Potential Chrome Frame Helper DLL Sideloading
Detects potential DLL sideloading of "chrome_frame_helper.dll"
Sigma rule (View on GitHub)
1title: Potential Chrome Frame Helper DLL Sideloading
2id: 72ca7c75-bf85-45cd-aca7-255d360e423c
3status: test
4description: Detects potential DLL sideloading of "chrome_frame_helper.dll"
5references:
6 - https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html
7author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
8date: 2022-08-17
9modified: 2023-05-15
10tags:
11 - attack.defense-evasion
12 - attack.persistence
13 - attack.privilege-escalation
14 - attack.t1574.001
15logsource:
16 category: image_load
17 product: windows
18detection:
19 selection:
20 ImageLoaded|endswith: '\chrome_frame_helper.dll'
21 filter_main_path:
22 ImageLoaded|startswith:
23 - 'C:\Program Files\Google\Chrome\Application\'
24 - 'C:\Program Files (x86)\Google\Chrome\Application\'
25 filter_optional_user_path:
26 ImageLoaded|contains: '\AppData\local\Google\Chrome\Application\'
27 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
28falsepositives:
29 - Unknown
30level: medium
References
-
Check out the entry for chrome_frame_helper.dll on HijackLibs - it is loaded by applications vulnerable to DLL Hijacking!
Read More
Related rules
- Creation Of Non-Existent System DLL
- DLL Search Order Hijackig Via Additional Space in Path
- DLL Sideloading Of ShellChromeAPI.DLL
- Malicious DLL File Dropped in the Teams or OneDrive Folder
- Microsoft Office DLL Sideload