Potential Antivirus Software DLL Sideloading

Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.

Sigma rule

```yaml
title: Potential Antivirus Software DLL Sideloading
id: 552b6b65-df37-4d3e-a258-f2fc4771ae54
status: test
description: Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.
references:
    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2025-10-07
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    # Bitdefender
    selection_bitdefender:
        ImageLoaded|endswith: '\log.dll'
    filter_log_dll_bitdefender:
        ImageLoaded|startswith:
            - 'C:\Program Files\Bitdefender Antivirus Free\'
            - 'C:\Program Files (x86)\Bitdefender Antivirus Free\'
    filter_log_dll_dell_sar:
        Image: 'C:\Program Files\Dell\SARemediation\audit\TelemetryUtility.exe'
        ImageLoaded:
            - 'C:\Program Files\Dell\SARemediation\plugin\log.dll'
            - 'C:\Program Files\Dell\SARemediation\audit\log.dll'
    filter_log_dll_canon:
        ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\'
    filter_log_dll_avast:
        ImageLoaded:
            - 'C:\Program Files\AVAST Software\Avast\log.dll'
            - 'C:\Program Files (x86)\AVAST Software\Avast\log.dll'
    filter_log_dll_avg:
        ImageLoaded:
            - 'C:\Program Files\AVG\Antivirus\log.dll'
            - 'C:\Program Files (x86)\AVG\Antivirus\log.dll'
    # F-Secure
    selection_fsecure:
        ImageLoaded|endswith: '\qrt.dll'
    filter_fsecure:
        ImageLoaded|startswith:
            - 'C:\Program Files\F-Secure\Anti-Virus\'
            - 'C:\Program Files (x86)\F-Secure\Anti-Virus\'
    # McAfee
    selection_mcafee:
        ImageLoaded|endswith:
            - '\ashldres.dll'
            - '\lockdown.dll'
            - '\vsodscpl.dll'
    filter_mcafee:
        ImageLoaded|startswith:
            - 'C:\Program Files\McAfee\'
            - 'C:\Program Files (x86)\McAfee\'
    # CyberArk
    selection_cyberark:
        ImageLoaded|endswith: '\vftrace.dll'
    filter_cyberark:
        ImageLoaded|startswith:
            - 'C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\'
            - 'C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\'
    # Avast
    selection_avast:
        ImageLoaded|endswith: '\wsc.dll'
    filter_wsc_dll_avast:
        ImageLoaded|startswith:
            - 'C:\program Files\AVAST Software\Avast\'
            - 'C:\program Files (x86)\AVAST Software\Avast\'
    filter_wsc_dll_avg:
        ImageLoaded|startswith:
            - 'C:\Program Files\AVG\Antivirus\'
            - 'C:\Program Files (x86)\AVG\Antivirus\'
    # ESET
    selection_eset_deslock:
        ImageLoaded|endswith: '\DLPPREM32.dll'
    filter_eset_deslock:
        ImageLoaded|startswith:
            - 'C:\program Files\ESET'
            - 'C:\program Files (x86)\ESET'
    # Trend Micro Titanium
    selection_titanium:
        ImageLoaded|endswith: '\tmdbglog.dll'
    filter_titanium:
        ImageLoaded|startswith:
            - 'C:\program Files\Trend Micro\Titanium\'
            - 'C:\program Files (x86)\Trend Micro\Titanium\'
    condition: (selection_bitdefender and not 1 of filter_log_dll_*)
               or (selection_fsecure and not filter_fsecure)
               or (selection_mcafee and not filter_mcafee)
               or (selection_cyberark and not filter_cyberark)
               or (selection_avast and not 1 of filter_wsc_dll_*)
               or (selection_titanium and not filter_titanium)
               or (selection_eset_deslock and not filter_eset_deslock)
falsepositives:
    - Applications that load the same DLLs mentioned in the detection section. Investigate them and filter them out if a lot of FPs are caused.
    - Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file.
    - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file.
level: medium
```
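The condition above combines per-vendor selections with "not filter" clauses, and one of the filters (`filter_log_dll_dell_sar`) only applies when both `Image` and `ImageLoaded` match. To make that evaluation order visible, here is an added example (not part of the Sigma rule or the SigmaHQ project) that encodes the rule's selection and filter groups in Python and runs them over constructed Sysmon Event ID 7 (image_load) records. It assumes events are dicts with `Image` and `ImageLoaded` fields and that string matching is case-insensitive, as Sigma backends treat it; the sample paths and process names are constructed for illustration.

```python
"""Added example, not the rule's or SigmaHQ's code: a minimal evaluator for the
'Potential Antivirus Software DLL Sideloading' Sigma rule, applied to constructed
Sysmon Event ID 7 (image_load) records. Matching is case-insensitive, as in Sigma."""

PF = ("C:\\Program Files\\", "C:\\Program Files (x86)\\")


def both(rest):
    """Both Program Files variants of a path, the way the rule lists them."""
    return [p + rest for p in PF]


# group name -> (ImageLoaded|endswith values, list of filters)
# A filter is a dict field -> (operator, values): fields are ANDed, values ORed.
RULE = {
    "bitdefender": (["\\log.dll"], [
        {"ImageLoaded": ("startswith", both("Bitdefender Antivirus Free\\"))},
        {"Image": ("equals", ["C:\\Program Files\\Dell\\SARemediation\\audit\\TelemetryUtility.exe"]),
         "ImageLoaded": ("equals", ["C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll",
                                    "C:\\Program Files\\Dell\\SARemediation\\audit\\log.dll"])},
        {"ImageLoaded": ("startswith", ["C:\\Program Files\\Canon\\MyPrinter\\"])},
        {"ImageLoaded": ("equals", both("AVAST Software\\Avast\\log.dll"))},
        {"ImageLoaded": ("equals", both("AVG\\Antivirus\\log.dll"))},
    ]),
    "fsecure": (["\\qrt.dll"], [{"ImageLoaded": ("startswith", both("F-Secure\\Anti-Virus\\"))}]),
    "mcafee": (["\\ashldres.dll", "\\lockdown.dll", "\\vsodscpl.dll"],
               [{"ImageLoaded": ("startswith", both("McAfee\\"))}]),
    "cyberark": (["\\vftrace.dll"],
                 [{"ImageLoaded": ("startswith", both("CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\"))}]),
    "avast": (["\\wsc.dll"], [{"ImageLoaded": ("startswith", both("AVAST Software\\Avast\\"))},
                              {"ImageLoaded": ("startswith", both("AVG\\Antivirus\\"))}]),
    "eset_deslock": (["\\DLPPREM32.dll"], [{"ImageLoaded": ("startswith", both("ESET"))}]),
    "titanium": (["\\tmdbglog.dll"], [{"ImageLoaded": ("startswith", both("Trend Micro\\Titanium\\"))}]),
}


def _match(event, field, op, values):
    """Case-insensitive Sigma-style comparison of one field against a value list (OR)."""
    actual = event.get(field, "").lower()
    for value in values:
        v = value.lower()
        if (op == "equals" and actual == v) or \
           (op == "startswith" and actual.startswith(v)) or \
           (op == "endswith" and actual.endswith(v)):
            return True
    return False


def _filter_applies(event, flt):
    """All fields of a filter map must match (Sigma ANDs fields inside one map)."""
    return all(_match(event, field, op, vals) for field, (op, vals) in flt.items())


def evaluate(event):
    """Names of the rule's selection groups that fire for one event: the selection
    matched and none of its filters applied ('not filter_x' / 'not 1 of filter_*')."""
    hits = []
    for name, (suffixes, filters) in RULE.items():
        if _match(event, "ImageLoaded", "endswith", suffixes) and \
           not any(_filter_applies(event, f) for f in filters):
            hits.append(name)
    return hits


# Constructed image_load records (not real telemetry).
SAMPLE_EVENTS = [
    # log.dll loaded from a user folder: no filter covers it -> alert
    {"Image": "C:\\Users\\alice\\Downloads\\tool\\viewer.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\tool\\log.dll"},
    # log.dll loaded from the vendor's own folder -> filtered
    {"Image": "C:\\Program Files\\Bitdefender Antivirus Free\\vsserv.exe",
     "ImageLoaded": "C:\\Program Files\\Bitdefender Antivirus Free\\log.dll"},
    # Dell log.dll path, but loaded by a different process: the Dell filter
    # requires both fields, so it does not apply -> alert
    {"Image": "C:\\Temp\\x.exe",
     "ImageLoaded": "C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll"},
    # mixed-case vendor path: Sigma matching is case-insensitive -> filtered
    {"Image": "c:\\program files\\mcafee\\agent.exe",
     "ImageLoaded": "c:\\program files\\mcafee\\lockdown.dll"},
    # unrelated DLL -> no selection matches
    {"Image": "C:\\Windows\\notepad.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
]


def run(events=SAMPLE_EVENTS):
    """Evaluate every event; returns a list of hit lists, one per event."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, run()):
        print(event["ImageLoaded"], "->", hits or "no alert")
```

The third sample is the case worth noting when tuning this rule: a filter that names both `Image` and `ImageLoaded` only suppresses loads by that exact process, so the same DLL path loaded by anything else still alerts, which is the intended behaviour for a sideloading detection.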
