title: Execution DLL of Choice Using WAB.EXE
author: oscd.community, Natalia Shornikova
date: 2020/10/13
description: This rule detects that the path to the DLL written in the registry is
    different from the default one. Launched WAB.exe tries to load the DLL from Registry.
detection:
    SELECTION_1:
        EventID: 12
    SELECTION_2:
        EventID: 13
    SELECTION_3:
        EventID: 14
    SELECTION_4:
        TargetObject: '*\Software\Microsoft\WAB\DLLPath'
    SELECTION_5:
        Details: '%CommonProgramFiles%\System\wab32.dll'
    condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and  not
        (SELECTION_5))
falsepositives:
- Unknown
id: fc014922-5def-4da9-a0fc-28c973f41bfb
level: high
logsource:
    category: registry_event
    product: windows
modified: 2021/05/21
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Wab.yml
- https://twitter.com/Hexacorn/status/991447379864932352
- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
yml_filename: sysmon_wab_dllpath_reg_change.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event