HackTool - SharpEvtMute DLL Load

    Date: 11/29/2024

    Severity: High

    Summary

    Detects the loading of EvtMuteHook.dll, a critical component of SharpEvtHook, a tool used to manipulate Windows event logs.

    Indicators of Compromise (IOC) List

    Hashes:

    'IMPHASH=330768A4F172E10ACB6287B87289D83B'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1: 

    (resourcename = "Sysmon"  AND eventtype = "7") AND hash like "330768A4F172E10ACB6287B87289D83B" 

    Detection Query 2:

    (technologygroup = "EDR" ) AND hash like "330768A4F172E10ACB6287B87289D83B" 
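    The same detection logic as the two queries above, run in Python over a few constructed Sysmon Event ID 7 (Image Loaded) records. This is an added example, not Gurucul's or the Sigma rule's own code; the field names follow Sysmon's Image Loaded event, and the MD5 values and file paths are made up. It also checks the DLL name from the summary, so a renamed copy is still caught by its import hash while a copy under the original name is caught even if rebuilt.

```python
from typing import Dict, Iterable, List, Tuple

# IOC values taken from the page above.
SHARPEVTMUTE_IMPHASH = "330768A4F172E10ACB6287B87289D83B"
SHARPEVTMUTE_DLL = "EvtMuteHook.dll"

# Constructed sample Sysmon Event ID 7 records; MD5 values and paths are
# placeholders, not real indicators.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "7", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Users\Public\EvtMuteHook.dll",
     "Hashes": "MD5=00000000000000000000000000000001,IMPHASH=330768a4f172e10acb6287b87289d83b"},
    {"EventID": "7", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\ProgramData\update.dll",  # renamed copy, same import table
     "Hashes": "MD5=00000000000000000000000000000002,IMPHASH=330768A4F172E10ACB6287B87289D83B"},
    {"EventID": "7", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\wevtsvc.dll",  # benign load
     "Hashes": "MD5=00000000000000000000000000000003,IMPHASH=0000000000000000000000000000AAAA"},
    {"EventID": "1", "Image": r"C:\Tools\EvtMuteHook.dll",  # not an image-load event
     "Hashes": "IMPHASH=330768A4F172E10ACB6287B87289D83B"},
]


def parse_hashes(field: str) -> Dict[str, str]:
    """Split Sysmon's 'ALG=value,ALG=value' Hashes field into an upper-cased dict."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            alg, val = part.split("=", 1)
            out[alg.strip().upper()] = val.strip().upper()
    return out


def match_reason(event: Dict[str, str]) -> str:
    """Return why an Event ID 7 record matches ('dll-name' or 'imphash'), or '' if it does not."""
    if event.get("EventID") != "7":
        return ""
    loaded = event.get("ImageLoaded", "")
    if loaded.lower().endswith("\\" + SHARPEVTMUTE_DLL.lower()):
        return "dll-name"
    # Case-insensitive compare, as the query's "hash like" intends.
    if parse_hashes(event.get("Hashes", "")).get("IMPHASH") == SHARPEVTMUTE_IMPHASH:
        return "imphash"
    return ""


def detect(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (loaded image, reason) for every record that matches the rule."""
    return [(e["ImageLoaded"], r) for e in events if (r := match_reason(e))]
```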

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_hktl_sharpevtmute.yml


    Tags

    Malware, Sigma, SharpEvtMute, SharpEvtHook, HackTool
