert.
#  * Rules that exclude only c:\windows\system32\ (e.g. dwmcore, dynamoapi, fhsvcctl, fveskybackup,
#    fvewiz) assume no 32-bit copy ships under c:\windows\syswow64\; if one does, expect benign hits
#    from 32-bit processes. Verify against the hijacklibs entry before adding the exclusion.
#  * Signature state (Signed/Signature/SignatureStatus) is not consulted; a replaced DLL inside an
#    excluded directory is out of scope for these rules.
#  * Matching is nocase; the leading "\\" keeps e.g. \\hid.dll from matching \\xhid.dll.
# ---------------------------------------------------------------------------------------------
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of drvstore.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\drvstore.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/drvstore.html; classtype:suspicious-command; sid:5009909; metadata: created_on 2022_11_22, old_sid 5007844; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dsclient.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dsclient.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dsclient.html; classtype:suspicious-command; sid:5009910; metadata: created_on 2022_11_22, old_sid 5007845; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dsparse.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dsparse.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dsparse.html; classtype:suspicious-command; sid:5009911; metadata: created_on 2022_11_22, old_sid 5007846; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dsprop.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dsprop.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dsprop.html; classtype:suspicious-command; sid:5009912; metadata: created_on 2022_11_22, old_sid 5007847; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dsreg.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dsreg.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dsreg.html; classtype:suspicious-command; sid:5009913; metadata: created_on 2022_11_22, old_sid 5007848; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dsrole.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dsrole.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dsrole.html; classtype:suspicious-command; sid:5009914; metadata: created_on 2022_11_22, old_sid 5007849; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dui70.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dui70.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dui70.html; classtype:suspicious-command; sid:5009915; metadata: created_on 2022_11_22, old_sid 5007850; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of duser.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\duser.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/duser.html; classtype:suspicious-command; sid:5009916; metadata: created_on 2022_11_22, old_sid 5007851; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dusmapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dusmapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dusmapi.html; classtype:suspicious-command; sid:5009917; metadata: created_on 2022_11_22, old_sid 5007852; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dwmapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dwmapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dwmapi.html; classtype:suspicious-command; sid:5009918; metadata: created_on 2022_11_22, old_sid 5007853; rev:1;)
# system32-only exclusion (no syswow64 entry) -- see notes at the top of this section.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dwmcore.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\dwmcore.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dwmcore.html; classtype:suspicious-command; sid:5009919; metadata: created_on 2022_11_22, old_sid 5007854; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dwrite.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dwrite.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dwrite.html; classtype:suspicious-command; sid:5009920; metadata: created_on 2022_11_22, old_sid 5007855; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dxcore.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dxcore.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dxcore.html; classtype:suspicious-command; sid:5009921; metadata: created_on 2022_11_22, old_sid 5007856; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dxgi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dxgi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dxgi.html; classtype:suspicious-command; sid:5009922; metadata: created_on 2022_11_22, old_sid 5007857; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dxva2.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\dxva2.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dxva2.html; classtype:suspicious-command; sid:5009923; metadata: created_on 2022_11_22, old_sid 5007858; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of dynamoapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\dynamoapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/dynamoapi.html; classtype:suspicious-command; sid:5009924; metadata: created_on 2022_11_22, old_sid 5007859; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of eappcfg.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\eappcfg.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/eappcfg.html; classtype:suspicious-command; sid:5009925; metadata: created_on 2022_11_22, old_sid 5007860; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of eappprxy.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\eappprxy.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/eappprxy.html; classtype:suspicious-command; sid:5009926; metadata: created_on 2022_11_22, old_sid 5007861; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of edgeiso.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\edgeiso.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/edgeiso.html; classtype:suspicious-command; sid:5009927; metadata: created_on 2022_11_22, old_sid 5007862; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of edputil.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\edputil.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/edputil.html; classtype:suspicious-command; sid:5009928; metadata: created_on 2022_11_22, old_sid 5007863; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of efsadu.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\efsadu.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/efsadu.html; classtype:suspicious-command; sid:5009929; metadata: created_on 2022_11_22, old_sid 5007864; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of efsutil.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\efsutil.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/efsutil.html; classtype:suspicious-command; sid:5009930; metadata: created_on 2022_11_22, old_sid 5007865; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of esent.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\esent.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/esent.html; classtype:suspicious-command; sid:5009931; metadata: created_on 2022_11_22, old_sid 5007866; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of execmodelproxy.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\execmodelproxy.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/execmodelproxy.html; classtype:suspicious-command; sid:5009932; metadata: created_on 2022_11_22, old_sid 5007867; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of explorerframe.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\explorerframe.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/explorerframe.html; classtype:suspicious-command; sid:5009933; metadata: created_on 2022_11_22, old_sid 5007868; rev:1;)
# fastprox.dll: the expected directories are the wbem\ subfolders, so a copy dropped directly in
# c:\windows\system32\ or c:\windows\syswow64\ WILL alert here (intended -- that is the hijack path
# the hijacklibs entry describes; confirm against the entry before excluding it).
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of fastprox.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\wbem\\,c:\\windows\\syswow64\\wbem\\; meta_nocase; content:"\\fastprox.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/fastprox.html; classtype:suspicious-command; sid:5009934; metadata: created_on 2022_11_22, old_sid 5007869; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of faultrep.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\faultrep.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/faultrep.html; classtype:suspicious-command; sid:5009935; metadata: created_on 2022_11_22, old_sid 5007870; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of fddevquery.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\fddevquery.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/fddevquery.html; classtype:suspicious-command; sid:5009936; metadata: created_on 2022_11_22, old_sid 5007871; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of feclient.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\feclient.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/feclient.html; classtype:suspicious-command; sid:5009937; metadata: created_on 2022_11_22, old_sid 5007872; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of fhcfg.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\fhcfg.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/fhcfg.html; classtype:suspicious-command; sid:5009938; metadata: created_on 2022_11_22, old_sid 5007873; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of fhsvcctl.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\fhsvcctl.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/fhsvcctl.html; classtype:suspicious-command; sid:5009939; metadata: created_on 2022_11_22, old_sid 5007874; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of firewallapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\firewallapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/firewallapi.html; classtype:suspicious-command; sid:5009940; metadata: created_on 2022_11_22, old_sid 5007875; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of flightsettings.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\flightsettings.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/flightsettings.html; classtype:suspicious-command; sid:5009941; metadata: created_on 2022_11_22, old_sid 5007876; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of fltlib.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\fltlib.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/fltlib.html; classtype:suspicious-command; sid:5009942; metadata: created_on 2022_11_22, old_sid 5007877; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of framedynos.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\framedynos.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/framedynos.html; classtype:suspicious-command; sid:5009943; metadata: created_on 2022_11_22, old_sid 5007878; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of fveapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\fveapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/fveapi.html; classtype:suspicious-command; sid:5009944; metadata: created_on 2022_11_22, old_sid 5007879; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of fveskybackup.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\fveskybackup.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/fveskybackup.html; classtype:suspicious-command; sid:5009945; metadata: created_on 2022_11_22, old_sid 5007880; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of fvewiz.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\fvewiz.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/fvewiz.html; classtype:suspicious-command; sid:5009946; metadata: created_on 2022_11_22, old_sid 5007881; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of fwbase.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\fwbase.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/fwbase.html; classtype:suspicious-command; sid:5009947; metadata: created_on 2022_11_22, old_sid 5007882; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of fwcfg.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\fwcfg.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/fwcfg.html; classtype:suspicious-command; sid:5009948; metadata: created_on 2022_11_22, old_sid 5007883; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of fwpolicyiomgr.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\fwpolicyiomgr.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/fwpolicyiomgr.html; classtype:suspicious-command; sid:5009949; metadata: created_on 2022_11_22, old_sid 5007884; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of fwpuclnt.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\fwpuclnt.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/fwpuclnt.html; classtype:suspicious-command; sid:5009950; metadata: created_on 2022_11_22, old_sid 5007885; rev:1;)
# NOTE(review): the DriverStore exclusion in the fxsapi/fxstiff rules contains a literal "*"
# (...\filerepository\prnms002.inf_*\amd64\). meta_content compares substrings; unless this Sagan
# build expands wildcards (confirm for the deployed version) that entry never matches a real
# FileRepository directory name. It is also redundant: every path beneath
# c:\windows\system32\driverstore\ already contains "c:\windows\system32\" and is therefore
# excluded by the first entry, because the negated check is an unanchored substring search over
# the whole RenderedDescription (not only the ImageLoaded field). Harmless, but misleading to
# anyone tuning these rules. fxstiff.dll has no syswow64 entry, so a 32-bit copy, if one exists,
# will alert.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of fxsapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\system32\\driverstore\\filerepository\\prnms002.inf_*\\amd64\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\fxsapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/fxsapi.html; classtype:suspicious-command; sid:5009951; metadata: created_on 2022_11_22, old_sid 5007886; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of fxsst.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\fxsst.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/fxsst.html; classtype:suspicious-command; sid:5009952; metadata: created_on 2022_11_22, old_sid 5007887; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of fxstiff.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\system32\\driverstore\\filerepository\\prnms002.inf_*\\amd64\\; meta_nocase; content:"\\fxstiff.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/fxstiff.html; classtype:suspicious-command; sid:5009953; metadata: created_on 2022_11_22, old_sid 5007888; rev:1;)
# Sysmon EID 7 DLL hijack detections (continued). Reminder when triaging: the negated directory
# checks are unanchored substring searches over the whole RenderedDescription, so a loader whose
# own "Image:" path is under c:\windows\system32\ suppresses the alert regardless of where the
# DLL was loaded from, and writable subfolders of system32 (spool\drivers\color\, tasks\) are
# excluded as well.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of getuname.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\getuname.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/getuname.html; classtype:suspicious-command; sid:5009954; metadata: created_on 2022_11_22, old_sid 5007889; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of gpapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\gpapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/gpapi.html; classtype:suspicious-command; sid:5009955; metadata: created_on 2022_11_22, old_sid 5007890; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of hid.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\hid.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/hid.html; classtype:suspicious-command; sid:5009956; metadata: created_on 2022_11_22, old_sid 5007891; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of hnetmon.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\hnetmon.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/hnetmon.html; classtype:suspicious-command; sid:5009957; metadata: created_on 2022_11_22, old_sid 5007892; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of httpapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\httpapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/httpapi.html; classtype:suspicious-command; sid:5009958; metadata: created_on 2022_11_22, old_sid 5007893; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of icmp.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\icmp.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/icmp.html; classtype:suspicious-command; sid:5009959; metadata: created_on 2022_11_22, old_sid 5007894; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of idstore.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\idstore.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/idstore.html; classtype:suspicious-command; sid:5009960; metadata: created_on 2022_11_22, old_sid 5007895; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of ieadvpack.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\ieadvpack.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/ieadvpack.html; classtype:suspicious-command; sid:5009961; metadata: created_on 2022_11_22, old_sid 5007896; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of iedkcs32.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\iedkcs32.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/iedkcs32.html; classtype:suspicious-command; sid:5009962; metadata: created_on 2022_11_22, old_sid 5007897; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of iertutil.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\iertutil.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/iertutil.html; classtype:suspicious-command; sid:5009963; metadata: created_on 2022_11_22, old_sid 5007898; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of ifmon.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\ifmon.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/ifmon.html; classtype:suspicious-command; sid:5009964; metadata: created_on 2022_11_22, old_sid 5007899; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of ifsutil.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\ifsutil.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/ifsutil.html; classtype:suspicious-command; sid:5009965; metadata: created_on 2022_11_22, old_sid 5007900; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of inproclogger.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\inproclogger.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/inproclogger.html; classtype:suspicious-command; sid:5009966; metadata: created_on 2022_11_22, old_sid 5007901; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of iphlpapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\iphlpapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/iphlpapi.html; classtype:suspicious-command; sid:5009967; metadata: created_on 2022_11_22, old_sid 5007902; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of iri.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\iri.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/iri.html; classtype:suspicious-command; sid:5009968; metadata: created_on 2022_11_22, old_sid 5007903; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of iscsidsc.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\iscsidsc.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/iscsidsc.html; classtype:suspicious-command; sid:5009969; metadata: created_on 2022_11_22, old_sid 5007904; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of iscsium.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\iscsium.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/iscsium.html; classtype:suspicious-command; sid:5009970; metadata: created_on 2022_11_22, old_sid 5007905; rev:1;)
# NOTE(review): this rule appears to be dead. The hijacklibs entry name "isv.exe_rsaenh" looks like
# a <loader>_<dll> key (rsaenh.dll as loaded by isv.exe), not a file name; no DLL on disk is called
# isv.exe_rsaenh.dll, so content:"\\isv.exe_rsaenh.dll" can never match an ImageLoaded path. A
# working form would match "\\rsaenh.dll" and scope it to the isv.exe loader (and bump rev) --
# confirm against the referenced entry before changing it, since an unscoped rsaenh.dll rule
# will be noisy.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of isv.exe_rsaenh.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\isv.exe_rsaenh.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/isv.exe_rsaenh.html; classtype:suspicious-command; sid:5009971; metadata: created_on 2022_11_22, old_sid 5007906; rev:1;)
# iumbase / iumsdk / kdstub: system32-only exclusion; a syswow64 copy, if one exists, will alert.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of iumbase.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\iumbase.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/iumbase.html; classtype:suspicious-command; sid:5009972; metadata: created_on 2022_11_22, old_sid 5007907; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of iumsdk.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\iumsdk.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/iumsdk.html; classtype:suspicious-command; sid:5009973; metadata: created_on 2022_11_22, old_sid 5007908; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of joinutil.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\joinutil.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/joinutil.html; classtype:suspicious-command; sid:5009974; metadata: created_on 2022_11_22, old_sid 5007909; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of kdstub.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\kdstub.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/kdstub.html; classtype:suspicious-command; sid:5009975; metadata: created_on 2022_11_22, old_sid 5007910; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of ksuser.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\ksuser.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/ksuser.html; classtype:suspicious-command; sid:5009976; metadata: created_on 2022_11_22, old_sid 5007911; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of ktmw32.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\ktmw32.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/ktmw32.html; classtype:suspicious-command; sid:5009977; metadata: created_on 2022_11_22, old_sid 5007912; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of licensemanagerapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\licensemanagerapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/licensemanagerapi.html; classtype:suspicious-command; sid:5009978; metadata: created_on 2022_11_22, old_sid 5007913; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of licensingdiagspp.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\licensingdiagspp.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/licensingdiagspp.html; classtype:suspicious-command; sid:5009979; metadata: created_on 2022_11_22, old_sid 5007914; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of linkinfo.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\linkinfo.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/linkinfo.html; classtype:suspicious-command; sid:5009980; metadata: created_on 2022_11_22, old_sid 5007915; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of loadperf.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\loadperf.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/loadperf.html; classtype:suspicious-command; sid:5009981; metadata: created_on 2022_11_22, old_sid 5007916; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of lockhostingframework.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\lockhostingframework.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/lockhostingframework.html; classtype:suspicious-command; sid:5009982; metadata: created_on 2022_11_22, old_sid 5007917; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of logoncli.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\logoncli.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/logoncli.html; classtype:suspicious-command; sid:5009983; metadata: created_on 2022_11_22, old_sid 5007918; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of logoncontroller.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\logoncontroller.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/logoncontroller.html; classtype:suspicious-command; sid:5009984; metadata: created_on 2022_11_22, old_sid 5007919; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of lpksetupproxyserv.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\lpksetupproxyserv.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/lpksetupproxyserv.html; classtype:suspicious-command; sid:5009985; metadata: created_on 2022_11_22, old_sid 5007920; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of lrwizdll.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\lrwizdll.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/lrwizdll.html; classtype:suspicious-command; sid:5009986; metadata: created_on 2022_11_22, old_sid 5007921; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of magnification.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\magnification.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/magnification.html; classtype:suspicious-command; sid:5009987; metadata: created_on 2022_11_22, old_sid 5007922; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of maintenanceui.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\maintenanceui.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/maintenanceui.html; classtype:suspicious-command; sid:5009988; metadata: created_on 2022_11_22, old_sid 5007923; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of mapistub.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\mapistub.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/mapistub.html; classtype:suspicious-command; sid:5009989; metadata: created_on 2022_11_22, old_sid 5007924; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of mbaexmlparser.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\mbaexmlparser.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/mbaexmlparser.html; classtype:suspicious-command; sid:5009990; metadata: created_on 2022_11_22, old_sid 5007925; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of mdmdiagnostics.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\mdmdiagnostics.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/mdmdiagnostics.html; classtype:suspicious-command; sid:5009991; metadata: created_on 2022_11_22, old_sid 5007926; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of mfc42u.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\mfc42u.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/mfc42u.html; classtype:suspicious-command; sid:5009992; metadata: created_on 2022_11_22, old_sid 5007927; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of mfcore.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\mfcore.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/mfcore.html; classtype:suspicious-command; sid:5009993; metadata: created_on 2022_11_22, old_sid 5007928; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of mfplat.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\mfplat.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/mfplat.html; classtype:suspicious-command; sid:5009994; metadata: created_on 2022_11_22, old_sid 5007929; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of mi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\mi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/mi.html; classtype:suspicious-command; sid:5009995; metadata: created_on 2022_11_22, old_sid 5007930; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of midimap.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\midimap.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/midimap.html; classtype:suspicious-command; sid:5009996; metadata: created_on 2022_11_22, old_sid 5007931; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of mintdh.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\mintdh.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/mintdh.html; classtype:suspicious-command; sid:5009997; metadata: created_on 2022_11_22, old_sid 5007932; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of miutils.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\miutils.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/miutils.html; classtype:suspicious-command; sid:5009998; metadata: created_on 2022_11_22, old_sid 5007933; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of mlang.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\mlang.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/mlang.html; classtype:suspicious-command; sid:5009999; metadata: created_on 2022_11_22, old_sid 5007934; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of mmdevapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\mmdevapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/mmdevapi.html; classtype:suspicious-command; sid:5010000; metadata: created_on 2022_11_22, old_sid 5007935; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of mobilenetworking.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\mobilenetworking.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/mobilenetworking.html; classtype:suspicious-command; sid:5010001; metadata: created_on 2022_11_22, old_sid 5007936; rev:1;)
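# Defender's mpclient.dll is expected under the two "Windows Defender" program
# directories and under ProgramData\Microsoft\Windows Defender\Platform\<ver>\.
# The original third exclusion ended in a literal "*\" — content matching has
# no wildcard, so that value never matched a real path and every legitimate
# load from the Platform tree alerted. Since content is a substring match the
# "Platform\" prefix alone covers the versioned subdirectories; rev bumped.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of mpclient.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\program files\\Windows Defender\\,c:\\program files (x86)\\Windows Defender\\,c:\\programdata\\Microsoft\\Windows Defender\\Platform\\; meta_nocase; content:"\\mpclient.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/mpclient.html; classtype:suspicious-command; sid:5010002; metadata: created_on 2022_11_22, old_sid 5007937; rev:2;)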
# mpr.dll / mprapi.dll: alert on any load whose event text lacks both the
# system32 and syswow64 paths (see the referenced hijacklibs entries for the
# expected locations).
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of mpr.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\mpr.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/mpr.html; classtype:suspicious-command; sid:5010003; metadata: created_on 2022_11_22, old_sid 5007938; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of mprapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\mprapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/mprapi.html; classtype:suspicious-command; sid:5010004; metadata: created_on 2022_11_22, old_sid 5007939; rev:1;)
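# Defender's mpsvc.dll is expected under ProgramData\Microsoft\Windows
# Defender\Platform\<ver>\. The original exclusion ended in a literal "*\" —
# content matching has no wildcard, so it never matched a real path and every
# legitimate load alerted; worse, the trailing backslash sat directly before
# the closing quote, which a rule parser may read as an escaped quote and
# mis-parse the remaining options. The "Platform\" prefix is a substring
# match and covers the versioned subdirectories; rev bumped.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of mpsvc.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\programdata\\Microsoft\\Windows Defender\\Platform\\"; nocase; content:"\\mpsvc.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/mpsvc.html; classtype:suspicious-command; sid:5010005; metadata: created_on 2022_11_22, old_sid 5007940; rev:2;)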
# Remaining hijacklibs.net entries (mrmcorer … ninput). Rules with
# meta_content:!... exclude system32 and syswow64, rules with content:!...
# exclude system32 only; the negated match is evaluated against the whole
# mapped message rather than the ImageLoaded field alone, so a loader path
# that itself lives in system32 could mask a DLL loaded from elsewhere —
# confirm against a sample event before relying on these for alerting.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of mrmcorer.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\mrmcorer.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/mrmcorer.html; classtype:suspicious-command; sid:5010006; metadata: created_on 2022_11_22, old_sid 5007941; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of msacm32.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\msacm32.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/msacm32.html; classtype:suspicious-command; sid:5010007; metadata: created_on 2022_11_22, old_sid 5007942; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of mscms.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\mscms.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/mscms.html; classtype:suspicious-command; sid:5010008; metadata: created_on 2022_11_22, old_sid 5007943; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of mscoree.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\mscoree.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/mscoree.html; classtype:suspicious-command; sid:5010009; metadata: created_on 2022_11_22, old_sid 5007944; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of msctf.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\msctf.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/msctf.html; classtype:suspicious-command; sid:5010010; metadata: created_on 2022_11_22, old_sid 5007945; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of msctfmonitor.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\msctfmonitor.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/msctfmonitor.html; classtype:suspicious-command; sid:5010011; metadata: created_on 2022_11_22, old_sid 5007946; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of msdrm.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\msdrm.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/msdrm.html; classtype:suspicious-command; sid:5010012; metadata: created_on 2022_11_22, old_sid 5007947; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of msdtctm.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\msdtctm.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/msdtctm.html; classtype:suspicious-command; sid:5010013; metadata: created_on 2022_11_22, old_sid 5007948; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of msftedit.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\msftedit.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/msftedit.html; classtype:suspicious-command; sid:5010014; metadata: created_on 2022_11_22, old_sid 5007949; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of msi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\msi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/msi.html; classtype:suspicious-command; sid:5010015; metadata: created_on 2022_11_22, old_sid 5007950; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of msiso.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\msiso.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/msiso.html; classtype:suspicious-command; sid:5010016; metadata: created_on 2022_11_22, old_sid 5007951; rev:1;)
# NOTE(review): mstracer.dll has no expected-location exclusion, so this rule
# fires on every load of the DLL. That is correct only if the referenced
# hijacklibs entry lists no expected location (a DLL not normally present on
# the system); otherwise add the install directory exclusion as in the
# neighbouring rules — confirm against the entry before deploying.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of mstracer.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:"\\mstracer.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/mstracer.html; classtype:suspicious-command; sid:5010017; metadata: created_on 2022_11_22, old_sid 5007952; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of msutb.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\msutb.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/msutb.html; classtype:suspicious-command; sid:5010018; metadata: created_on 2022_11_22, old_sid 5007953; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of msvcp110_win.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\msvcp110_win.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/msvcp110_win.html; classtype:suspicious-command; sid:5010019; metadata: created_on 2022_11_22, old_sid 5007954; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of mswb7.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\mswb7.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/mswb7.html; classtype:suspicious-command; sid:5010020; metadata: created_on 2022_11_22, old_sid 5007955; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of mswsock.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\mswsock.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/mswsock.html; classtype:suspicious-command; sid:5010021; metadata: created_on 2022_11_22, old_sid 5007956; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of msxml3.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\msxml3.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/msxml3.html; classtype:suspicious-command; sid:5010022; metadata: created_on 2022_11_22, old_sid 5007957; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of mtxclu.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\mtxclu.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/mtxclu.html; classtype:suspicious-command; sid:5010023; metadata: created_on 2022_11_22, old_sid 5007958; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of napinsp.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\napinsp.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/napinsp.html; classtype:suspicious-command; sid:5010024; metadata: created_on 2022_11_22, old_sid 5007959; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of ncrypt.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\ncrypt.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/ncrypt.html; classtype:suspicious-command; sid:5010025; metadata: created_on 2022_11_22, old_sid 5007960; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of ndfapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\ndfapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/ndfapi.html; classtype:suspicious-command; sid:5010026; metadata: created_on 2022_11_22, old_sid 5007961; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of netapi32.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\netapi32.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/netapi32.html; classtype:suspicious-command; sid:5010027; metadata: created_on 2022_11_22, old_sid 5007962; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of netid.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\netid.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/netid.html; classtype:suspicious-command; sid:5010028; metadata: created_on 2022_11_22, old_sid 5007963; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of netiohlp.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\netiohlp.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/netiohlp.html; classtype:suspicious-command; sid:5010029; metadata: created_on 2022_11_22, old_sid 5007964; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of netjoin.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\netjoin.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/netjoin.html; classtype:suspicious-command; sid:5010030; metadata: created_on 2022_11_22, old_sid 5007965; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of netplwiz.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\netplwiz.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/netplwiz.html; classtype:suspicious-command; sid:5010031; metadata: created_on 2022_11_22, old_sid 5007966; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of netprofm.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\netprofm.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/netprofm.html; classtype:suspicious-command; sid:5010032; metadata: created_on 2022_11_22, old_sid 5007967; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of netprovfw.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\netprovfw.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/netprovfw.html; classtype:suspicious-command; sid:5010033; metadata: created_on 2022_11_22, old_sid 5007968; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of netsetupapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\netsetupapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/netsetupapi.html; classtype:suspicious-command; sid:5010034; metadata: created_on 2022_11_22, old_sid 5007969; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of netshell.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\netshell.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/netshell.html; classtype:suspicious-command; sid:5010035; metadata: created_on 2022_11_22, old_sid 5007970; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of nettrace.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\nettrace.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/nettrace.html; classtype:suspicious-command; sid:5010036; metadata: created_on 2022_11_22, old_sid 5007971; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of netutils.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\netutils.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/netutils.html; classtype:suspicious-command; sid:5010037; metadata: created_on 2022_11_22, old_sid 5007972; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of networkexplorer.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\networkexplorer.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/networkexplorer.html; classtype:suspicious-command; sid:5010038; metadata: created_on 2022_11_22, old_sid 5007973; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of newdev.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\newdev.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/newdev.html; classtype:suspicious-command; sid:5010039; metadata: created_on 2022_11_22, old_sid 5007974; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of ninput.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\ninput.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/ninput.html; classtype:suspicious-command; sid:5010040; metadata: created_on 2022_11_22, old_sid 5007975; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of nlaapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\nlaapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/nlaapi.html; classtype:suspicious-command; sid:5010041; metadata: created_on 2022_11_22, old_sid 5007976; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of nlansp_c.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\nlansp_c.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/nlansp_c.html; classtype:suspicious-command; sid:5010042; metadata: created_on 2022_11_22, old_sid 5007977; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of npmproxy.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\npmproxy.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/npmproxy.html; classtype:suspicious-command; sid:5010043; metadata: created_on 2022_11_22, old_sid 5007978; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of nshhttp.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\nshhttp.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/nshhttp.html; classtype:suspicious-command; sid:5010044; metadata: created_on 2022_11_22, old_sid 5007979; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of nshipsec.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\nshipsec.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/nshipsec.html; classtype:suspicious-command; sid:5010045; metadata: created_on 2022_11_22, old_sid 5007980; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of nshwfp.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\nshwfp.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/nshwfp.html; classtype:suspicious-command; sid:5010046; metadata: created_on 2022_11_22, old_sid 5007981; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of ntdsapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\ntdsapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/ntdsapi.html; classtype:suspicious-command; sid:5010047; metadata: created_on 2022_11_22, old_sid 5007982; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of ntlanman.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\ntlanman.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/ntlanman.html; classtype:suspicious-command; sid:5010048; metadata: created_on 2022_11_22, old_sid 5007983; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of ntlmshared.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\ntlmshared.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/ntlmshared.html; classtype:suspicious-command; sid:5010049; metadata: created_on 2022_11_22, old_sid 5007984; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of ntmarta.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\ntmarta.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/ntmarta.html; classtype:suspicious-command; sid:5010050; metadata: created_on 2022_11_22, old_sid 5007985; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of ntshrui.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\ntshrui.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/ntshrui.html; classtype:suspicious-command; sid:5010051; metadata: created_on 2022_11_22, old_sid 5007986; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of oci.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:"\\oci.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/oci.html; classtype:suspicious-command; sid:5010052; metadata: created_on 2022_11_22, old_sid 5007987; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of oleacc.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\oleacc.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/oleacc.html; classtype:suspicious-command; sid:5010053; metadata: created_on 2022_11_22, old_sid 5007988; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of omadmapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\omadmapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/omadmapi.html; classtype:suspicious-command; sid:5010054; metadata: created_on 2022_11_22, old_sid 5007989; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of onex.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\onex.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/onex.html; classtype:suspicious-command; sid:5010055; metadata: created_on 2022_11_22, old_sid 5007990; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of opcservices.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\opcservices.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/opcservices.html; classtype:suspicious-command; sid:5010056; metadata: created_on 2022_11_22, old_sid 5007991; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of osbaseln.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\osbaseln.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/osbaseln.html; classtype:suspicious-command; sid:5010057; metadata: created_on 2022_11_22, old_sid 5007992; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of osksupport.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\osksupport.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/osksupport.html; classtype:suspicious-command; sid:5010058; metadata: created_on 2022_11_22, old_sid 5007993; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of osuninst.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\osuninst.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/osuninst.html; classtype:suspicious-command; sid:5010059; metadata: created_on 2022_11_22, old_sid 5007994; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of p2p.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\p2p.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/p2p.html; classtype:suspicious-command; sid:5010060; metadata: created_on 2022_11_22, old_sid 5007995; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of p2pnetsh.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\p2pnetsh.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/p2pnetsh.html; classtype:suspicious-command; sid:5010061; metadata: created_on 2022_11_22, old_sid 5007996; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of p9np.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\p9np.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/p9np.html; classtype:suspicious-command; sid:5010062; metadata: created_on 2022_11_22, old_sid 5007997; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of pcaui.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\pcaui.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/pcaui.html; classtype:suspicious-command; sid:5010063; metadata: created_on 2022_11_22, old_sid 5007998; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of pdh.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\pdh.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/pdh.html; classtype:suspicious-command; sid:5010064; metadata: created_on 2022_11_22, old_sid 5007999; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of peerdistsh.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\peerdistsh.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/peerdistsh.html; classtype:suspicious-command; sid:5010065; metadata: created_on 2022_11_22, old_sid 5008000; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of pkeyhelper.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\pkeyhelper.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/pkeyhelper.html; classtype:suspicious-command; sid:5010066; metadata: created_on 2022_11_22, old_sid 5008001; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of pla.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\pla.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/pla.html; classtype:suspicious-command; sid:5010067; metadata: created_on 2022_11_22, old_sid 5008002; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of playsndsrv.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\playsndsrv.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/playsndsrv.html; classtype:suspicious-command; sid:5010068; metadata: created_on 2022_11_22, old_sid 5008003; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of pnrpnsp.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\pnrpnsp.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/pnrpnsp.html; classtype:suspicious-command; sid:5010069; metadata: created_on 2022_11_22, old_sid 5008004; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of policymanager.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\policymanager.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/policymanager.html; classtype:suspicious-command; sid:5010070; metadata: created_on 2022_11_22, old_sid 5008005; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of polstore.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\polstore.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/polstore.html; classtype:suspicious-command; sid:5010071; metadata: created_on 2022_11_22, old_sid 5008006; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of powrprof.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\powrprof.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/powrprof.html; classtype:suspicious-command; sid:5010072; metadata: created_on 2022_11_22, old_sid 5008007; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of printui.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\printui.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/printui.html; classtype:suspicious-command; sid:5010073; metadata: created_on 2022_11_22, old_sid 5008008; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of prntvpt.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\prntvpt.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/prntvpt.html; classtype:suspicious-command; sid:5010074; metadata: created_on 2022_11_22, old_sid 5008009; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of profapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\profapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/profapi.html; classtype:suspicious-command; sid:5010075; metadata: created_on 2022_11_22, old_sid 5008010; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of propsys.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\propsys.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/propsys.html; classtype:suspicious-command; sid:5010076; metadata: created_on 2022_11_22, old_sid 5008011; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of proximitycommon.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\proximitycommon.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/proximitycommon.html; classtype:suspicious-command; sid:5010077; metadata: created_on 2022_11_22, old_sid 5008012; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of proximityservicepal.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\proximityservicepal.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/proximityservicepal.html; classtype:suspicious-command; sid:5010078; metadata: created_on 2022_11_22, old_sid 5008013; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of prvdmofcomp.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\prvdmofcomp.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/prvdmofcomp.html; classtype:suspicious-command; sid:5010079; metadata: created_on 2022_11_22, old_sid 5008014; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of puiapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\puiapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/puiapi.html; classtype:suspicious-command; sid:5010080; metadata: created_on 2022_11_22, old_sid 5008015; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of radcui.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\radcui.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/radcui.html; classtype:suspicious-command; sid:5010081; metadata: created_on 2022_11_22, old_sid 5008016; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of rasapi32.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\rasapi32.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/rasapi32.html; classtype:suspicious-command; sid:5010082; metadata: created_on 2022_11_22, old_sid 5008017; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of rasdlg.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\rasdlg.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/rasdlg.html; classtype:suspicious-command; sid:5010083; metadata: created_on 2022_11_22, old_sid 5008018; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of rasgcw.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\rasgcw.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/rasgcw.html; classtype:suspicious-command; sid:5010084; metadata: created_on 2022_11_22, old_sid 5008019; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of rasman.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\rasman.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/rasman.html; classtype:suspicious-command; sid:5010085; metadata: created_on 2022_11_22, old_sid 5008020; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of rasmontr.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\rasmontr.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/rasmontr.html; classtype:suspicious-command; sid:5010086; metadata: created_on 2022_11_22, old_sid 5008021; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of reagent.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\reagent.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/reagent.html; classtype:suspicious-command; sid:5010087; metadata: created_on 2022_11_22, old_sid 5008022; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of regapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\regapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/regapi.html; classtype:suspicious-command; sid:5010088; metadata: created_on 2022_11_22, old_sid 5008023; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of reseteng.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\reseteng.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/reseteng.html; classtype:suspicious-command; sid:5010089; metadata: created_on 2022_11_22, old_sid 5008024; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of resetengine.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\resetengine.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/resetengine.html; classtype:suspicious-command; sid:5010090; metadata: created_on 2022_11_22, old_sid 5008025; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of resutils.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\resutils.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/resutils.html; classtype:suspicious-command; sid:5010091; metadata: created_on 2022_11_22, old_sid 5008026; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of rmclient.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\rmclient.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/rmclient.html; classtype:suspicious-command; sid:5010092; metadata: created_on 2022_11_22, old_sid 5008027; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of rpcnsh.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\rpcnsh.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/rpcnsh.html; classtype:suspicious-command; sid:5010093; metadata: created_on 2022_11_22, old_sid 5008028; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of rsaenh.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\rsaenh.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/rsaenh.html; classtype:suspicious-command; sid:5010094; metadata: created_on 2022_11_22, old_sid 5008029; rev:1;)
# Sysmon Event ID 7 (image loaded) candidates for DLL search-order hijacking,
# one rule per hijacklibs.net "built-in" entry. Each rule fires when the
# rendered event text contains the named DLL but none of the paths listed in
# meta_content:! (the library's expected location under system32 / syswow64);
# meta_nocase / nocase make both checks case-insensitive. sid = old_sid + 2065
# throughout this section.
# NOTE(review): the negated path list is matched against the whole rendered
# message, which in a Sysmon 7 event normally also carries the loading
# process's "Image:" path — a loader that itself lives under system32 would
# then suppress the alert even when ImageLoaded points at a writable directory.
# Confirm against a sample event; if so, bind the exclusion to the ImageLoaded
# field instead (e.g. a pcre on "ImageLoaded: " with a negative lookahead for
# the two system paths).
# NOTE(review): some rules (e.g. sid:5010109, sid:5010114) use a plain
# content:!"c:\\windows\\system32\\" and do not exclude syswow64 — verify that
# this is deliberate (no 32-bit copy of that DLL) rather than an older rule form.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of rtutils.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\rtutils.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/rtutils.html; classtype:suspicious-command; sid:5010095; metadata: created_on 2022_11_22, old_sid 5008030; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of rtworkq.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\rtworkq.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/rtworkq.html; classtype:suspicious-command; sid:5010096; metadata: created_on 2022_11_22, old_sid 5008031; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of samcli.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\samcli.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/samcli.html; classtype:suspicious-command; sid:5010097; metadata: created_on 2022_11_22, old_sid 5008032; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of samlib.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\samlib.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/samlib.html; classtype:suspicious-command; sid:5010098; metadata: created_on 2022_11_22, old_sid 5008033; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of sapi_onecore.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\sapi_onecore.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/sapi_onecore.html; classtype:suspicious-command; sid:5010099; metadata: created_on 2022_11_22, old_sid 5008034; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of sas.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\sas.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/sas.html; classtype:suspicious-command; sid:5010100; metadata: created_on 2022_11_22, old_sid 5008035; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of scansetting.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\scansetting.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/scansetting.html; classtype:suspicious-command; sid:5010101; metadata: created_on 2022_11_22, old_sid 5008036; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of scecli.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\scecli.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/scecli.html; classtype:suspicious-command; sid:5010102; metadata: created_on 2022_11_22, old_sid 5008037; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of schedcli.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\schedcli.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/schedcli.html; classtype:suspicious-command; sid:5010103; metadata: created_on 2022_11_22, old_sid 5008038; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of secur32.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\secur32.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/secur32.html; classtype:suspicious-command; sid:5010104; metadata: created_on 2022_11_22, old_sid 5008039; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of security.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\security.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/security.html; classtype:suspicious-command; sid:5010105; metadata: created_on 2022_11_22, old_sid 5008040; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of shell32.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\shell32.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/shell32.html; classtype:suspicious-command; sid:5010106; metadata: created_on 2022_11_22, old_sid 5008041; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of slc.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\slc.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/slc.html; classtype:suspicious-command; sid:5010107; metadata: created_on 2022_11_22, old_sid 5008042; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of snmpapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\snmpapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/snmpapi.html; classtype:suspicious-command; sid:5010108; metadata: created_on 2022_11_22, old_sid 5008043; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of spectrumsyncclient.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\spectrumsyncclient.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/spectrumsyncclient.html; classtype:suspicious-command; sid:5010109; metadata: created_on 2022_11_22, old_sid 5008044; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of spp.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\spp.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/spp.html; classtype:suspicious-command; sid:5010110; metadata: created_on 2022_11_22, old_sid 5008045; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of sppc.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\sppc.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/sppc.html; classtype:suspicious-command; sid:5010111; metadata: created_on 2022_11_22, old_sid 5008046; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of sppcext.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\sppcext.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/sppcext.html; classtype:suspicious-command; sid:5010112; metadata: created_on 2022_11_22, old_sid 5008047; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of srclient.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\srclient.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/srclient.html; classtype:suspicious-command; sid:5010113; metadata: created_on 2022_11_22, old_sid 5008048; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of srcore.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\srcore.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/srcore.html; classtype:suspicious-command; sid:5010114; metadata: created_on 2022_11_22, old_sid 5008049; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of srmtrace.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\srmtrace.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/srmtrace.html; classtype:suspicious-command; sid:5010115; metadata: created_on 2022_11_22, old_sid 5008050; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of srpapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\srpapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/srpapi.html; classtype:suspicious-command; sid:5010116; metadata: created_on 2022_11_22, old_sid 5008051; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of srvcli.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\srvcli.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/srvcli.html; classtype:suspicious-command; sid:5010117; metadata: created_on 2022_11_22, old_sid 5008052; rev:1;)
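# hijacklibs keys these two rsaenh.dll entries by the loading executable
# (ssp.exe / ssp_isv.exe). The generated content strings "\ssp.exe_rsaenh.dll"
# and "\ssp_isv.exe_rsaenh.dll" were the entry slugs, not file names, so the
# rules could never match a real ImageLoaded path. Match the DLL name and scope
# each rule to its loader's image name, keeping one sid per entry (rev bumped).
# NOTE(review): the exclusion list is still applied to the whole message, as in
# the sibling rules — confirm that is the intended behaviour for a loader that
# itself lives under system32.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of rsaenh.dll (loaded by ssp.exe)"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\ssp.exe"; nocase; content:"\\rsaenh.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/ssp.exe_rsaenh.html; classtype:suspicious-command; sid:5010118; metadata: created_on 2022_11_22, old_sid 5008053; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of rsaenh.dll (loaded by ssp_isv.exe)"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\ssp_isv.exe"; nocase; content:"\\rsaenh.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/ssp_isv.exe_rsaenh.html; classtype:suspicious-command; sid:5010119; metadata: created_on 2022_11_22, old_sid 5008054; rev:2;)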
# Same shape as the rules above: alert on the named DLL being loaded from
# anywhere other than system32 / syswow64 (case-insensitive on both checks).
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of sspicli.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\sspicli.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/sspicli.html; classtype:suspicious-command; sid:5010120; metadata: created_on 2022_11_22, old_sid 5008055; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of ssshim.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\ssshim.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/ssshim.html; classtype:suspicious-command; sid:5010121; metadata: created_on 2022_11_22, old_sid 5008056; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of staterepository.core.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\staterepository.core.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/staterepository.core.html; classtype:suspicious-command; sid:5010122; metadata: created_on 2022_11_22, old_sid 5008057; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of structuredquery.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\structuredquery.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/structuredquery.html; classtype:suspicious-command; sid:5010123; metadata: created_on 2022_11_22, old_sid 5008058; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of sxshared.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\sxshared.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/sxshared.html; classtype:suspicious-command; sid:5010124; metadata: created_on 2022_11_22, old_sid 5008059; rev:1;)
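# Dropped the stray json_map:"username",".Computer" that only this rule carried:
# it mapped the host name into the username field, unlike the neighbouring
# rules, which map only event_id and message. Detection logic is unchanged
# (rev bumped for the metadata change).
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of systemsettingsthresholdadminflowui.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\systemsettingsthresholdadminflowui.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/systemsettingsthresholdadminflowui.html; classtype:suspicious-command; sid:5010125; metadata: created_on 2022_11_22, old_sid 5008060; rev:2;)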
# Remaining hijacklibs "built-in" entries, same shape as above.
# sid:5010156 / sid:5010157 (wbemprox.dll, wbemsvc.dll) exclude the wbem\
# subfolder rather than system32\ itself, so a copy dropped directly into
# system32 or syswow64 would also alert — the expected location for those two is
# the wbem subdirectory.
# NOTE(review): sid:5010129, 5010142, 5010144 and 5010159 use the single-path
# content:!"c:\\windows\\system32\\" form and do not exclude syswow64 — verify
# that is deliberate for those DLLs.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of tapi32.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\tapi32.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/tapi32.html; classtype:suspicious-command; sid:5010126; metadata: created_on 2022_11_22, old_sid 5008061; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of tbs.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\tbs.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/tbs.html; classtype:suspicious-command; sid:5010127; metadata: created_on 2022_11_22, old_sid 5008062; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of tdh.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\tdh.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/tdh.html; classtype:suspicious-command; sid:5010128; metadata: created_on 2022_11_22, old_sid 5008063; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of timesync.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\timesync.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/timesync.html; classtype:suspicious-command; sid:5010129; metadata: created_on 2022_11_22, old_sid 5008064; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of tpmcoreprovisioning.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\tpmcoreprovisioning.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/tpmcoreprovisioning.html; classtype:suspicious-command; sid:5010130; metadata: created_on 2022_11_22, old_sid 5008065; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of tquery.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\tquery.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/tquery.html; classtype:suspicious-command; sid:5010131; metadata: created_on 2022_11_22, old_sid 5008066; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of tsworkspace.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\tsworkspace.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/tsworkspace.html; classtype:suspicious-command; sid:5010132; metadata: created_on 2022_11_22, old_sid 5008067; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of ttdrecord.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\ttdrecord.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/ttdrecord.html; classtype:suspicious-command; sid:5010133; metadata: created_on 2022_11_22, old_sid 5008068; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of twext.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\twext.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/twext.html; classtype:suspicious-command; sid:5010134; metadata: created_on 2022_11_22, old_sid 5008069; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of twinapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\twinapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/twinapi.html; classtype:suspicious-command; sid:5010135; metadata: created_on 2022_11_22, old_sid 5008070; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of twinui.appcore.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\twinui.appcore.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/twinui.appcore.html; classtype:suspicious-command; sid:5010136; metadata: created_on 2022_11_22, old_sid 5008071; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of uianimation.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\uianimation.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/uianimation.html; classtype:suspicious-command; sid:5010137; metadata: created_on 2022_11_22, old_sid 5008072; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of uiautomationcore.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\uiautomationcore.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/uiautomationcore.html; classtype:suspicious-command; sid:5010138; metadata: created_on 2022_11_22, old_sid 5008073; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of uireng.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\uireng.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/uireng.html; classtype:suspicious-command; sid:5010139; metadata: created_on 2022_11_22, old_sid 5008074; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of uiribbon.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\uiribbon.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/uiribbon.html; classtype:suspicious-command; sid:5010140; metadata: created_on 2022_11_22, old_sid 5008075; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of umpdc.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\umpdc.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/umpdc.html; classtype:suspicious-command; sid:5010141; metadata: created_on 2022_11_22, old_sid 5008076; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of unattend.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\unattend.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/unattend.html; classtype:suspicious-command; sid:5010142; metadata: created_on 2022_11_22, old_sid 5008077; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of updatepolicy.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\updatepolicy.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/updatepolicy.html; classtype:suspicious-command; sid:5010143; metadata: created_on 2022_11_22, old_sid 5008078; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of upshared.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\upshared.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/upshared.html; classtype:suspicious-command; sid:5010144; metadata: created_on 2022_11_22, old_sid 5008079; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of urlmon.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\urlmon.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/urlmon.html; classtype:suspicious-command; sid:5010145; metadata: created_on 2022_11_22, old_sid 5008080; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of userenv.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\userenv.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/userenv.html; classtype:suspicious-command; sid:5010146; metadata: created_on 2022_11_22, old_sid 5008081; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of utildll.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\utildll.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/utildll.html; classtype:suspicious-command; sid:5010147; metadata: created_on 2022_11_22, old_sid 5008082; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of uxinit.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\uxinit.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/uxinit.html; classtype:suspicious-command; sid:5010148; metadata: created_on 2022_11_22, old_sid 5008083; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of uxtheme.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\uxtheme.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/uxtheme.html; classtype:suspicious-command; sid:5010149; metadata: created_on 2022_11_22, old_sid 5008084; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of vaultcli.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\vaultcli.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/vaultcli.html; classtype:suspicious-command; sid:5010150; metadata: created_on 2022_11_22, old_sid 5008085; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of vdsutil.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\vdsutil.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/vdsutil.html; classtype:suspicious-command; sid:5010151; metadata: created_on 2022_11_22, old_sid 5008086; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of version.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\version.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/version.html; classtype:suspicious-command; sid:5010152; metadata: created_on 2022_11_22, old_sid 5008087; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of virtdisk.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\virtdisk.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/virtdisk.html; classtype:suspicious-command; sid:5010153; metadata: created_on 2022_11_22, old_sid 5008088; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of vssapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\vssapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/vssapi.html; classtype:suspicious-command; sid:5010154; metadata: created_on 2022_11_22, old_sid 5008089; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of vsstrace.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\vsstrace.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/vsstrace.html; classtype:suspicious-command; sid:5010155; metadata: created_on 2022_11_22, old_sid 5008090; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wbemprox.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\wbem\\,c:\\windows\\syswow64\\wbem\\; meta_nocase; content:"\\wbemprox.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wbemprox.html; classtype:suspicious-command; sid:5010156; metadata: created_on 2022_11_22, old_sid 5008091; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wbemsvc.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\wbem\\,c:\\windows\\syswow64\\wbem\\; meta_nocase; content:"\\wbemsvc.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wbemsvc.html; classtype:suspicious-command; sid:5010157; metadata: created_on 2022_11_22, old_sid 5008092; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wcmapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wcmapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wcmapi.html; classtype:suspicious-command; sid:5010158; metadata: created_on 2022_11_22, old_sid 5008093; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wcnnetsh.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\wcnnetsh.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wcnnetsh.html; classtype:suspicious-command; sid:5010159; metadata: created_on 2022_11_22, old_sid 5008094; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wdi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wdi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wdi.html; classtype:suspicious-command; sid:5010160; metadata: created_on 2022_11_22, old_sid 5008095; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wdscore.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wdscore.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wdscore.html; classtype:suspicious-command; sid:5010161; metadata: created_on 2022_11_22, old_sid 5008096; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of webservices.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\webservices.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/webservices.html; classtype:suspicious-command; sid:5010162; metadata: created_on 2022_11_22, old_sid 5008097; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wecapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wecapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wecapi.html; classtype:suspicious-command; sid:5010163; metadata: created_on 2022_11_22, old_sid 5008098; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wer.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wer.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wer.html; classtype:suspicious-command; sid:5010164; metadata: created_on 2022_11_22, old_sid 5008099; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wevtapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wevtapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wevtapi.html; classtype:suspicious-command; sid:5010165; metadata: created_on 2022_11_22, old_sid 5008100; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of whhelper.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\whhelper.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/whhelper.html; classtype:suspicious-command; sid:5010166; metadata: created_on 2022_11_22, old_sid 5008101; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wimgapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wimgapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wimgapi.html; classtype:suspicious-command; sid:5010167; metadata: created_on 2022_11_22, old_sid 5008102; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of winbio.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\winbio.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/winbio.html; classtype:suspicious-command; sid:5010168; metadata: created_on 2022_11_22, old_sid 5008103; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of winbrand.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\winbrand.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/winbrand.html; classtype:suspicious-command; sid:5010169; metadata: created_on 2022_11_22, old_sid 5008104; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of windows.storage.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\windows.storage.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/windows.storage.html; classtype:suspicious-command; sid:5010170; metadata: created_on 2022_11_22, old_sid 5008105; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of windows.storage.search.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\windows.storage.search.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/windows.storage.search.html; classtype:suspicious-command; sid:5010171; metadata: created_on 2022_11_22, old_sid 5008106; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of windows.ui.immersive.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\windows.ui.immersive.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/windows.ui.immersive.html; classtype:suspicious-command; sid:5010172; metadata: created_on 2022_11_22, old_sid 5008107; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of windowscodecs.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\windowscodecs.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/windowscodecs.html; classtype:suspicious-command; sid:5010173; metadata: created_on 2022_11_22, old_sid 5008108; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of windowscodecsext.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\windowscodecsext.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/windowscodecsext.html; classtype:suspicious-command; sid:5010174; metadata: created_on 2022_11_22, old_sid 5008109; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of windowsperformancerecordercontrol.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\program files\\windows kits\\10\\windows performance toolkit\\,c:\\program files (x86)\\windows kits\\10\\windows performance toolkit\\,c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\windowsperformancerecordercontrol.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/windowsperformancerecordercontrol.html; classtype:suspicious-command; sid:5010175; metadata: created_on 2022_11_22, old_sid 5008110; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of windowsudk.shellcommon.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\windowsudk.shellcommon.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/windowsudk.shellcommon.html; classtype:suspicious-command; sid:5010176; metadata: created_on 2022_11_22, old_sid 5008111; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of winhttp.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\winhttp.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/winhttp.html; classtype:suspicious-command; sid:5010177; metadata: created_on 2022_11_22, old_sid 5008112; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wininet.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wininet.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wininet.html; classtype:suspicious-command; sid:5010178; metadata: created_on 2022_11_22, old_sid 5008113; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of winipsec.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\winipsec.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/winipsec.html; classtype:suspicious-command; sid:5010179; metadata: created_on 2022_11_22, old_sid 5008114; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of winmde.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\winmde.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/winmde.html; classtype:suspicious-command; sid:5010180; metadata: created_on 2022_11_22, old_sid 5008115; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of winmm.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\winmm.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/winmm.html; classtype:suspicious-command; sid:5010181; metadata: created_on 2022_11_22, old_sid 5008116; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of winnsi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\winnsi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/winnsi.html; classtype:suspicious-command; sid:5010182; metadata: created_on 2022_11_22, old_sid 5008117; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of winrnr.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\winrnr.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/winrnr.html; classtype:suspicious-command; sid:5010183; metadata: created_on 2022_11_22, old_sid 5008118; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of winscard.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\winscard.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/winscard.html; classtype:suspicious-command; sid:5010184; metadata: created_on 2022_11_22, old_sid 5008119; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of winsqlite3.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\winsqlite3.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/winsqlite3.html; classtype:suspicious-command; sid:5010185; metadata: created_on 2022_11_22, old_sid 5008120; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of winsta.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\winsta.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/winsta.html; classtype:suspicious-command; sid:5010186; metadata: created_on 2022_11_22, old_sid 5008121; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of winsync.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\winsync.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/winsync.html; classtype:suspicious-command; sid:5010187; metadata: created_on 2022_11_22, old_sid 5008122; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wkscli.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wkscli.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wkscli.html; classtype:suspicious-command; sid:5010188; metadata: created_on 2022_11_22, old_sid 5008123; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wlanapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wlanapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wlanapi.html; classtype:suspicious-command; sid:5010189; metadata: created_on 2022_11_22, old_sid 5008124; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wlancfg.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wlancfg.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wlancfg.html; classtype:suspicious-command; sid:5010190; metadata: created_on 2022_11_22, old_sid 5008125; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wlbsctrl.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:"\\wlbsctrl.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wlbsctrl.html; classtype:suspicious-command; sid:5010191; metadata: created_on 2022_11_22, old_sid 5008126; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wldp.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wldp.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wldp.html; classtype:suspicious-command; sid:5010192; metadata: created_on 2022_11_22, old_sid 5008127; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wlidprov.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wlidprov.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wlidprov.html; classtype:suspicious-command; sid:5010193; metadata: created_on 2022_11_22, old_sid 5008128; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wmiclnt.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wmiclnt.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wmiclnt.html; classtype:suspicious-command; sid:5010194; metadata: created_on 2022_11_22, old_sid 5008129; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wmidcom.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wmidcom.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wmidcom.html; classtype:suspicious-command; sid:5010195; metadata: created_on 2022_11_22, old_sid 5008130; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wmiutils.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wmiutils.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wmiutils.html; classtype:suspicious-command; sid:5010196; metadata: created_on 2022_11_22, old_sid 5008131; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wmpdui.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\wmpdui.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wmpdui.html; classtype:suspicious-command; sid:5010197; metadata: created_on 2022_11_22, old_sid 5008132; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wmsgapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wmsgapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wmsgapi.html; classtype:suspicious-command; sid:5010198; metadata: created_on 2022_11_22, old_sid 5008133; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wofutil.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wofutil.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wofutil.html; classtype:suspicious-command; sid:5010199; metadata: created_on 2022_11_22, old_sid 5008134; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wpdshext.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wpdshext.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wpdshext.html; classtype:suspicious-command; sid:5010200; metadata: created_on 2022_11_22, old_sid 5008135; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wscapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wscapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wscapi.html; classtype:suspicious-command; sid:5010201; metadata: created_on 2022_11_22, old_sid 5008136; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wshbth.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wshbth.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wshbth.html; classtype:suspicious-command; sid:5010202; metadata: created_on 2022_11_22, old_sid 5008137; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wshelper.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wshelper.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wshelper.html; classtype:suspicious-command; sid:5010203; metadata: created_on 2022_11_22, old_sid 5008138; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wsmsvc.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wsmsvc.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wsmsvc.html; classtype:suspicious-command; sid:5010204; metadata: created_on 2022_11_22, old_sid 5008139; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wtsapi32.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wtsapi32.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wtsapi32.html; classtype:suspicious-command; sid:5010205; metadata: created_on 2022_11_22, old_sid 5008140; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wwancfg.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; content:!"c:\\windows\\system32\\"; nocase; content:"\\wwancfg.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wwancfg.html; classtype:suspicious-command; sid:5010206; metadata: created_on 2022_11_22, old_sid 5008141; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of wwapi.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\wwapi.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/wwapi.html; classtype:suspicious-command; sid:5010207; metadata: created_on 2022_11_22, old_sid 5008142; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of xmllite.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\xmllite.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/xmllite.html; classtype:suspicious-command; sid:5010208; metadata: created_on 2022_11_22, old_sid 5008143; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of xolehlp.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\xolehlp.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/xolehlp.html; classtype:suspicious-command; sid:5010209; metadata: created_on 2022_11_22, old_sid 5008144; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of xpsservices.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\xpsservices.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/xpsservices.html; classtype:suspicious-command; sid:5010210; metadata: created_on 2022_11_22, old_sid 5008145; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of xwizards.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\xwizards.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/xwizards.html; classtype:suspicious-command; sid:5010211; metadata: created_on 2022_11_22, old_sid 5008146; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of xwtpw32.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\xwtpw32.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/built-in/xwtpw32.html; classtype:suspicious-command; sid:5010212; metadata: created_on 2022_11_22, old_sid 5008147; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of aclui.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\; meta_nocase; content:"\\aclui.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/external/aclui.html; classtype:suspicious-command; sid:5010213; metadata: created_on 2022_11_22, old_sid 5008148; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of hha.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\windows\\system32\\,c:\\windows\\syswow64\\,c:\\program files\\HTML Help Workshop\\,c:\\program files (x86)\\HTML Help Workshop\\; meta_nocase; content:"\\hha.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/external/hha.html; classtype:suspicious-command; sid:5010214; metadata: created_on 2022_11_22, old_sid 5008149; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of iviewers.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\program files\\Windows Kits\\10\\bin\\,c:\\program files (x86)\\Windows Kits\\10\\bin\\,c:\\program files\\Windows Kits\\10\\bin\\,c:\\program files (x86)\\Windows Kits\\10\\bin\\,c:\\program files\\Windows Kits\\10\\bin\\,c:\\program files (x86)\\Windows Kits\\10\\bin\\; meta_nocase; content:"\\iviewers.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/external/iviewers.html; classtype:suspicious-command; sid:5010215; metadata: created_on 2022_11_22, old_sid 5008150; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible DLL Hijacking of outllib.dll"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:7; content:"ImageLoaded"; meta_content:!"%sagan%",c:\\program files\\Microsoft Office\\OFFICE,c:\\program files (x86)\\Microsoft Office\\OFFICE,c:\\program files\\Microsoft Office\\Root\\OFFICE,c:\\program files (x86)\\Microsoft Office\\Root\\OFFICE; meta_nocase; content:"\\outllib.dll"; nocase; reference:url,hijacklibs.net/entries/microsoft/external/outllib.html; classtype:suspicious-command; sid:5010216; metadata: created_on 2022_11_22, old_sid 5008151; rev:1;)
#2022-10-17 Bryant Smith
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] CMD executed from spool directory"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:1; content:"CurrentDirectory: c:\\windows\\system32\\spool\\drivers\\x64\\3\"; nocase; content:"CommandLine: cmd.exe"; nocase; classtype:suspicious-command;sid:5010217; metadata: created_on 2022_11_22, old_sid 5008345; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Rundll32 network connection detected"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:3; content:"Network connection detected"; content:"rundll32.exe"; nocase; meta_content:!"DestinationIp|3a| %sagan%",10.,192.168.,255.,127.; pcre:"/DestinationIp\\: (?!172\.(?:1[6-9]|2[0-9]|3[01])\.)/"; classtype:suspicious-command; sid:5010218; metadata: created_on 2022_11_22, old_sid 5008346; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible Traversal - File created in Public directory"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:11; content:"TargetFilename: C:\\Users\\Public"; nocase; sid:5010219; metadata: created_on 2022_11_22, old_sid 5008349; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible hidden service installed"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:13; content:"EventType: SetValue"; nocase; content:"TargetObject: HKLM\\System\\CurrentControlSet\\Services\\"; nocase; content:"rundll32"; nocase; content:!"CbDefense"; content:!"CbDisk"; content:!"ctinet"; content:!"ctifile"; content:!"UsoSvc"; content:!"TrustedInstaller"; content:!"CiscoOrbital"; sid:5010220; metadata: created_on 2022_11_22, old_sid 5008350; content:!"\\BITS\\"; reference:url,www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/; classtype:suspicious-command; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Process Injection - Rundll32 remote thread into winlogon"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:8; content:"SourceImage: C:\\Windows\\SysWOW64\\rundll32.exe"; nocase; content:"TargetImage: C:\\Windows\\System32\\winlogon.exe"; nocase; classtype:suspicious-command; sid:5010221; metadata: created_on 2022_11_22, old_sid 5008353; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Blackbasta wallpaper filename detected"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:12,13,14; content:"\\Desktop\\Wallpaper"; content:"dlaksjdoiwq.jpg"; reference:url,www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence; classtype:trojan-activity; sid:5010222; metadata: created_on 2022_11_22, old_sid 5008396; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Blackbasta default icon registry entry"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:12,13,14; content:"\.basta\\DefaultIcon"; reference:url,www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence; classtype:trojan-activity; sid:5010223; metadata: created_on 2022_11_22, old_sid 5008397; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Blackbasta default icon registry entry known filename"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:12,13,14; content:"\.basta\\DefaultIcon"; content:"fkdjsadasd.ico"; reference:url,www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence; classtype:trojan-activity; sid:5010224; metadata: created_on 2022_11_22, old_sid 5008398; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Safeboot Registry Entry - Possible Blackbasta"; program:*Sysmon*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:12,13,14; content:"\\CurrentControlSet\\Control\\SafeBoot\\Network\\Fax"; nocase; reference:url,www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence; classtype:trojan-activity; sid:5010225; metadata: created_on 2022_11_22, old_sid 5008399; rev:2;)