The PotaoDll rule detects potential adversary behavior involving the execution of a suspicious DLL file, which may be used for code injection or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that could evade traditional detection methods.
YARA Rule
```yara
rule PotaoDll
{
    strings:
        $mz = { 4d 5a }
        $dllstr1 = "?AVCncBuffer@@"
        $dllstr2 = "?AVCncRequest@@"
        $dllstr3 = "Petrozavodskaya, 11, 9"
        $dllstr4 = "_Scan@0"
        $dllstr5 = "\x00/sync/document/"
        $dllstr6 = "\\temp.temp"
        $dllname1 = "node69MainModule.dll"
        $dllname2 = "node69-main.dll"
        $dllname3 = "node69MainModuleD.dll"
        $dllname4 = "task-diskscanner.dll"
        $dllname5 = "\x00Screen.dll"
        $dllname6 = "Poker2.dll"
        $dllname7 = "PasswordStealer.dll"
        $dllname8 = "KeyLog2Runner.dll"
        $dllname9 = "GetAllSystemInfo.dll"
        $dllname10 = "FilePathStealer.dll"
    condition:
        ($mz at 0) and (any of ($dllstr*) and any of ($dllname*))
}
```
This YARA rule can be deployed in the following contexts:
This rule contains 17 string patterns in its detection logic.
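As an added illustration that is not part of the original rule page, the following pure-Python emulation of the condition above lets the `$mz at 0` and `any of (...)` semantics be checked offline without yara-python; the byte buffers it scans are constructed for the example, not real Potao samples.

```python
# Added example: pure-Python emulation of the PotaoDll condition (no yara-python
# needed). The byte buffers below are constructed, not real Potao samples.

# String sets copied from the rule; YARA text escapes (\x00, \\) are decoded to
# the raw bytes YARA actually searches for.
DLLSTR = [b"?AVCncBuffer@@", b"?AVCncRequest@@", b"Petrozavodskaya, 11, 9",
          b"_Scan@0", b"\x00/sync/document/", b"\\temp.temp"]
DLLNAME = [b"node69MainModule.dll", b"node69-main.dll", b"node69MainModuleD.dll",
           b"task-diskscanner.dll", b"\x00Screen.dll", b"Poker2.dll",
           b"PasswordStealer.dll", b"KeyLog2Runner.dll", b"GetAllSystemInfo.dll",
           b"FilePathStealer.dll"]

def string_count() -> int:
    """Number of string patterns in the rule: $mz plus both string sets."""
    return 1 + len(DLLSTR) + len(DLLNAME)

def potao_dll_match(data: bytes) -> dict:
    """Evaluate the rule condition over a byte buffer.

    Returns the verdict plus the per-clause hits, so an analyst can see
    which clause failed when a suspicious file does not fire."""
    mz_at_0 = data.startswith(b"MZ")               # `$mz at 0`: offset 0 only
    str_hits = [s for s in DLLSTR if s in data]    # `any of ($dllstr*)`
    name_hits = [s for s in DLLNAME if s in data]  # `any of ($dllname*)`
    return {"match": mz_at_0 and bool(str_hits) and bool(name_hits),
            "mz_at_0": mz_at_0, "dllstr": str_hits, "dllname": name_hits}

# Constructed buffers that exercise each clause of the condition.
SAMPLES = {
    # MZ at offset 0, one RTTI name, one NUL-prefixed DLL name: fires.
    "both_families": b"MZ" + b"\x90" * 62 + b"?AVCncRequest@@\x00"
                     + b"\x00Screen.dll\x00",
    # Same strings inside a ZIP ("PK") container: `$mz at 0` fails.
    "not_a_pe": b"PK\x03\x04" + b"?AVCncRequest@@\x00" + b"\x00Screen.dll\x00",
    # Valid PE start but only the $dllname family present: no match.
    "names_only": b"MZ" + b"\x00" * 30 + b"PasswordStealer.dll\x00",
    # "MyScreen.dll" lacks the leading NUL that $dllname5 requires: no match.
    "no_leading_nul": b"MZ" + b"\x00" * 30 + b"?AVCncBuffer@@\x00"
                      + b"MyScreen.dll\x00",
}

def scan_samples() -> dict:
    """Map each constructed sample to the rule's verdict."""
    return {name: potao_dll_match(buf)["match"] for name, buf in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:15s} -> {'MATCH' if verdict else 'no match'}")
```

Only the first buffer fires; the others show why a file with Potao strings but no MZ at offset 0, or strings from only one family, stays silent under this rule.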
**Scenario: Legitimate PowerShell Script Execution**
Description: A system administrator runs a PowerShell script that dynamically loads a DLL using Add-Type or LoadLibrary, which may match the YARA rule due to string similarity.
Filter/Exclusion: Check for ProcessName containing powershell.exe and CommandLine containing -Command or -File with known administrative scripts.
**Scenario: Scheduled Job Loading a Custom DLL**
Description: A scheduled task is configured to load a custom DLL for application compatibility or extension purposes, which may trigger the rule due to shared string patterns.
Filter/Exclusion: Filter by ProcessName matching schtasks.exe or Task Scheduler and check for ImageLoaded paths in known internal directories (e.g., C:\Windows\System32\ or C:\Program Files\).
**Scenario: Microsoft Office Macro Execution**
Description: A user runs a macro in Microsoft Word or Excel that dynamically loads a DLL via COM interop, which may match the YARA rule due to similar string patterns.
Filter/Exclusion: Check for ProcessName containing WINWORD.EXE or EXCEL.EXE and verify that the DLL is loaded from a trusted Microsoft directory (e.g., C:\Program Files\Microsoft Office\).
**Scenario: Windows Update or Patching Tool**
Description: A legitimate patching tool or Windows Update process may load a DLL that matches the YARA rule due to shared string or structural similarities.
Filter/Exclusion: Filter by ProcessName containing wuauclt.exe or svchost.exe and check for ImageLoaded paths in known Windows Update directories (e.g., C:\Windows\SoftwareDistribution\).
**Scenario: Third-Party Application with