Suspicious BluetoothDiagnosticUtil DLL Creation

Rule Info

Name
Suspicious BluetoothDiagnosticUtil DLL Creation
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the creation of BluetoothDiagnosticUtil.dll outside its legitimate folder. It could be an attempt to bypass UAC via msdt.exe, abusing a DLL hijacking vulnerability in the BluetoothDiagnosticUtil.dll file.
Date
2025-03-31 00:00:00
Modified
None
Id
71c8dcc6-a60b-406c-aa1f-a12c6c24747e
Tags
attack.privilege-escalation attack.defense-evasion attack.t1548.002 attack.t1547.001
Type
Nextron Sigma feed only (private)

Rule History