Potential appverifUI.DLL Sideloading
Detects potential DLL sideloading of "appverifUI.dll"
Sigma rule (View on GitHub)
1title: Potential appverifUI.DLL Sideloading
2id: ee6cea48-c5b6-4304-a332-10fc6446f484
3status: test
4description: Detects potential DLL sideloading of "appverifUI.dll"
5references:
6 - https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/
7author: X__Junior (Nextron Systems)
8date: 2023-06-20
9tags:
10 - attack.defense-evasion
11 - attack.privilege-escalation
12 - attack.t1574.001
13logsource:
14 category: image_load
15 product: windows
16detection:
17 selection:
18 ImageLoaded|endswith: '\appverifUI.dll'
19 filter_main_legit_path:
20 Image:
21 - 'C:\Windows\SysWOW64\appverif.exe'
22 - 'C:\Windows\System32\appverif.exe'
23 ImageLoaded|startswith:
24 - 'C:\Windows\System32\'
25 - 'C:\Windows\SysWOW64\'
26 - 'C:\Windows\WinSxS\'
27 condition: selection and not 1 of filter_main_*
28falsepositives:
29 - Unlikely
30level: high
References
-
A couple of weeks ago, FireEye published a blog called “Abusing DLL Misconfigurations.” The gist of the blog post is that when an application is executed, it will try and load DLLs for whatever fun...
Read More
Related rules
- Creation Of Non-Existent System DLL
- DLL Search Order Hijackig Via Additional Space in Path
- DLL Sideloading Of ShellChromeAPI.DLL
- Lazarus APT DLL Sideloading Activity
- Malicious DLL File Dropped in the Teams or OneDrive Folder