/usr/share/artifacts/windows_dll_hijacking.yaml is in forensic-artifacts 20161022-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
# Forensic artifact definition (artifacts-repository format): a FILE source
# listing libraries that a stock Windows 7 install loads from the Windows
# directory. Collecting these files lets an examiner compare them against
# known-good copies/signatures, since a DLL planted at or ahead of these
# locations in the loader's search order is a classic persistence technique
# (see the referenced FireEye write-up).
name: DLLHijackLocations
doc: DLL search order hijacking locations collected from base Windows 7.
urls: ['https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html']
sources:
- type: FILE
  attributes:
    # '%%environ_windir%%' is an artifact path variable that the collecting
    # agent expands to the Windows directory (typically C:\Windows) — confirm
    # against the collector's variable table. Single quotes keep the
    # backslashes literal. Note the list also contains .cpl/.drv entries and
    # third-party shell extensions (7-zip, rarext, vmhgfs, WinCDEmu) that were
    # present on the reference machine; their absence on other hosts is
    # expected, presumably, and is not itself an indicator.
    paths:
    - '%%environ_windir%%\EXPLORERFRAME.dll'
    - '%%environ_windir%%\DUser.dll'
    - '%%environ_windir%%\DUI70.dll'
    - '%%environ_windir%%\UxTheme.dll'
    - '%%environ_windir%%\POWRPROF.dll'
    - '%%environ_windir%%\dwmapi.dll'
    - '%%environ_windir%%\slc.dll'
    - '%%environ_windir%%\gdiplus.dll'
    - '%%environ_windir%%\Secur32.dll'
    - '%%environ_windir%%\SSPICLI.dll'
    - '%%environ_windir%%\PROPSYS.dll'
    - '%%environ_windir%%\WINSTA.dll'
    - '%%environ_windir%%\CRYPTBASE.dll'
    - '%%environ_windir%%\WindowsCodecs.dll'
    - '%%environ_windir%%\profapi.dll'
    - '%%environ_windir%%\apphelp.dll'
    - '%%environ_windir%%\EhStorShell.dll'
    - '%%environ_windir%%\cscui.dll'
    - '%%environ_windir%%\CSCDLL.dll'
    - '%%environ_windir%%\CSCAPI.dll'
    - '%%environ_windir%%\ntshrui.dll'
    - '%%environ_windir%%\srvcli.dll'
    - '%%environ_windir%%\IconCodecService.dll'
    - '%%environ_windir%%\CRYPTSP.dll'
    - '%%environ_windir%%\rsaenh.dll'
    - '%%environ_windir%%\RpcRtRemote.dll'
    - '%%environ_windir%%\SndVolSSO.dll'
    - '%%environ_windir%%\HID.dll'
    - '%%environ_windir%%\MMDevApi.dll'
    - '%%environ_windir%%\timedate.cpl'
    - '%%environ_windir%%\ATL.dll'
    - '%%environ_windir%%\actxprxy.dll'
    - '%%environ_windir%%\ntmarta.dll'
    - '%%environ_windir%%\shdocvw.dll'
    - '%%environ_windir%%\LINKINFO.dll'
    - '%%environ_windir%%\USERENV.dll'
    - '%%environ_windir%%\shacct.dll'
    - '%%environ_windir%%\gameux.dll'
    - '%%environ_windir%%\XmlLite.dll'
    - '%%environ_windir%%\wer.dll'
    - '%%environ_windir%%\SAMLIB.dll'
    - '%%environ_windir%%\msls31.dll'
    - '%%environ_windir%%\tiptsf.dll'
    - '%%environ_windir%%\authui.dll'
    - '%%environ_windir%%\CRYPTUI.dll'
    - '%%environ_windir%%\msiltcfg.dll'
    - '%%environ_windir%%\VERSION.dll'
    - '%%environ_windir%%\msi.dll'
    - '%%environ_windir%%\NetworkExplorer.dll'
    - '%%environ_windir%%\WINMM.dll'
    - '%%environ_windir%%\wdmaud.drv'
    - '%%environ_windir%%\ksuser.dll'
    - '%%environ_windir%%\AVRT.dll'
    - '%%environ_windir%%\AUDIOSES.dll'
    - '%%environ_windir%%\msacm32.drv'
    - '%%environ_windir%%\MSACM32.dll'
    - '%%environ_windir%%\midimap.dll'
    - '%%environ_windir%%\netutils.dll'
    - '%%environ_windir%%\stobject.dll'
    - '%%environ_windir%%\BatMeter.dll'
    - '%%environ_windir%%\WTSAPI32.dll'
    - '%%environ_windir%%\es.dll'
    - '%%environ_windir%%\prnfldr.dll'
