Potential appverifUI.DLL Sideloading
Detects potential DLL sideloading of "appverifUI.dll"
Sigma rule (View on GitHub)
1title: Potential appverifUI.DLL Sideloading
2id: ee6cea48-c5b6-4304-a332-10fc6446f484
3status: test
4description: Detects potential DLL sideloading of "appverifUI.dll"
5references:
6 - https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/
7author: X__Junior (Nextron Systems)
8date: 2023/06/20
9tags:
10 - attack.defense_evasion
11 - attack.privilege_escalation
12 - attack.t1574.001
13 - attack.t1574.002
14logsource:
15 category: image_load
16 product: windows
17detection:
18 selection:
19 ImageLoaded|endswith: '\appverifUI.dll'
20 filter_main_legit_path:
21 Image:
22 - 'C:\Windows\SysWOW64\appverif.exe'
23 - 'C:\Windows\System32\appverif.exe'
24 ImageLoaded|startswith:
25 - 'C:\Windows\System32\'
26 - 'C:\Windows\SysWOW64\'
27 - 'C:\Windows\WinSxS\'
28 condition: selection and not 1 of filter_main_*
29falsepositives:
30 - Unlikely
31level: high
References
-
A couple of weeks ago, FireEye published a blog called “Abusing DLL Misconfigurations.” The gist of the blog post is that when an application is executed, it will try and load DLLs for whatever fun...
Read More
Related rules
- Potential 7za.DLL Sideloading
- Potential Edputil.DLL Sideloading
- Potential RjvPlatform.DLL Sideloading From Default Location
- Potential RjvPlatform.DLL Sideloading From Non-Default Location
- Potential ShellDispatch.DLL Sideloading