Potential DLL Sideloading Of DBGCORE.DLL
Detects DLL sideloading of "dbgcore.dll"
Sigma rule (View on GitHub)
1title: Potential DLL Sideloading Of DBGCORE.DLL
2id: 9ca2bf31-0570-44d8-a543-534c47c33ed7
3status: test
4description: Detects DLL sideloading of "dbgcore.dll"
5references:
6 - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
7author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
8date: 2022-10-25
9modified: 2023-05-05
10tags:
11 - attack.defense-evasion
12 - attack.persistence
13 - attack.privilege-escalation
14 - attack.t1574.001
15 - attack.t1574.002
16logsource:
17 category: image_load
18 product: windows
19detection:
20 selection:
21 ImageLoaded|endswith: '\dbgcore.dll'
22 filter_main_generic:
23 ImageLoaded|startswith:
24 - 'C:\Program Files (x86)\'
25 - 'C:\Program Files\'
26 - 'C:\Windows\SoftwareDistribution\'
27 - 'C:\Windows\System32\'
28 - 'C:\Windows\SystemTemp\'
29 - 'C:\Windows\SysWOW64\'
30 - 'C:\Windows\WinSxS\'
31 filter_optional_steam:
32 ImageLoaded|endswith: '\Steam\bin\cef\cef.win7x64\dbgcore.dll'
33 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
34falsepositives:
35 - Legitimate applications loading their own versions of the DLL mentioned in this rule
36level: medium
References
-
HijackLibs provides an curated list of DLL Hijacking candidates: mappings between DLLs and vulnerable executables, with additional metadata for more context. For defenders, this project can provide valuable information when trying to detect DLL Hijacking attempts; for red teamers, this project can help identify DLLs that can be used to achieve DLL Hijacking.
Read More
Related rules
- Creation Of Non-Existent System DLL
- DLL Sideloading Of ShellChromeAPI.DLL
- Microsoft Office DLL Sideload
- Potential 7za.DLL Sideloading
- Potential Antivirus Software DLL Sideloading