Abusable DLL Potential Sideloading From Suspicious Location

Detects potential DLL sideloading: the loading of a small set of DLLs that are known to be abused by sideloading campaigns (coreclr.dll, facesdk.dll, HPCustPartUI.dll, libcef.dll, ZIPDLL.dll) from suspicious, user-writable locations such as C:\Perflogs, C:\Users\Public, C:\Windows\Temp or a user profile's Favorites, Contacts or Pictures folder.

Sigma rule

```yaml
title: Abusable DLL Potential Sideloading From Suspicious Location
id: 799a5f48-0ac1-4e0f-9152-71d137d48c2a
status: test
description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
references:
    - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-07-11
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: image_load
    product: windows
detection:
    selection_dll:
        ImageLoaded|endswith:
            # Note: Add more generic DLLs that cannot be pin-pointed to a single application
            - '\coreclr.dll'
            - '\facesdk.dll'
            - '\HPCustPartUI.dll'
            - '\libcef.dll'
            - '\ZIPDLL.dll'
    selection_folders_1:
        ImageLoaded|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\Temporary Internet'
            - '\Windows\Temp\'
    selection_folders_2:
        - ImageLoaded|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - ImageLoaded|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - ImageLoaded|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - ImageLoaded|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: selection_dll and 1 of selection_folders_*
falsepositives:
    - Unknown
level: high
```
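To make the selection and condition semantics concrete, the following is an added example written for this page (it is not SigmaHQ code or any Sigma backend's implementation). It re-implements the rule's matching logic in plain Python and runs it over constructed Sysmon Event ID 7 (image load) records; the field names follow the Sysmon image_load event, the events themselves are made up, and the `EventID == 7` check stands in for the `logsource` mapping a real pipeline would apply.

```python
# Added example (not SigmaHQ code): re-implements the rule's matching logic and
# evaluates it over constructed Sysmon Event ID 7 records.

ABUSABLE_DLLS = [  # selection_dll: ImageLoaded|endswith
    "\\coreclr.dll",
    "\\facesdk.dll",
    "\\HPCustPartUI.dll",
    "\\libcef.dll",
    "\\ZIPDLL.dll",
]

SUSPICIOUS_FOLDERS = [  # selection_folders_1: ImageLoaded|contains
    ":\\Perflogs\\",
    ":\\Users\\Public\\",
    "\\Temporary Internet",
    "\\Windows\\Temp\\",
]

PROFILE_SUBFOLDERS = [  # selection_folders_2: ':\Users\' AND one of these
    "\\Favorites\\",
    "\\Favourites\\",
    "\\Contacts\\",
    "\\Pictures\\",
]


def _norm(s: str) -> str:
    # Sigma matches strings case-insensitively by default, so both the event
    # value and every pattern are lower-cased before comparison.
    return s.lower()


def selection_dll(image_loaded: str) -> bool:
    path = _norm(image_loaded)
    return any(path.endswith(_norm(d)) for d in ABUSABLE_DLLS)


def selection_folders_1(image_loaded: str) -> bool:
    path = _norm(image_loaded)
    return any(_norm(f) in path for f in SUSPICIOUS_FOLDERS)


def selection_folders_2(image_loaded: str) -> bool:
    # A list of maps under one selection is OR-ed; 'contains|all' AND-s the
    # values inside each map.
    path = _norm(image_loaded)
    return any(
        _norm(":\\Users\\") in path and _norm(sub) in path
        for sub in PROFILE_SUBFOLDERS
    )


def matches(event: dict) -> bool:
    # logsource category image_load / product windows -> Sysmon EventID 7.
    # (Simplification for this example; a real pipeline applies the logsource
    # mapping before the rule is evaluated.)
    if event.get("EventID") != 7:
        return False
    path = event.get("ImageLoaded", "")
    # condition: selection_dll and 1 of selection_folders_*
    return selection_dll(path) and (
        selection_folders_1(path) or selection_folders_2(path)
    )


# Constructed sample events (not real telemetry). Only the fields the rule
# needs are present, plus Image, the loading process, as triage context.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Users\\Public\\Libraries\\update.exe",
     "ImageLoaded": "C:\\Users\\Public\\Libraries\\libcef.dll"},
    {"EventID": 7, "Image": "C:\\Users\\alice\\Favorites\\viewer.exe",
     "ImageLoaded": "C:\\Users\\alice\\Favorites\\coreclr.dll"},
    {"EventID": 7, "Image": "C:\\Windows\\Temp\\setup.exe",
     "ImageLoaded": "C:\\Windows\\Temp\\ZIPDLL.DLL"},            # case differs from rule
    {"EventID": 7, "Image": "C:\\Program Files\\dotnet\\dotnet.exe",
     "ImageLoaded": "C:\\Program Files\\dotnet\\shared\\coreclr.dll"},  # expected location
    {"EventID": 7, "Image": "C:\\Users\\bob\\Pictures\\photo.exe",
     "ImageLoaded": "C:\\Users\\bob\\Downloads\\facesdk.dll"},   # only ImageLoaded is checked
    {"EventID": 1, "Image": "C:\\Users\\Public\\update.exe",
     "ImageLoaded": "C:\\Users\\Public\\libcef.dll"},            # not an image_load event
]


def alerting_images(events) -> list:
    """Return the loading process (Image) of every event the rule fires on."""
    return [e["Image"] for e in events if matches(e)]


if __name__ == "__main__":
    for image in alerting_images(SAMPLE_EVENTS):
        print("ALERT:", image)
```

Two things the run makes visible: the rule keys only on `ImageLoaded`, so a process running from a suspicious folder that loads one of these DLLs from an unlisted location (the Downloads case above) does not fire, and a match from `C:\Users\Public` or `C:\Windows\Temp` says nothing about which process did the loading, so include `Image` (and ideally the process's signature status) in the alert for triage. Note also that the rule is tagged `attack.t1059` (Command and Scripting Interpreter); the technique it actually covers is DLL side-loading, T1574.002 under Hijack Execution Flow, so adjust the tag if you map alerts to ATT&CK.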
