Potential System DLL Sideloading From Non System Locations
Detects DLL sideloading of DLLs that are usually located in system locations (System32, SysWOW64, etc.) when they are loaded from a non-system location.
Sigma rule
title: Potential System DLL Sideloading From Non System Locations
id: 4fc0deee-0057-4998-ab31-d24e46e0aba4
status: experimental
description: Detects DLL sideloading of DLLs that are usually located in system locations (System32, SysWOW64, etc.) when they are loaded from a non-system location.
references:
    - https://hijacklibs.net/ # List of DLLs that can be sideloaded; look up the DLLs named in this rule there. Wietze Beukema (project and research)
    - https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll
    - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
    - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
    - https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
modified: 2024-07-11
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
    - attack.t1574.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\aclui.dll'
            - '\activeds.dll'
            - '\adsldpc.dll'
            - '\aepic.dll'
            - '\apphelp.dll'
            - '\applicationframe.dll'
            - '\appvpolicy.dll'
            - '\appxalluserstore.dll'
            - '\appxdeploymentclient.dll'
            - '\archiveint.dll'
            - '\atl.dll'
            - '\audioses.dll'
            - '\auditpolcore.dll'
            - '\authfwcfg.dll'
            - '\authz.dll'
            - '\avrt.dll'
            - '\batmeter.dll'
            - '\bcd.dll'
            - '\bcp47langs.dll'
            - '\bcp47mrm.dll'
            - '\bcrypt.dll'
            - '\bderepair.dll'
            - '\bootmenuux.dll'
            - '\bootux.dll'
            - '\cabinet.dll'
            - '\cabview.dll'
            - '\certcli.dll'
            - '\certenroll.dll'
            - '\cfgmgr32.dll'
            - '\cldapi.dll'
            - '\clipc.dll'
            - '\clusapi.dll'
            - '\cmpbk32.dll'
            - '\cmutil.dll'
            - '\coloradapterclient.dll'
            - '\colorui.dll'
            - '\comdlg32.dll'
            - '\configmanager2.dll'
            - '\connect.dll'
            - '\coredplus.dll'
            - '\coremessaging.dll'
            - '\coreuicomponents.dll'
            - '\credui.dll'
            - '\cryptbase.dll'
            - '\cryptdll.dll'
            - '\cryptsp.dll'
            - '\cryptui.dll'
            - '\cryptxml.dll'
            - '\cscapi.dll'
            - '\cscobj.dll'
            - '\cscui.dll'
            - '\d2d1.dll'
            - '\d3d10_1.dll'
            - '\d3d10_1core.dll'
            - '\d3d10.dll'
            - '\d3d10core.dll'
            - '\d3d10warp.dll'
            - '\d3d11.dll'
            - '\d3d12.dll'
            - '\d3d9.dll'
            - '\d3dx9_43.dll'
            - '\dataexchange.dll'
            - '\davclnt.dll'
            - '\dcntel.dll'
            - '\dcomp.dll'
            - '\defragproxy.dll'
            - '\desktopshellext.dll'
            - '\deviceassociation.dll'
            - '\devicecredential.dll'
            - '\devicepairing.dll'
            - '\devobj.dll'
            - '\devrtl.dll'
            - '\dhcpcmonitor.dll'
            - '\dhcpcsvc.dll'
            - '\dhcpcsvc6.dll'
            - '\directmanipulation.dll'
            - '\dismapi.dll'
            - '\dismcore.dll'
            - '\dmcfgutils.dll'
            - '\dmcmnutils.dll'
            - '\dmcommandlineutils.dll'
            - '\dmenrollengine.dll'
            - '\dmenterprisediagnostics.dll'
            - '\dmiso8601utils.dll'
            - '\dmoleaututils.dll'
            - '\dmprocessxmlfiltered.dll'
            - '\dmpushproxy.dll'
            - '\dmxmlhelputils.dll'
            - '\dnsapi.dll'
            - '\dot3api.dll'
            - '\dot3cfg.dll'
            - '\dpx.dll'
            - '\drprov.dll'
            - '\drvstore.dll'
            - '\dsclient.dll'
            - '\dsparse.dll'
            - '\dsprop.dll'
            - '\dsreg.dll'
            - '\dsrole.dll'
            - '\dui70.dll'
            - '\duser.dll'
            - '\dusmapi.dll'
            - '\dwmapi.dll'
