Endpoint Protection


Detect and Block Process that loads two particular DLLs

  • 1.  Detect and Block Process that loads two particular DLLs

    Posted Aug 14, 2018 04:55 PM

    I want to create an Application and Device Control policy to detect Mimikatz in memory, as our red teamers keep bypassing SEP AV, SONAR and signatures.

    Reference for Mimikatz: https://securityriskadvisors.com/blog/detecting-in-memory-mimikatz/

    Example scenario: Mimikatz is spawned in the context of rundll32.exe, and then always loads two specific DLLs (vaultcli.dll and wlanapi.dll). Is there a way to set up ADC to log and block a process if the process image loads both (vaultcli.dll and wlanapi.dll)?


    I have already tested: monitor all processes, then if a process loads either condition (vaultcli.dll and wlanapi.dll), log the event. In reality what is being logged is "process X loads vaultcli.dll OR process X loads wlanapi.dll". This is not very helpful, since I have thousands of events generated.


    Has anyone done this in SEP 14.x? I have read numerous documents and found no clear answer on whether this is possible. I need help.
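The problem described above is that a per-load rule fires on either DLL, so the AND condition has to be reconstructed by correlating events per process. The following added example (not from the post, not a SEP feature) shows that correlation over a small set of constructed DLL-load events; the CSV layout `timestamp,host,pid,process_image,loaded_module` is an assumed simplified export format, not SEP's real log schema. It keys on (host, pid), matches DLL names case-insensitively, resets the state if a PID is reused by a different image, and reports the time at which the second DLL completed the match.

```python
"""Correlate per-process DLL-load events so a process is reported only when it
has loaded BOTH required DLLs, not just either one (added example, not SEP code)."""
import ntpath
from dataclasses import dataclass, field

# The DLL pair from the post. Names are compared case-insensitively, as Windows does.
REQUIRED_DLLS = frozenset({"vaultcli.dll", "wlanapi.dll"})

# Constructed sample events in an ASSUMED simplified CSV layout:
#   timestamp,host,pid,process_image,loaded_module
# This is not SEP's export format. Note PID 4120 appears on two different hosts.
SAMPLE_LOG = """\
2018-08-14T16:01:02,WS01,4120,C:\\Windows\\System32\\rundll32.exe,C:\\Windows\\System32\\vaultcli.dll
2018-08-14T16:01:03,WS01,4120,C:\\Windows\\System32\\rundll32.exe,C:\\Windows\\System32\\WLANAPI.DLL
2018-08-14T16:02:10,WS01,5530,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\wlanapi.dll
2018-08-14T16:03:44,WS02,4120,C:\\Windows\\System32\\svchost.exe,C:\\Windows\\System32\\vaultcli.dll
2018-08-14T16:05:00,WS02,7001,C:\\Windows\\System32\\rundll32.exe,C:\\Windows\\System32\\vaultcli.dll
"""


@dataclass
class ProcessState:
    """What we have seen so far for one (host, pid)."""
    image: str
    loaded: set = field(default_factory=set)


def parse_event(line):
    """Split one CSV event into (timestamp, host, pid, image, module_basename)."""
    ts, host, pid, image, module = line.strip().split(",", 4)
    # ntpath handles backslash paths even when this script runs on Linux.
    return ts, host, int(pid), image, ntpath.basename(module).lower()


def events(log_text):
    """Yield parsed events, skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            yield parse_event(line)


def noisy_or_count(log_text, required=REQUIRED_DLLS):
    """How many events an 'either DLL' rule fires on: one per load, any process."""
    return sum(1 for *_, module in events(log_text) if module in required)


def find_matches(log_text, required=REQUIRED_DLLS):
    """Return (host, pid, image, matched_at) for each process that loaded every
    required DLL. State is keyed by (host, pid) because PIDs repeat across hosts
    and are reused over time; a different image under the same PID resets it."""
    state = {}
    matches = []
    for ts, host, pid, image, module in events(log_text):
        if module not in required:
            continue  # unrelated load, nothing to track
        key = (host, pid)
        proc = state.get(key)
        if proc is None or proc.image != image:
            proc = state[key] = ProcessState(image)
        already_matched = required <= proc.loaded
        proc.loaded.add(module)
        # Report once, on the load that completes the set.
        if not already_matched and required <= proc.loaded:
            matches.append((host, pid, image, ts))
    return matches


if __name__ == "__main__":
    print("events an OR rule would log:", noisy_or_count(SAMPLE_LOG))
    for host, pid, image, when in find_matches(SAMPLE_LOG):
        print(f"{host} pid={pid} {image} loaded both DLLs at {when}")
```

On the constructed sample the OR rule logs five events while the correlated rule reports a single process (rundll32.exe, PID 4120 on WS01). The same loop works unchanged on a real export once `parse_event` is adapted to its column layout.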



  • 2.  RE: Detect and Block Process that loads two particular DLLs

    Posted Aug 14, 2018 09:12 PM

    The closest I see is this:

    https://www.symantec.com/docs/HOWTO100334