Potential Edputil.DLL Sideloading

 1title: Potential Edputil.DLL Sideloading
 2id: e4903324-1a10-4ed3-981b-f6fe3be3a2c2
 3status: test
 4description: Detects potential DLL sideloading of "edputil.dll"
 5references:
 6    - https://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/
 7author: X__Junior (Nextron Systems)
 8date: 2023-06-09
 9tags:
10    - attack.defense-evasion
11    - attack.privilege-escalation
12    - attack.t1574.001
13logsource:
14    category: image_load
15    product: windows
16detection:
17    selection:
18        ImageLoaded|endswith: '\edputil.dll'
19    filter_main_generic:
20        ImageLoaded|startswith:
21            - 'C:\Windows\System32\'
22            - 'C:\Windows\SysWOW64\'
23            - 'C\Windows\WinSxS\'
24    condition: selection and not 1 of filter_main_*
25falsepositives:
26    - Unlikely
27level: high

References

• Cybercriminals use WordPad vulnerability to spread Qbot malware with phishing emails

  

  Cybercriminals are using a vulnerability in Windows WordPad to spread the Qbot malware. The process starts with an email containing a malicious .DLL file and the WordPad executable. WordPad activates all the DLL files, including the malicious one, allowing Qbot to be downloaded undetected. This technique is known as DLL sideloading or DLL hijacking and has previously been used with applications such as Calculator. The strategy only works on Windows 10 and newer versions of the Microsoft operating system.

  
  Read More

Related rules

• Creation Of Non-Existent System DLL
• DLL Search Order Hijackig Via Additional Space in Path
• DLL Sideloading Of ShellChromeAPI.DLL
• Lazarus APT DLL Sideloading Activity
• Malicious DLL File Dropped in the Teams or OneDrive Folder