            - '\dwmcore.dll'
            - '\dwrite.dll'
            - '\dxcore.dll'
            - '\dxgi.dll'
            - '\dxva2.dll'
            - '\dynamoapi.dll'
            - '\eappcfg.dll'
            - '\eappprxy.dll'
            - '\edgeiso.dll'
            - '\edputil.dll'
            - '\efsadu.dll'
            - '\efsutil.dll'
            - '\esent.dll'
            - '\execmodelproxy.dll'
            - '\explorerframe.dll'
            - '\fastprox.dll'
            - '\faultrep.dll'
            - '\fddevquery.dll'
            - '\feclient.dll'
            - '\fhcfg.dll'
            - '\fhsvcctl.dll'
            - '\firewallapi.dll'
            - '\flightsettings.dll'
            - '\fltlib.dll'
            - '\framedynos.dll'
            - '\fveapi.dll'
            - '\fveskybackup.dll'
            - '\fvewiz.dll'
            - '\fwbase.dll'
            - '\fwcfg.dll'
            - '\fwpolicyiomgr.dll'
            - '\fwpuclnt.dll'
            - '\fxsapi.dll'
            - '\fxsst.dll'
            - '\fxstiff.dll'
            - '\getuname.dll'
            - '\gpapi.dll'
            - '\hid.dll'
            - '\hnetmon.dll'
            - '\httpapi.dll'
            - '\icmp.dll'
            - '\idstore.dll'
            - '\ieadvpack.dll'
            - '\iedkcs32.dll'
            - '\iernonce.dll'
            - '\iertutil.dll'
            - '\ifmon.dll'
            - '\ifsutil.dll'
            - '\inproclogger.dll'
            - '\iphlpapi.dll'
            - '\iri.dll'
            - '\iscsidsc.dll'
            - '\iscsium.dll'
            - '\isv.exe_rsaenh.dll'
            - '\iumbase.dll'
            - '\iumsdk.dll'
            - '\joinutil.dll'
            - '\kdstub.dll'
            - '\ksuser.dll'
            - '\ktmw32.dll'
            - '\licensemanagerapi.dll'
            - '\licensingdiagspp.dll'
            - '\linkinfo.dll'
            - '\loadperf.dll'
            - '\lockhostingframework.dll'
            - '\logoncli.dll'
            - '\logoncontroller.dll'
            - '\lpksetupproxyserv.dll'
            - '\lrwizdll.dll'
            - '\magnification.dll'
            - '\maintenanceui.dll'
            - '\mapistub.dll'
            - '\mbaexmlparser.dll'
            - '\mdmdiagnostics.dll'
            - '\mfc42u.dll'
            - '\mfcore.dll'
            - '\mfplat.dll'
            - '\mi.dll'
            - '\midimap.dll'
            - '\mintdh.dll'
            - '\miutils.dll'
            - '\mlang.dll'
            - '\mmdevapi.dll'
            - '\mobilenetworking.dll'
            - '\mpr.dll'
            - '\mprapi.dll'
            - '\mrmcorer.dll'
            - '\msacm32.dll'
            - '\mscms.dll'
            - '\mscoree.dll'
            - '\msctf.dll'
            - '\msctfmonitor.dll'
            - '\msdrm.dll'
            - '\msdtctm.dll'
            - '\msftedit.dll'
            - '\msi.dll'
            - '\msiso.dll'
            - '\msutb.dll'
            - '\msvcp110_win.dll'
            - '\mswb7.dll'
            - '\mswsock.dll'
            - '\msxml3.dll'
            - '\mtxclu.dll'
            - '\napinsp.dll'
            - '\ncrypt.dll'
            - '\ndfapi.dll'
            - '\netapi32.dll'
            - '\netid.dll'
            - '\netiohlp.dll'
            - '\netjoin.dll'
            - '\netplwiz.dll'
            - '\netprofm.dll'
            - '\netprovfw.dll'
            - '\netsetupapi.dll'
            - '\netshell.dll'
            - '\nettrace.dll'
            - '\netutils.dll'
            - '\networkexplorer.dll'
            - '\newdev.dll'
            - '\ninput.dll'
            - '\nlaapi.dll'
            - '\nlansp_c.dll'
            - '\npmproxy.dll'
            - '\nshhttp.dll'
            - '\nshipsec.dll'
            - '\nshwfp.dll'
            - '\ntdsapi.dll'
            - '\ntlanman.dll'
            - '\ntlmshared.dll'
            - '\ntmarta.dll'
            - '\ntshrui.dll'
            - '\oleacc.dll'
            - '\omadmapi.dll'
            - '\onex.dll'
            - '\opcservices.dll'
            - '\osbaseln.dll'
            - '\osksupport.dll'
            - '\osuninst.dll'
            - '\p2p.dll'
            - '\p2pnetsh.dll'
            - '\p9np.dll'
            - '\pcaui.dll'
            - '\pdh.dll'