    - '%%environ_windir%%\WINSPOOL.DRV'
    - '%%environ_windir%%\dxp.dll'
    - '%%environ_windir%%\Syncreg.dll'
    - '%%environ_windir%%\netshell.dll'
    - '%%environ_windir%%\IPHLPAPI.dll'
    - '%%environ_windir%%\WINNSI.dll'
    - '%%environ_windir%%\nlaapi.dll'
    - '%%environ_windir%%\AltTab.dll'
    - '%%environ_windir%%\pnidui.dll'
    - '%%environ_windir%%\QUtil.dll'
    - '%%environ_windir%%\wevtapi.dll'
    - '%%environ_windir%%\dhcpcsvc6.dll'
    - '%%environ_windir%%\dhcpcsvc.dll'
    - '%%environ_windir%%\credssp.dll'
    - '%%environ_windir%%\npmproxy.dll'
    - '%%environ_windir%%\cscobj.dll'
    - '%%environ_windir%%\Wlanapi.dll'
    - '%%environ_windir%%\wlanutil.dll'
    - '%%environ_windir%%\wwanapi.dll'
    - '%%environ_windir%%\wwapi.dll'
    - '%%environ_windir%%\QAgent.dll'
    - '%%environ_windir%%\srchadmin.dll'
    - '%%environ_windir%%\mssprxy.dll'
    - '%%environ_windir%%\bthprops.cpl'
    - '%%environ_windir%%\ieframe.dll'
    - '%%environ_windir%%\OLEACC.dll'
    - '%%environ_windir%%\SyncCenter.dll'
    - '%%environ_windir%%\Actioncenter.dll'
    - '%%environ_windir%%\imapi2.dll'
    - '%%environ_windir%%\SXS.dll'
    - '%%environ_windir%%\hgcpl.dll'
    - '%%environ_windir%%\provsvc.dll'
    - '%%environ_windir%%\wkscli.dll'
    - '%%environ_windir%%\fxsst.dll'
    - '%%environ_windir%%\FXSAPI.dll'
    - '%%environ_windir%%\FXSRESM.dll'
    - '%%environ_windir%%\ieproxy.dll'
    - '%%environ_windir%%\thumbcache.dll'
    - '%%environ_windir%%\rasadhlp.dll'
    - '%%environ_windir%%\MPR.dll'
    - '%%environ_windir%%\vmhgfs.dll'
    - '%%environ_windir%%\drprov.dll'
    - '%%environ_windir%%\ntlanman.dll'
    - '%%environ_windir%%\davclnt.dll'
    - '%%environ_windir%%\DAVHLPR.dll'
    - '%%environ_windir%%\StructuredQuery.dll'
    - '%%environ_windir%%\UIAnimation.dll'
    - '%%environ_windir%%\DEVRTL.dll'
    - '%%environ_windir%%\MLANG.dll'
    - '%%environ_windir%%\wscinterop.dll'
    - '%%environ_windir%%\WSCAPI.dll'
    - '%%environ_windir%%\wscui.cpl'
    - '%%environ_windir%%\werconcpl.dll'
    - '%%environ_windir%%\framedynos.dll'
    - '%%environ_windir%%\wercplsupport.dll'
    - '%%environ_windir%%\msxml6.dll'
    - '%%environ_windir%%\hcproviders.dll'
    - '%%environ_windir%%\zipfldr.dll'
    - '%%environ_windir%%\rarext.dll'
    - '%%environ_windir%%\7-zip.dll'
    - '%%environ_windir%%\twext.dll'
    - '%%environ_windir%%\WinCDEmuContextMenu.dll'
    - '%%environ_windir%%\syncui.dll'
    - '%%environ_windir%%\SYNCENG.dll'
    - '%%environ_windir%%\shlext010.dll'
    - '%%environ_windir%%\ATL90.dll'
    - '%%environ_windir%%\acppage.dll'
    - '%%environ_windir%%\sfc.dll'
    - '%%environ_windir%%\sfc_os.dll'
    - '%%environ_windir%%\dsrole.dll'
    - '%%environ_windir%%\ACLUI.dll'
    - '%%environ_windir%%\NTDSAPI.dll'
    - '%%environ_windir%%\PhotoBase.dll'
    - '%%environ_windir%%\sbdrop.dll'
    - '%%environ_windir%%\tquery.dll'
    - '%%environ_windir%%\EhStorAPI.dll'
    - '%%environ_windir%%\SearchFolder.dll'
    - '%%environ_windir%%\NaturalLanguage6.dll'
    - '%%environ_windir%%\NLSData0009.dll'
    - '%%environ_windir%%\NLSLexicons0009.dll'
    - '%%environ_windir%%\MsftEdit.dll'
    - '%%environ_windir%%\dnsapi.dll'
    - '%%environ_windir%%\RASAPI32.dll'
    - '%%environ_windir%%\rasman.dll'
    - '%%environ_windir%%\rtutils.dll'
    - '%%environ_windir%%\sensapi.dll'
    # Path separator used when the collector splits/joins the entries above;
    # single-quoted so the backslash is taken literally rather than as an escape.
    separator: '\'
# Platform filter evaluated by the collector; the flow-style list is the
# convention used throughout this artifact collection.
supported_os: [Windows]