Potential Antivirus Software DLL Sideloading

calendar Oct 9, 2025 · attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1574.001  ·
Share on: linkedin copy

Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc

Sigma rule (View on GitHub)

  1title: Potential Antivirus Software DLL Sideloading
  2id: 552b6b65-df37-4d3e-a258-f2fc4771ae54
  3status: test
  4description: Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
  5references:
  6    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
  7author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
  8date: 2022-08-17
  9modified: 2025-10-07
 10tags:
 11    - attack.defense-evasion
 12    - attack.persistence
 13    - attack.privilege-escalation
 14    - attack.t1574.001
 15logsource:
 16    category: image_load
 17    product: windows
 18detection:
 19    # Bitdefender
 20    selection_bitdefender:
 21        ImageLoaded|endswith: '\log.dll'
 22    filter_log_dll_bitdefender:
 23        ImageLoaded|startswith:
 24            - 'C:\Program Files\Bitdefender Antivirus Free\'
 25            - 'C:\Program Files (x86)\Bitdefender Antivirus Free\'
 26    filter_log_dll_dell_sar:
 27        Image: 'C:\Program Files\Dell\SARemediation\audit\TelemetryUtility.exe'
 28        ImageLoaded:
 29            - 'C:\Program Files\Dell\SARemediation\plugin\log.dll'
 30            - 'C:\Program Files\Dell\SARemediation\audit\log.dll'
 31    filter_log_dll_canon:
 32        ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\'
 33    filter_log_dll_avast:
 34        ImageLoaded:
 35            - 'C:\Program Files\AVAST Software\Avast\log.dll'
 36            - 'C:\Program Files (x86)\AVAST Software\Avast\log.dll'
 37    filter_log_dll_avg:
 38        ImageLoaded:
 39            - 'C:\Program Files\AVG\Antivirus\log.dll'
 40            - 'C:\Program Files (x86)\AVG\Antivirus\log.dll'
 41    # F-Secure
 42    selection_fsecure:
 43        ImageLoaded|endswith: '\qrt.dll'
 44    filter_fsecure:
 45        ImageLoaded|startswith:
 46            - 'C:\Program Files\F-Secure\Anti-Virus\'
 47            - 'C:\Program Files (x86)\F-Secure\Anti-Virus\'
 48    # McAfee
 49    selection_mcafee:
 50        ImageLoaded|endswith:
 51            - '\ashldres.dll'
 52            - '\lockdown.dll'
 53            - '\vsodscpl.dll'
 54    filter_mcafee:
 55        ImageLoaded|startswith:
 56            - 'C:\Program Files\McAfee\'
 57            - 'C:\Program Files (x86)\McAfee\'
 58    # CyberArk
 59    selection_cyberark:
 60        ImageLoaded|endswith: '\vftrace.dll'
 61    filter_cyberark:
 62        ImageLoaded|startswith:
 63            - 'C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\'
 64            - 'C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\'
 65    # Avast
 66    selection_avast:
 67        ImageLoaded|endswith: '\wsc.dll'
 68    filter_wsc_dll_avast:
 69        ImageLoaded|startswith:
 70            - 'C:\program Files\AVAST Software\Avast\'
 71            - 'C:\program Files (x86)\AVAST Software\Avast\'
 72    filter_wsc_dll_avg:
 73        ImageLoaded|startswith:
 74            - 'C:\Program Files\AVG\Antivirus\'
 75            - 'C:\Program Files (x86)\AVG\Antivirus\'
 76    # ESET
 77    selection_eset_deslock:
 78        ImageLoaded|endswith: '\DLPPREM32.dll'
 79    filter_eset_deslock:
 80        ImageLoaded|startswith:
 81            - 'C:\program Files\ESET'
 82            - 'C:\program Files (x86)\ESET'
 83    # Trend Micro Titanium
 84    selection_titanium:
 85        ImageLoaded|endswith: '\tmdbglog.dll'
 86    filter_titanium:
 87        ImageLoaded|startswith:
 88            - 'C:\program Files\Trend Micro\Titanium\'
 89            - 'C:\program Files (x86)\Trend Micro\Titanium\'
 90    condition: (selection_bitdefender and not 1 of filter_log_dll_*)
 91               or (selection_fsecure and not filter_fsecure)
 92               or (selection_mcafee and not filter_mcafee)
 93               or (selection_cyberark and not filter_cyberark)
 94               or (selection_avast and not 1 of filter_wsc_dll_*)
 95               or (selection_titanium and not filter_titanium)
 96               or (selection_eset_deslock and not filter_eset_deslock)
 97falsepositives:
 98    - Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.
 99    - Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file.
100    - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file
101level: medium

References

  • HijackLibs.net

    HijackLibs provides an curated list of DLL Hijacking opportunities: mappings between DLLs and vulnerable executables, with additional metadata for more context. For defenders, this project can provide valuable information when trying to detect DLL Hijacking attempts; for red teamers, this project can help identify DLLs that can be used to achieve DLL Hijacking.


    Read More

Related rules

to-top