            - '\peerdistsh.dll'
            - '\pkeyhelper.dll'
            - '\pla.dll'
            - '\playsndsrv.dll'
            - '\pnrpnsp.dll'
            - '\policymanager.dll'
            - '\polstore.dll'
            - '\powrprof.dll'
            - '\printui.dll'
            - '\prntvpt.dll'
            - '\profapi.dll'
            - '\propsys.dll'
            - '\proximitycommon.dll'
            - '\proximityservicepal.dll'
            - '\prvdmofcomp.dll'
            - '\puiapi.dll'
            - '\radcui.dll'
            - '\rasapi32.dll'
            - '\rasdlg.dll'
            - '\rasgcw.dll'
            - '\rasman.dll'
            - '\rasmontr.dll'
            - '\reagent.dll'
            - '\regapi.dll'
            - '\reseteng.dll'
            - '\resetengine.dll'
            - '\resutils.dll'
            - '\rmclient.dll'
            - '\rpcnsh.dll'
            - '\rsaenh.dll'
            - '\rtutils.dll'
            - '\rtworkq.dll'
            - '\samcli.dll'
            - '\samlib.dll'
            - '\sapi_onecore.dll'
            - '\sas.dll'
            - '\scansetting.dll'
            - '\scecli.dll'
            - '\schedcli.dll'
            - '\secur32.dll'
            - '\security.dll'
            - '\sensapi.dll'
            - '\shell32.dll'
            - '\shfolder.dll'
            - '\slc.dll'
            - '\snmpapi.dll'
            - '\spectrumsyncclient.dll'
            - '\spp.dll'
            - '\sppc.dll'
            - '\sppcext.dll'
            - '\srclient.dll'
            - '\srcore.dll'
            - '\srmtrace.dll'
            - '\srpapi.dll'
            - '\srvcli.dll'
            - '\ssp_isv.exe_rsaenh.dll'
            - '\ssp.exe_rsaenh.dll'
            - '\sspicli.dll'
            - '\ssshim.dll'
            - '\staterepository.core.dll'
            - '\structuredquery.dll'
            - '\sxshared.dll'
            - '\systemsettingsthresholdadminflowui.dll'
            - '\tapi32.dll'
            - '\tbs.dll'
            - '\tdh.dll'
            - '\textshaping.dll'
            - '\timesync.dll'
            - '\tpmcoreprovisioning.dll'
            - '\tquery.dll'
            - '\tsworkspace.dll'
            - '\ttdrecord.dll'
            - '\twext.dll'
            - '\twinapi.dll'
            - '\twinui.appcore.dll'
            - '\uianimation.dll'
            - '\uiautomationcore.dll'
            - '\uireng.dll'
            - '\uiribbon.dll'
            - '\umpdc.dll'
            - '\unattend.dll'
            - '\updatepolicy.dll'
            - '\upshared.dll'
            - '\urlmon.dll'
            - '\userenv.dll'
            - '\utildll.dll'
            - '\uxinit.dll'
            - '\uxtheme.dll'
            - '\vaultcli.dll'
            - '\vdsutil.dll'
            - '\version.dll'
            - '\virtdisk.dll'
            - '\vssapi.dll'
            - '\vsstrace.dll'
            - '\wbemprox.dll'
            - '\wbemsvc.dll'
            - '\wcmapi.dll'
            - '\wcnnetsh.dll'
            - '\wdi.dll'
            - '\wdscore.dll'
            - '\webservices.dll'
            - '\wecapi.dll'
            - '\wer.dll'
            - '\wevtapi.dll'
            - '\whhelper.dll'
            - '\wimgapi.dll'
            - '\winbio.dll'
            - '\winbrand.dll'
            - '\windows.storage.dll'
            - '\windows.storage.search.dll'
            - '\windows.ui.immersive.dll'
            - '\windowscodecs.dll'
            - '\windowscodecsext.dll'
            - '\windowsudk.shellcommon.dll'
            - '\winhttp.dll'
            - '\wininet.dll'
            - '\winipsec.dll'
            - '\winmde.dll'
            - '\winmm.dll'
            - '\winnsi.dll'
            - '\winrnr.dll'
            - '\winscard.dll'
            - '\winsqlite3.dll'
            - '\winsta.dll'
            - '\winsync.dll'
            - '\wkscli.dll'
            - '\wlanapi.dll'
            - '\wlancfg.dll'
            - '\wldp.dll'
            - '\wlidprov.dll'
            - '\wmiclnt.dll'
            - '\wmidcom.dll'
            - '\wmiutils.dll'
            - '\wmpdui.dll'
            - '\wmsgapi.dll'
            - '\wofutil.dll'
            - '\wpdshext.dll'
            - '\wscapi.dll'
            - '\wsdapi.dll'
            - '\wshbth.dll'
