
/usr/share/artifacts/windows_dll_hijacking.yaml is in forensic-artifacts 20170808-1.

This file is owned by root:root, with mode 0o644.


# Forensic artifact definition: file paths that, when present, may indicate
# DLL search-order hijacking. The reference for the technique is the FireEye
# post listed under `urls`; the list itself was gathered from a base Windows 7
# install (see `doc`).
name: DLLHijackLocations
doc: DLL search order hijacking locations collected from base Windows 7.
urls: ['https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html']
sources:
# One FILE source. %%environ_windir%% is presumably expanded by the collector
# to the Windows directory before each path is looked up — verify against the
# collector's variable-expansion rules.
- type: FILE
  attributes:
    paths:
      # NOTE(review): every entry is rooted at the %windir% directory itself,
      # not at System32. Many of these modules normally resolve from System32,
      # so a copy sitting at the %windir% root is the hijack indicator this
      # artifact is meant to surface — confirm against the referenced post.
      # Hijack placements next to a victim executable elsewhere on disk are
      # not covered by this definition.
      - '%%environ_windir%%\EXPLORERFRAME.dll'
      - '%%environ_windir%%\DUser.dll'
      - '%%environ_windir%%\DUI70.dll'
      - '%%environ_windir%%\UxTheme.dll'
      - '%%environ_windir%%\POWRPROF.dll'
      - '%%environ_windir%%\dwmapi.dll'
      - '%%environ_windir%%\slc.dll'
      - '%%environ_windir%%\gdiplus.dll'
      - '%%environ_windir%%\Secur32.dll'
      - '%%environ_windir%%\SSPICLI.dll'
      - '%%environ_windir%%\PROPSYS.dll'
      - '%%environ_windir%%\WINSTA.dll'
      - '%%environ_windir%%\CRYPTBASE.dll'
      - '%%environ_windir%%\WindowsCodecs.dll'
      - '%%environ_windir%%\profapi.dll'
      - '%%environ_windir%%\apphelp.dll'
      - '%%environ_windir%%\EhStorShell.dll'
      - '%%environ_windir%%\cscui.dll'
      - '%%environ_windir%%\CSCDLL.dll'
      - '%%environ_windir%%\CSCAPI.dll'
      - '%%environ_windir%%\ntshrui.dll'
      - '%%environ_windir%%\srvcli.dll'
      - '%%environ_windir%%\IconCodecService.dll'
      - '%%environ_windir%%\CRYPTSP.dll'
      - '%%environ_windir%%\rsaenh.dll'
      - '%%environ_windir%%\RpcRtRemote.dll'
      - '%%environ_windir%%\SndVolSSO.dll'
      - '%%environ_windir%%\HID.dll'
      - '%%environ_windir%%\MMDevApi.dll'
      # Not only .dll files are listed: .cpl and .drv modules are loaded the
      # same way and are therefore equally subject to search-order hijacking.
      - '%%environ_windir%%\timedate.cpl'
      - '%%environ_windir%%\ATL.dll'
      - '%%environ_windir%%\actxprxy.dll'
      - '%%environ_windir%%\ntmarta.dll'
      - '%%environ_windir%%\shdocvw.dll'
      - '%%environ_windir%%\LINKINFO.dll'
      - '%%environ_windir%%\USERENV.dll'
      - '%%environ_windir%%\shacct.dll'
      - '%%environ_windir%%\gameux.dll'
      - '%%environ_windir%%\XmlLite.dll'
      - '%%environ_windir%%\wer.dll'
      - '%%environ_windir%%\SAMLIB.dll'
      - '%%environ_windir%%\msls31.dll'
      - '%%environ_windir%%\tiptsf.dll'
      - '%%environ_windir%%\authui.dll'
      - '%%environ_windir%%\CRYPTUI.dll'
      - '%%environ_windir%%\msiltcfg.dll'
      - '%%environ_windir%%\VERSION.dll'
      - '%%environ_windir%%\msi.dll'
      - '%%environ_windir%%\NetworkExplorer.dll'
      - '%%environ_windir%%\WINMM.dll'
      - '%%environ_windir%%\wdmaud.drv'
      - '%%environ_windir%%\ksuser.dll'
      - '%%environ_windir%%\AVRT.dll'
      - '%%environ_windir%%\AUDIOSES.dll'
      - '%%environ_windir%%\msacm32.drv'
      - '%%environ_windir%%\MSACM32.dll'
      - '%%environ_windir%%\midimap.dll'
      - '%%environ_windir%%\netutils.dll'
      - '%%environ_windir%%\stobject.dll'
      - '%%environ_windir%%\BatMeter.dll'
      - '%%environ_windir%%\WTSAPI32.dll'
      - '%%environ_windir%%\es.dll'
      - '%%environ_windir%%\prnfldr.dll'
      - '%%environ_windir%%\WINSPOOL.DRV'
      - '%%environ_windir%%\dxp.dll'
      - '%%environ_windir%%\Syncreg.dll'
      - '%%environ_windir%%\netshell.dll'
