Rule Info
Name
Registry Modification for OCI DLL Redirection
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings.
Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
Date
2026-01-24 00:00:00
Modified
None
Id
c0e0bdec-3e3d-47aa-9974-05539c999c89
Tags
attack.persistence attack.privilege-escalation attack.defense-evasion attack.t1112 attack.t1574.001
Type
Community Rule
Rule History
Author
Swachchhanda Shrawan Poudel
Title
Merge PR #5749 from @swachchhanda000 - Update Phantom DLL hijacking Rules
Date
2026-01-24
Commit