            - '\wshelper.dll'
            - '\wsmsvc.dll'
            - '\wtsapi32.dll'
            - '\wwancfg.dll'
            - '\wwapi.dll'
            - '\xmllite.dll'
            - '\xolehlp.dll'
            - '\xpsservices.dll'
            - '\xwizards.dll'
            - '\xwtpw32.dll'
            # From https://github.com/XForceIR/SideLoadHunter/blob/main/SideLoads/README.md
            - '\amsi.dll'
            - '\appraiser.dll'
            - '\COMRES.DLL'
            - '\cryptnet.dll'
            - '\DispBroker.dll'
            - '\dsound.dll'
            - '\dxilconv.dll'
            - '\FxsCompose.dll'
            - '\FXSRESM.DLL'
            - '\msdtcVSp1res.dll'
            - '\PrintIsolationProxy.dll'
            - '\rdpendp.dll'
            - '\rpchttp.dll'
            - '\storageusage.dll'
            - '\utcutil.dll'
            - '\WfsR.dll'
            # The DLLs below exist in "C:\Windows\System32\DriverStore\FileRepository\", but a copy is also located in "C:\ProgramData\Package Cache\XXXXXXX\Graphics\". If you see them being loaded from there, comment them out rather than adding a filter for ProgramData, since attackers can write to that location too.
            - '\igd10iumd64.dll'
            - '\igd12umd64.dll'
            - '\igdumdim64.dll'
            - '\igdusc64.dll'
            # Other
            - '\TSMSISrv.dll'
            - '\TSVIPSrv.dll'
            - '\wbemcomn.dll'
            - '\WLBSCTRL.dll'
            - '\wow64log.dll'
            - '\WptsExtensions.dll'
    filter_main_generic:
        # Note: this filter is generic on purpose, to avoid a very large number of false positives from legitimate third-party applications. A better approach is to baseline your environment and add specific filters so that these locations do not become blind spots.
        ImageLoaded|contains:
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemTemp\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    filter_main_dot_net:
        ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\'
        ImageLoaded|endswith: '\cscui.dll'
    filter_main_defender:
        ImageLoaded|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        ImageLoaded|endswith: '\version.dll'
    filter_main_directx:
        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\Microsoft.DirectXRuntime_'
        ImageLoaded|endswith: '\d3dx9_43.dll'
    filter_optional_exchange:
        ImageLoaded|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
        ImageLoaded|endswith: '\mswb7.dll'
    filter_optional_arsenal_image_mounter:
        ImageLoaded|startswith: 'C:\Program Files\Arsenal-Image-Mounter-'
        ImageLoaded|endswith:
            - '\mi.dll'
            - '\miutils.dll'
    filter_optional_office_appvpolicy:
        Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
        ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
    filter_optional_azure:
        ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
    filter_optional_dell:
        Image|contains:
            - 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
            - 'C:\Windows\System32\backgroundTaskHost.exe'
        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
    filter_optional_dell_wldp:
        Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
        # The DLL name has to be matched on ImageLoaded: Image is the loading process and never ends in .dll, so an Image|endswith condition on a DLL name can never match.
        ImageLoaded|endswith: '\wldp.dll'
    filter_optional_checkpoint:
        Image|startswith:
            - 'C:\Program Files\CheckPoint\'
            - 'C:\Program Files (x86)\CheckPoint\'
        Image|endswith: '\SmartConsole.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files\CheckPoint\'
            - 'C:\Program Files (x86)\CheckPoint\'
        ImageLoaded|endswith: '\PolicyManager.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate applications loading their own versions of the DLLs mentioned in this rule
level: high
Related rules
- Creation Of Non-Existent System DLL
- DLL Sideloading Of ShellChromeAPI.DLL
- Microsoft Office DLL Sideload
- Potential 7za.DLL Sideloading
- Potential Antivirus Software DLL Sideloading