      - '%%environ_windir%%\IPHLPAPI.dll'
      - '%%environ_windir%%\WINNSI.dll'
      - '%%environ_windir%%\nlaapi.dll'
      - '%%environ_windir%%\AltTab.dll'
      - '%%environ_windir%%\pnidui.dll'
      - '%%environ_windir%%\QUtil.dll'
      - '%%environ_windir%%\wevtapi.dll'
      - '%%environ_windir%%\dhcpcsvc6.dll'
      - '%%environ_windir%%\dhcpcsvc.dll'
      - '%%environ_windir%%\credssp.dll'
      - '%%environ_windir%%\npmproxy.dll'
      - '%%environ_windir%%\cscobj.dll'
      - '%%environ_windir%%\Wlanapi.dll'
      - '%%environ_windir%%\wlanutil.dll'
      - '%%environ_windir%%\wwanapi.dll'
      - '%%environ_windir%%\wwapi.dll'
      - '%%environ_windir%%\QAgent.dll'
      - '%%environ_windir%%\srchadmin.dll'
      - '%%environ_windir%%\mssprxy.dll'
      - '%%environ_windir%%\bthprops.cpl'
      - '%%environ_windir%%\ieframe.dll'
      - '%%environ_windir%%\OLEACC.dll'
      - '%%environ_windir%%\SyncCenter.dll'
      - '%%environ_windir%%\Actioncenter.dll'
      - '%%environ_windir%%\imapi2.dll'
      - '%%environ_windir%%\SXS.dll'
      - '%%environ_windir%%\hgcpl.dll'
      - '%%environ_windir%%\provsvc.dll'
      - '%%environ_windir%%\wkscli.dll'
      - '%%environ_windir%%\fxsst.dll'
      - '%%environ_windir%%\FXSAPI.dll'
      - '%%environ_windir%%\FXSRESM.dll'
      - '%%environ_windir%%\ieproxy.dll'
      - '%%environ_windir%%\thumbcache.dll'
      - '%%environ_windir%%\rasadhlp.dll'
      - '%%environ_windir%%\MPR.dll'
      # NOTE(review): vmhgfs.dll looks like a VMware Tools module rather than a
      # base Windows 7 file; verify whether it belongs in this list.
      - '%%environ_windir%%\vmhgfs.dll'
      - '%%environ_windir%%\drprov.dll'
      - '%%environ_windir%%\ntlanman.dll'
      - '%%environ_windir%%\davclnt.dll'
      - '%%environ_windir%%\DAVHLPR.dll'
      - '%%environ_windir%%\StructuredQuery.dll'
      - '%%environ_windir%%\UIAnimation.dll'
      - '%%environ_windir%%\DEVRTL.dll'
      - '%%environ_windir%%\MLANG.dll'
      - '%%environ_windir%%\wscinterop.dll'
      - '%%environ_windir%%\WSCAPI.dll'
      - '%%environ_windir%%\wscui.cpl'
      - '%%environ_windir%%\werconcpl.dll'
      - '%%environ_windir%%\framedynos.dll'
      - '%%environ_windir%%\wercplsupport.dll'
      - '%%environ_windir%%\msxml6.dll'
      - '%%environ_windir%%\hcproviders.dll'
      - '%%environ_windir%%\zipfldr.dll'
      # NOTE(review): rarext.dll, 7-zip.dll and WinCDEmuContextMenu.dll appear
      # to be third-party shell extensions (WinRAR, 7-Zip, WinCDEmu) installed
      # on the reference machine, not base Windows 7 files; confirm they are
      # intended here, since their absence on a clean host is expected.
      - '%%environ_windir%%\rarext.dll'
      - '%%environ_windir%%\7-zip.dll'
      - '%%environ_windir%%\twext.dll'
      - '%%environ_windir%%\WinCDEmuContextMenu.dll'
      - '%%environ_windir%%\syncui.dll'
      - '%%environ_windir%%\SYNCENG.dll'
      - '%%environ_windir%%\shlext010.dll'
      - '%%environ_windir%%\ATL90.dll'
      - '%%environ_windir%%\acppage.dll'
      - '%%environ_windir%%\sfc.dll'
      - '%%environ_windir%%\sfc_os.dll'
      - '%%environ_windir%%\dsrole.dll'
      - '%%environ_windir%%\ACLUI.dll'
      - '%%environ_windir%%\NTDSAPI.dll'
      - '%%environ_windir%%\PhotoBase.dll'
      - '%%environ_windir%%\sbdrop.dll'
      - '%%environ_windir%%\tquery.dll'
      - '%%environ_windir%%\EhStorAPI.dll'
      - '%%environ_windir%%\SearchFolder.dll'
      - '%%environ_windir%%\NaturalLanguage6.dll'
      - '%%environ_windir%%\NLSData0009.dll'
      - '%%environ_windir%%\NLSLexicons0009.dll'
      - '%%environ_windir%%\MsftEdit.dll'
      - '%%environ_windir%%\dnsapi.dll'
      - '%%environ_windir%%\RASAPI32.dll'
      - '%%environ_windir%%\rasman.dll'
      - '%%environ_windir%%\rtutils.dll'
      - '%%environ_windir%%\sensapi.dll'
    # Path separator for the entries above; single-quoted so YAML keeps the
    # backslash literal instead of treating it as an escape.
    separator: '\'
# Platform filter: this artifact is only meaningful on Windows hosts.
supported_os: [Windows]