title: Fax Service DLL Search Order Hijack
author: NVISO
date: 2020/05/04
description: The Fax service attempts to load ualapi.dll, which is non-existent. An
  attacker can then (side)load their own malicious DLL using this service.
detection:
  SELECTION_1:
    EventID: 7
  SELECTION_2:
    Image:
    - '*fxssvc.exe'
  SELECTION_3:
    ImageLoaded:
    - '*ualapi.dll'
  SELECTION_4:
    ImageLoaded:
    - C:\Windows\WinSxS\\*
  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
falsepositives:
- Unlikely
id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
level: high
logsource:
  category: image_load
  product: windows
modified: 2020/08/23
references:
- https://windows-internals.com/faxing-your-way-to-system/
status: experimental
tags:
- attack.persistence
- attack.defense_evasion
- attack.t1073
- attack.t1038
- attack.t1574.001
- attack.t1574.002
ruletype: SIGMA