Think you have a false positive on this rule?

Sid 1-49781

Message

FILE-OTHER Go binary dll-load exploit attempt

Summary

This event is generated when a download of kernel32.dll is detected.

Impact

Attempted User Privilege Gain

Detailed information

Go binaries from before version 1.12.2 will run any arbitrary kernel32.dll, winmm.dll, and ws2_32.dll in the same directory path, possibly leading to remote code execution.

Affected systems

Ease of attack

False positives

False negatives

Corrective action

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • www.openwall.com/lists/oss-security/2019/04/09/1