Potential DLL Sideloading Of DBGCORE.DLL
Detects DLL sideloading of "dbgcore.dll"
Sigma rule (View on GitHub)
1title: Potential DLL Sideloading Of DBGCORE.DLL
2id: 9ca2bf31-0570-44d8-a543-534c47c33ed7
3status: test
4description: Detects DLL sideloading of "dbgcore.dll"
5references:
6 - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
7author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
8date: 2022-10-25
9modified: 2023-05-05
10tags:
11 - attack.defense-evasion
12 - attack.persistence
13 - attack.privilege-escalation
14 - attack.t1574.001
15logsource:
16 category: image_load
17 product: windows
18detection:
19 selection:
20 ImageLoaded|endswith: '\dbgcore.dll'
21 filter_main_generic:
22 ImageLoaded|startswith:
23 - 'C:\Program Files (x86)\'
24 - 'C:\Program Files\'
25 - 'C:\Windows\SoftwareDistribution\'
26 - 'C:\Windows\System32\'
27 - 'C:\Windows\SystemTemp\'
28 - 'C:\Windows\SysWOW64\'
29 - 'C:\Windows\WinSxS\'
30 filter_optional_steam:
31 ImageLoaded|endswith: '\Steam\bin\cef\cef.win7x64\dbgcore.dll'
32 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
33falsepositives:
34 - Legitimate applications loading their own versions of the DLL mentioned in this rule
35level: medium
References
-
HijackLibs provides an curated list of DLL Hijacking opportunities: mappings between DLLs and vulnerable executables, with additional metadata for more context. For defenders, this project can provide valuable information when trying to detect DLL Hijacking attempts; for red teamers, this project can help identify DLLs that can be used to achieve DLL Hijacking.
Read More
Related rules
- Creation Of Non-Existent System DLL
- DLL Search Order Hijackig Via Additional Space in Path
- DLL Sideloading Of ShellChromeAPI.DLL
- Malicious DLL File Dropped in the Teams or OneDrive Folder
- Microsoft Office DLL Sideload