Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe". Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".

Read More

Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVEs exploits that targets Common Log File.

Read More

Detects the image load of VSS DLL by uncommon executables

Read More

Detects windows utilities loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code.

Read More

Detects loading of essential DLLs used by PowerShell by non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.

Read More

Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.

Read More

Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs

Read More

Detects potential DLL sideloading of Python DLL files.

Read More

Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.

Read More

Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.

Read More

Detect DLL Load from Spooler Service backup folder

Read More

Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.

Read More

Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations

Read More

Detects Kerberos DLL being loaded by an Office Product

Read More

Detects DSParse DLL being loaded by an Office Product

Read More

Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack

Read More

Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking

Read More

Detects CLR DLL being loaded by an Office Product

Read More

Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".

Read More

Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library

Read More

Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"

Read More

Detects cmstp loading "dll" or "ocx" files from suspicious locations

Read More

Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

Read More

Detects any assembly DLL being loaded by an Office Product

Read More

Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.

Read More

The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.

Read More

Detects any GAC DLL being loaded by an Office Product

Read More

Detects SILENTTRINITY stager dll loading activity

Read More

Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location

Read More

Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location

Read More

Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process

Read More

Detects processes loading modules related to PCRE.NET package

Read More

Detects potential DLL sideloading of "7za.dll"

Read More

Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc

Read More

Detects potential DLL sideloading of "appverifUI.dll"

Read More

Detects potential DLL sideloading of "AVKkid.dll"

Read More

Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.

Read More

Detects potential DLL sideloading of "CCleanerDU.dll"

Read More

Detects potential DLL sideloading of "CCleanerReactivator.dll"

Read More

Detects potential DLL sideloading of "chrome_frame_helper.dll"

Read More

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class

Read More

Detects DLL sideloading of "dbgcore.dll"

Read More

Detects potential DLL sideloading of "dbghelp.dll"

Read More

Detects potential DLL sideloading of "DbgModel.dll"

Read More

Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location

Read More

Detects potential DLL sideloading of "MpSvc.dll".

Read More

Detects potential DLL sideloading of "mscorsvc.dll".

Read More

Detects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories). Usually this technique is used to achieve UAC bypass or privilege escalation.

Read More

Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software

Read More

Detects potential DLL sideloading using comctl32.dll to obtain system privileges

Read More

Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor

Read More

Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL

Read More

Detects potential DLL sideloading of "EACore.dll"

Read More

Detects potential DLL sideloading of "edputil.dll"

Read More

Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe

Read More

Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)

Read More

Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"

Read More

Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

Read More

Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.

Read More

Detects potential DLL sideloading of rcdll.dll

Read More

Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.

Read More

Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.

Read More

Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager

Read More

Detects potential DLL sideloading of "ShellDispatch.dll"

Read More

Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus

Read More

Detects potential DLL sideloading of "SolidPDFCreator.dll"

Read More

Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).

Read More

Detects potential DLL sideloading of "vivaldi_elf.dll"

Read More

Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.

Read More

Detects potential DLL side loading of DLLs that are part of the Wazuh security platform

Read More

Detects potential DLL sideloading of "wwlib.dll"

Read More

Detects PowerShell core DLL being loaded by an Office Product

Read More

Detects the image load of "Python Core" by a non-Python process. This might be indicative of a Python script bundled with Py2Exe.

Read More

Detects a remote DLL load event via "rundll32.exe".

Read More

Detects rundll32 loading a renamed comsvcs.dll to dump process memory

Read More

Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.

Read More

Detects loading and execution of an unsigned thor scanner binary.

Read More

Detects the image load of vss_ps.dll by uncommon executables

Read More

Detects the image load of VSS DLL by uncommon executables

Read More

Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.

Read More

Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)

Read More

Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.

Read More

Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%

Read More

Attempts to load dismcore.dll after dropping it

Read More

Loading unsigned image (DLL, EXE) into LSASS process

Read More

Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

Read More

Detects unsigned module load by ClickOnce application.

Read More

Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.

Read More

Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.

Read More

Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.

Read More

Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.

Read More

Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.

Read More

Detects WMI command line event consumers

Read More

Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the /FORMAT argument switch to download and execute an XSL file (i.e js, vbs, etc).

Read More

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

Read More