Potential Antivirus Software DLL Sideloading

 1title: Potential Antivirus Software DLL Sideloading
 2id: 552b6b65-df37-4d3e-a258-f2fc4771ae54
 3status: test
 4description: Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
 5references:
 6    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
 7author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
 8date: 2022-08-17
 9modified: 2023-03-13
10tags:
11    - attack.defense-evasion
12    - attack.persistence
13    - attack.privilege-escalation
14    - attack.t1574.001
15    - attack.t1574.002
16logsource:
17    category: image_load
18    product: windows
19detection:
20    # Bitdefender
21    selection_bitdefender:
22        ImageLoaded|endswith: '\log.dll'
23    filter_log_dll_bitdefender:
24        ImageLoaded|startswith:
25            - 'C:\Program Files\Bitdefender Antivirus Free\'
26            - 'C:\Program Files (x86)\Bitdefender Antivirus Free\'
27    filter_log_dll_dell_sar:
28        Image: 'C:\Program Files\Dell\SARemediation\audit\TelemetryUtility.exe'
29        ImageLoaded:
30            - 'C:\Program Files\Dell\SARemediation\plugin\log.dll'
31            - 'C:\Program Files\Dell\SARemediation\audit\log.dll'
32    filter_log_dll_canon:
33        ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\'
34    # F-Secure
35    selection_fsecure:
36        ImageLoaded|endswith: '\qrt.dll'
37    filter_fsecure:
38        ImageLoaded|startswith:
39            - 'C:\Program Files\F-Secure\Anti-Virus\'
40            - 'C:\Program Files (x86)\F-Secure\Anti-Virus\'
41    # McAfee
42    selection_mcafee:
43        ImageLoaded|endswith:
44            - '\ashldres.dll'
45            - '\lockdown.dll'
46            - '\vsodscpl.dll'
47    filter_mcafee:
48        ImageLoaded|startswith:
49            - 'C:\Program Files\McAfee\'
50            - 'C:\Program Files (x86)\McAfee\'
51    # CyberArk
52    selection_cyberark:
53        ImageLoaded|endswith: '\vftrace.dll'
54    filter_cyberark:
55        ImageLoaded|startswith:
56            - 'C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\'
57            - 'C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\'
58    # Avast
59    selection_avast:
60        ImageLoaded|endswith: '\wsc.dll'
61    filter_avast:
62        ImageLoaded|startswith:
63            - 'C:\program Files\AVAST Software\Avast\'
64            - 'C:\program Files (x86)\AVAST Software\Avast\'
65    # ESET
66    selection_eset_deslock:
67        ImageLoaded|endswith: '\DLPPREM32.dll'
68    filter_eset_deslock:
69        ImageLoaded|startswith:
70            - 'C:\program Files\ESET'
71            - 'C:\program Files (x86)\ESET'
72    # Trend Micro Titanium
73    selection_titanium:
74        ImageLoaded|endswith: '\tmdbglog.dll'
75    filter_titanium:
76        ImageLoaded|startswith:
77            - 'C:\program Files\Trend Micro\Titanium\'
78            - 'C:\program Files (x86)\Trend Micro\Titanium\'
79    condition: (selection_bitdefender and not 1 of filter_log_dll_*)
80               or (selection_fsecure and not filter_fsecure)
81               or (selection_mcafee and not filter_mcafee)
82               or (selection_cyberark and not filter_cyberark)
83               or (selection_avast and not filter_avast)
84               or (selection_titanium and not filter_titanium)
85               or (selection_eset_deslock and not filter_eset_deslock)
86falsepositives:
87    - Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.
88    - Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file.
89    - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file
90level: medium