Potential Antivirus Software DLL Sideloading

Detects potential DLL sideloading of DLLs that ship with antivirus and endpoint security software. Despite the broad wording of the rule's description, the detection currently covers specific DLL names from Bitdefender, F-Secure, McAfee, CyberArk, Avast, ESET and Trend Micro, each paired with a filter for the vendor's own install directory; no Symantec DLL is included.

Sigma rule

title: Potential Antivirus Software DLL Sideloading
id: 552b6b65-df37-4d3e-a258-f2fc4771ae54
status: test
description: Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.
references:
    - https://hijacklibs.net/ # For a list of DLLs that could be sideloaded (search there for the DLLs mentioned in this rule)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2023-03-13
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    # Bitdefender
    selection_bitdefender:
        ImageLoaded|endswith: '\log.dll'
    filter_log_dll_bitdefender:
        ImageLoaded|startswith:
            - 'C:\Program Files\Bitdefender Antivirus Free\'
            - 'C:\Program Files (x86)\Bitdefender Antivirus Free\'
    filter_log_dll_dell_sar:
        # Both fields must match for this filter to apply (fields in one map are ANDed)
        Image: 'C:\Program Files\Dell\SARemediation\audit\TelemetryUtility.exe'
        ImageLoaded:
            - 'C:\Program Files\Dell\SARemediation\plugin\log.dll'
            - 'C:\Program Files\Dell\SARemediation\audit\log.dll'
    filter_log_dll_canon:
        ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\'
    # F-Secure
    selection_fsecure:
        ImageLoaded|endswith: '\qrt.dll'
    filter_fsecure:
        ImageLoaded|startswith:
            - 'C:\Program Files\F-Secure\Anti-Virus\'
            - 'C:\Program Files (x86)\F-Secure\Anti-Virus\'
    # McAfee
    selection_mcafee:
        ImageLoaded|endswith:
            - '\ashldres.dll'
            - '\lockdown.dll'
            - '\vsodscpl.dll'
    filter_mcafee:
        ImageLoaded|startswith:
            - 'C:\Program Files\McAfee\'
            - 'C:\Program Files (x86)\McAfee\'
    # CyberArk
    selection_cyberark:
        ImageLoaded|endswith: '\vftrace.dll'
    filter_cyberark:
        ImageLoaded|startswith:
            - 'C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\'
            - 'C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\'
    # Avast
    selection_avast:
        ImageLoaded|endswith: '\wsc.dll'
    filter_avast:
        ImageLoaded|startswith:
            - 'C:\Program Files\AVAST Software\Avast\'
            - 'C:\Program Files (x86)\AVAST Software\Avast\'
    # ESET
    selection_eset_deslock:
        ImageLoaded|endswith: '\DLPPREM32.dll'
    filter_eset_deslock:
        ImageLoaded|startswith:
            - 'C:\Program Files\ESET'
            - 'C:\Program Files (x86)\ESET'
    # Trend Micro Titanium
    selection_titanium:
        ImageLoaded|endswith: '\tmdbglog.dll'
    filter_titanium:
        ImageLoaded|startswith:
            - 'C:\Program Files\Trend Micro\Titanium\'
            - 'C:\Program Files (x86)\Trend Micro\Titanium\'
    condition: (selection_bitdefender and not 1 of filter_log_dll_*)
               or (selection_fsecure and not filter_fsecure)
               or (selection_mcafee and not filter_mcafee)
               or (selection_cyberark and not filter_cyberark)
               or (selection_avast and not filter_avast)
               or (selection_titanium and not filter_titanium)
               or (selection_eset_deslock and not filter_eset_deslock)
falsepositives:
    - Applications that load the same DLLs mentioned in the detection section. Investigate them and filter them out if they generate many false positives.
    - The Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain a 'log.dll' file.
    - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain a 'log.dll' file.
level: medium
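The condition above is a disjunction of seven "selection and not filter" clauses, and the Dell filter is the one place where a filter is a conjunction over two fields (Image and ImageLoaded). The following Python is an added example, not the rule's own code and not from the SigmaHQ project: it re-implements the rule's matching logic (Sigma string comparisons are case-insensitive, so everything is lower-cased before comparing) and runs it over a handful of constructed image_load events. The process names and paths in SAMPLE_EVENTS, such as updater.exe and scan.exe, are made up for illustration and are not real telemetry.

```python
"""
Added example, not the rule's own code and not from SigmaHQ: the rule's detection
logic re-implemented in Python and run over constructed image_load events, to show
how selections and filters combine. Every path in SAMPLE_EVENTS is made up.
"""

from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple


@dataclass(frozen=True)
class ImageLoad:
    """The two image_load fields the rule uses (Sysmon Event ID 7 names)."""
    Image: str        # process that loaded the DLL
    ImageLoaded: str  # full path of the loaded DLL


def prefix_filter(*prefixes: str) -> Callable[[ImageLoad], bool]:
    """ImageLoaded|startswith filter; Sigma string matching ignores case."""
    lowered = tuple(p.lower() for p in prefixes)
    return lambda ev: ev.ImageLoaded.lower().startswith(lowered)


def dell_sar_filter(ev: ImageLoad) -> bool:
    """filter_log_dll_dell_sar: Image AND ImageLoaded must both match."""
    return (ev.Image.lower() == "c:\\program files\\dell\\saremediation\\audit\\telemetryutility.exe"
            and ev.ImageLoaded.lower() in {"c:\\program files\\dell\\saremediation\\plugin\\log.dll",
                                           "c:\\program files\\dell\\saremediation\\audit\\log.dll"})


# One entry per '(selection_X and not filter_X)' clause of the rule's condition:
# (selection name, ImageLoaded|endswith values, filters that suppress the hit).
RULE: List[Tuple[str, Tuple[str, ...], Sequence[Callable[[ImageLoad], bool]]]] = [
    ("bitdefender", ("\\log.dll",), [
        prefix_filter("C:\\Program Files\\Bitdefender Antivirus Free\\",
                      "C:\\Program Files (x86)\\Bitdefender Antivirus Free\\"),
        dell_sar_filter,
        prefix_filter("C:\\Program Files\\Canon\\MyPrinter\\")]),
    ("fsecure", ("\\qrt.dll",), [
        prefix_filter("C:\\Program Files\\F-Secure\\Anti-Virus\\",
                      "C:\\Program Files (x86)\\F-Secure\\Anti-Virus\\")]),
    ("mcafee", ("\\ashldres.dll", "\\lockdown.dll", "\\vsodscpl.dll"), [
        prefix_filter("C:\\Program Files\\McAfee\\", "C:\\Program Files (x86)\\McAfee\\")]),
    ("cyberark", ("\\vftrace.dll",), [
        prefix_filter("C:\\Program Files\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\",
                      "C:\\Program Files (x86)\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\")]),
    ("avast", ("\\wsc.dll",), [
        prefix_filter("C:\\Program Files\\AVAST Software\\Avast\\",
                      "C:\\Program Files (x86)\\AVAST Software\\Avast\\")]),
    ("eset_deslock", ("\\DLPPREM32.dll",), [
        prefix_filter("C:\\Program Files\\ESET", "C:\\Program Files (x86)\\ESET")]),
    ("titanium", ("\\tmdbglog.dll",), [
        prefix_filter("C:\\Program Files\\Trend Micro\\Titanium\\",
                      "C:\\Program Files (x86)\\Trend Micro\\Titanium\\")]),
]


def matches(ev: ImageLoad) -> List[str]:
    """Selections that fire for one event; an empty list means no alert."""
    loaded = ev.ImageLoaded.lower()
    return [name for name, suffixes, filters in RULE
            if loaded.endswith(tuple(s.lower() for s in suffixes))
            and not any(f(ev) for f in filters)]


def scan(events: Sequence[ImageLoad]) -> List[Tuple[ImageLoad, List[str]]]:
    """Run the rule over a batch and return only the events that alert."""
    return [(ev, hits) for ev in events if (hits := matches(ev))]


# Constructed sample events (Image, ImageLoaded); none of this is real telemetry.
SAMPLE_EVENTS = [ImageLoad(*e) for e in [
    # 0: vendor DLL loaded from the vendor directory -> suppressed by filter_mcafee
    ("C:\\Program Files\\McAfee\\Agent\\agent.exe", "C:\\Program Files\\McAfee\\Agent\\lockdown.dll"),
    # 1: same DLL name next to an unknown binary in a user-writable path -> mcafee
    ("C:\\Users\\Public\\updater.exe", "C:\\Users\\Public\\vsodscpl.dll"),
    # 2: Dell's TelemetryUtility loading its own log.dll -> filter_log_dll_dell_sar
    ("C:\\Program Files\\Dell\\SARemediation\\audit\\TelemetryUtility.exe",
     "C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll"),
    # 3: same Dell binary but log.dll from elsewhere; the filter is an AND on both
    #    fields, so it does not apply and the bitdefender selection fires
    ("C:\\Program Files\\Dell\\SARemediation\\audit\\TelemetryUtility.exe", "C:\\Users\\Public\\log.dll"),
    # 4: upper-cased vendor path -> still suppressed, matching ignores case
    ("C:\\PROGRAM FILES (X86)\\AVAST SOFTWARE\\AVAST\\AVASTUI.EXE",
     "C:\\PROGRAM FILES (X86)\\AVAST SOFTWARE\\AVAST\\WSC.DLL"),
    # 5: unrelated system DLL -> no selection matches
    ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\kernel32.dll"),
    # 6: ESET DLP DLL dropped beside an unknown binary in ProgramData -> eset_deslock
    ("C:\\ProgramData\\Temp\\scan.exe", "C:\\ProgramData\\Temp\\DLPPREM32.dll"),
]]


if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(f"ALERT {hits}: {ev.Image} loaded {ev.ImageLoaded}")
```

Running the script prints the three alerting events (1, 3 and 6). The point to take from events 2 and 3 is that the filters only whitelist vendor-owned locations: the same DLL name loaded from a user-writable directory, or loaded by the expected binary from an unexpected location, still alerts. When tuning the rule for an environment, add exclusions at this level of specificity (a concrete Image together with a concrete ImageLoaded) rather than broad path prefixes, or an attacker can place a renamed copy of the vendor binary under the excluded prefix.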
