Potential Antivirus Software DLL Sideloading

Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc. The rule fires when a DLL name known to belong to one of the listed security products is loaded from a path outside that product's installation directory.

Sigma rule

title: Potential Antivirus Software DLL Sideloading
id: 552b6b65-df37-4d3e-a258-f2fc4771ae54
status: test
description: Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.
references:
    - https://hijacklibs.net/ # Catalogue of DLLs that can be sideloaded; look up the DLL names used in this rule there
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2025-10-07
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    # Bitdefender
    selection_bitdefender:
        ImageLoaded|endswith: '\log.dll'
    filter_log_dll_bitdefender:
        ImageLoaded|startswith:
            - 'C:\Program Files\Bitdefender Antivirus Free\'
            - 'C:\Program Files (x86)\Bitdefender Antivirus Free\'
    # Both fields must match: the known Dell loader AND one of the two known DLL paths
    filter_log_dll_dell_sar:
        Image: 'C:\Program Files\Dell\SARemediation\audit\TelemetryUtility.exe'
        ImageLoaded:
            - 'C:\Program Files\Dell\SARemediation\plugin\log.dll'
            - 'C:\Program Files\Dell\SARemediation\audit\log.dll'
    filter_log_dll_canon:
        ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\'
    filter_log_dll_avast:
        ImageLoaded:
            - 'C:\Program Files\AVAST Software\Avast\log.dll'
            - 'C:\Program Files (x86)\AVAST Software\Avast\log.dll'
    filter_log_dll_avg:
        ImageLoaded:
            - 'C:\Program Files\AVG\Antivirus\log.dll'
            - 'C:\Program Files (x86)\AVG\Antivirus\log.dll'
    # F-Secure
    selection_fsecure:
        ImageLoaded|endswith: '\qrt.dll'
    filter_fsecure:
        ImageLoaded|startswith:
            - 'C:\Program Files\F-Secure\Anti-Virus\'
            - 'C:\Program Files (x86)\F-Secure\Anti-Virus\'
    # McAfee
    selection_mcafee:
        ImageLoaded|endswith:
            - '\ashldres.dll'
            - '\lockdown.dll'
            - '\vsodscpl.dll'
    filter_mcafee:
        ImageLoaded|startswith:
            - 'C:\Program Files\McAfee\'
            - 'C:\Program Files (x86)\McAfee\'
    # CyberArk
    selection_cyberark:
        ImageLoaded|endswith: '\vftrace.dll'
    filter_cyberark:
        ImageLoaded|startswith:
            - 'C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\'
            - 'C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\'
    # Avast (wsc.dll is also shipped by AVG, hence the second filter)
    selection_avast:
        ImageLoaded|endswith: '\wsc.dll'
    filter_wsc_dll_avast:
        ImageLoaded|startswith:
            - 'C:\Program Files\AVAST Software\Avast\'
            - 'C:\Program Files (x86)\AVAST Software\Avast\'
    filter_wsc_dll_avg:
        ImageLoaded|startswith:
            - 'C:\Program Files\AVG\Antivirus\'
            - 'C:\Program Files (x86)\AVG\Antivirus\'
    # ESET (no trailing backslash on purpose: covers the various 'ESET ...' product folders)
    selection_eset_deslock:
        ImageLoaded|endswith: '\DLPPREM32.dll'
    filter_eset_deslock:
        ImageLoaded|startswith:
            - 'C:\Program Files\ESET'
            - 'C:\Program Files (x86)\ESET'
    # Trend Micro Titanium
    selection_titanium:
        ImageLoaded|endswith: '\tmdbglog.dll'
    filter_titanium:
        ImageLoaded|startswith:
            - 'C:\Program Files\Trend Micro\Titanium\'
            - 'C:\Program Files (x86)\Trend Micro\Titanium\'
    condition: (selection_bitdefender and not 1 of filter_log_dll_*)
               or (selection_fsecure and not filter_fsecure)
               or (selection_mcafee and not filter_mcafee)
               or (selection_cyberark and not filter_cyberark)
               or (selection_avast and not 1 of filter_wsc_dll_*)
               or (selection_titanium and not filter_titanium)
               or (selection_eset_deslock and not filter_eset_deslock)
falsepositives:
    - Applications that load the same DLLs mentioned in the detection section. Investigate them and filter them out if they cause many false positives.
    - The Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain a 'log.dll' file.
    - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain a 'log.dll' file.
level: medium
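To see how the condition behaves on real events, the following is an added example that re-implements the rule's selection/filter logic in Python and runs it over a handful of constructed Sysmon Event ID 7 (image_load) records. It is not code from SigmaHQ or from any Sigma backend; the loader and DLL paths in the sample events (the `C:\Users\Public\...` ones in particular) are invented for illustration. Sigma string matching is case-insensitive by default, which the matcher reproduces; note that it deliberately does not catch a second subtlety the rule itself does not address either: an attacker who drops the DLL inside one of the whitelisted directories is filtered out.

```python
"""Re-implementation of the rule's detection logic over constructed Sysmon
Event ID 7 (image_load) records. Added example, not SigmaHQ or backend code;
every event below is constructed."""


# A block is {(field, modifier): value_or_list}. Fields in a block AND together,
# list values OR together, and comparisons are case-insensitive like Sigma's.
def _field_matches(event, field, modifier, values):
    observed = str(event.get(field, "")).lower()
    for value in ([values] if isinstance(values, str) else values):
        value = value.lower()
        if modifier == "endswith" and observed.endswith(value):
            return True
        if modifier == "startswith" and observed.startswith(value):
            return True
        if modifier == "equals" and observed == value:
            return True
    return False


def _block_matches(event, block):
    return all(_field_matches(event, f, m, v) for (f, m), v in block.items())


def _loaded(modifier, *values):
    return {("ImageLoaded", modifier): list(values)}


PF, PF86 = "C:\\Program Files\\", "C:\\Program Files (x86)\\"


def _both(sub):
    return [PF + sub, PF86 + sub]


# (branch name, selection block, list of filter blocks), transcribed from the rule.
RULE = [
    ("bitdefender", _loaded("endswith", "\\log.dll"), [
        _loaded("startswith", *_both("Bitdefender Antivirus Free\\")),
        {("Image", "equals"): PF + "Dell\\SARemediation\\audit\\TelemetryUtility.exe",
         ("ImageLoaded", "equals"): [PF + "Dell\\SARemediation\\plugin\\log.dll",
                                     PF + "Dell\\SARemediation\\audit\\log.dll"]},
        _loaded("startswith", PF + "Canon\\MyPrinter\\"),
        _loaded("equals", *_both("AVAST Software\\Avast\\log.dll")),
        _loaded("equals", *_both("AVG\\Antivirus\\log.dll")),
    ]),
    ("fsecure", _loaded("endswith", "\\qrt.dll"),
     [_loaded("startswith", *_both("F-Secure\\Anti-Virus\\"))]),
    ("mcafee", _loaded("endswith", "\\ashldres.dll", "\\lockdown.dll", "\\vsodscpl.dll"),
     [_loaded("startswith", *_both("McAfee\\"))]),
    ("cyberark", _loaded("endswith", "\\vftrace.dll"),
     [_loaded("startswith", *_both("CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\"))]),
    ("avast", _loaded("endswith", "\\wsc.dll"),
     [_loaded("startswith", *_both("AVAST Software\\Avast\\")),
      _loaded("startswith", *_both("AVG\\Antivirus\\"))]),
    ("titanium", _loaded("endswith", "\\tmdbglog.dll"),
     [_loaded("startswith", *_both("Trend Micro\\Titanium\\"))]),
    ("eset_deslock", _loaded("endswith", "\\DLPPREM32.dll"),
     [_loaded("startswith", *_both("ESET"))]),
]


def evaluate(event):
    """Names of the rule branches that fire for one image_load event.
    Each branch is `selection and not 1 of filter_*`, as in the condition."""
    return [name for name, selection, filters in RULE
            if _block_matches(event, selection)
            and not any(_block_matches(event, f) for f in filters)]


# Constructed Sysmon Event ID 7 records, reduced to the two fields the rule uses.
SAMPLE_EVENTS = {
    # genuine AV binary loading its own DLL from the install directory -> filtered
    "avast_legit": {"Image": PF + "AVAST Software\\Avast\\AvastUI.exe",
                    "ImageLoaded": PF + "AVAST Software\\Avast\\wsc.dll"},
    # same DLL name loaded from a user-writable path (hypothetical) -> fires
    "wsc_sideload": {"Image": "C:\\Users\\Public\\stage\\host.exe",
                     "ImageLoaded": "C:\\Users\\Public\\stage\\wsc.dll"},
    # Dell exception needs BOTH the known loader and one of the known DLL paths
    "dell_known": {"Image": PF + "Dell\\SARemediation\\audit\\TelemetryUtility.exe",
                   "ImageLoaded": PF + "Dell\\SARemediation\\plugin\\log.dll"},
    "dell_loader_foreign_dll": {"Image": PF + "Dell\\SARemediation\\audit\\TelemetryUtility.exe",
                                "ImageLoaded": "C:\\Users\\Public\\log.dll"},
    # Canon exception is path-only, so any loader is accepted
    "canon_known": {"Image": "C:\\Windows\\Temp\\x.exe",
                    "ImageLoaded": PF + "Canon\\MyPrinter\\log.dll"},
    # McAfee DLL name outside any McAfee directory -> fires; upper case on purpose
    "mcafee_sideload": {"Image": "C:\\Users\\Public\\McUpdate.exe",
                        "ImageLoaded": "C:\\USERS\\PUBLIC\\VSODSCPL.DLL"},
    "unrelated": {"Image": "C:\\Windows\\explorer.exe",
                  "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
}


def run_samples():
    return {label: evaluate(ev) for label, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, hits in run_samples().items():
        print(f"{label:<24} -> {hits or 'no match'}")
```

Two things worth checking before deploying the rule: `dell_loader_foreign_dll` shows that the Dell exception is keyed on both `Image` and `ImageLoaded`, so the Dell binary loading `log.dll` from anywhere else still fires, whereas the Canon exception is path-only and suppresses any process that loads from that folder. Also, this rule only produces results if the Sysmon configuration actually records image loads (Event ID 7) for these DLL names; image load logging is commonly filtered heavily, so confirm the events reach the SIEM at all before relying on the rule.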
