Potential System DLL Sideloading From Non System Locations

Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).

Sigma rule (View on GitHub)

```yaml
title: Potential System DLL Sideloading From Non System Locations
id: 4fc0deee-0057-4998-ab31-d24e46e0aba4
status: experimental
description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
references:
    - https://hijacklibs.net/ # For a list of DLLs that could be sideloaded (search there for the DLLs mentioned here). Wietze Beukema (project and research)
    - https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll
    - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
    - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
    - https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/14
modified: 2024/03/11
tags:
    - attack.defense_evasion
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1574.001
    - attack.t1574.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\shfolder.dll'
            - '\activeds.dll'
            - '\adsldpc.dll'
            - '\aepic.dll'
            - '\apphelp.dll'
            - '\applicationframe.dll'
            - '\appxalluserstore.dll'
            - '\appxdeploymentclient.dll'
            - '\archiveint.dll'
            - '\atl.dll'
            - '\audioses.dll'
            - '\auditpolcore.dll'
            - '\authfwcfg.dll'
            - '\authz.dll'
            - '\avrt.dll'
            - '\bcd.dll'
            - '\bcp47langs.dll'
            - '\bcp47mrm.dll'
            - '\bcrypt.dll'
            - '\cabinet.dll'
            - '\cabview.dll'
            - '\certenroll.dll'
            - '\cldapi.dll'
            - '\clipc.dll'
            - '\clusapi.dll'
            - '\cmpbk32.dll'
            - '\coloradapterclient.dll'
            - '\colorui.dll'
            - '\comdlg32.dll'
            - '\connect.dll'
            - '\coremessaging.dll'
            - '\credui.dll'
            - '\cryptbase.dll'
            - '\cryptdll.dll'
            - '\cryptui.dll'
            - '\cryptxml.dll'
            - '\cscapi.dll'
            - '\cscobj.dll'
            - '\cscui.dll'
            - '\d2d1.dll'
            - '\d3d10.dll'
            - '\d3d10_1.dll'
            - '\d3d10_1core.dll'
            - '\d3d10core.dll'
            - '\d3d10warp.dll'
            - '\d3d11.dll'
            - '\d3d12.dll'
            - '\d3d9.dll'
            - '\dataexchange.dll'
            - '\davclnt.dll'
            - '\dcomp.dll'
            - '\defragproxy.dll'
            - '\desktopshellext.dll'
            - '\deviceassociation.dll'
            - '\devicecredential.dll'
            - '\devicepairing.dll'
            - '\devobj.dll'
            - '\devrtl.dll'
            - '\dhcpcmonitor.dll'
            - '\dhcpcsvc.dll'
            - '\dhcpcsvc6.dll'
            - '\directmanipulation.dll'
            - '\dismapi.dll'
            - '\dismcore.dll'
            - '\dmcfgutils.dll'
            - '\dmcmnutils.dll'
            - '\dmenrollengine.dll'
            - '\dmenterprisediagnostics.dll'
            - '\dmiso8601utils.dll'
            - '\dmoleaututils.dll'
            - '\dmprocessxmlfiltered.dll'
            - '\dmpushproxy.dll'
            - '\dmxmlhelputils.dll'
            - '\dnsapi.dll'
            - '\dot3api.dll'
            - '\dot3cfg.dll'
            - '\drprov.dll'
            - '\dsclient.dll'
            - '\dsparse.dll'
            - '\dsreg.dll'
            - '\dsrole.dll'
            - '\dui70.dll'
            - '\duser.dll'
            - '\dusmapi.dll'
            - '\dwmapi.dll'
            - '\dwrite.dll'
            - '\dxgi.dll'
            - '\dxva2.dll'
            - '\eappcfg.dll'
            - '\eappprxy.dll'
            - '\edputil.dll'
            - '\efsadu.dll'
            - '\efsutil.dll'
            - '\esent.dll'
            - '\execmodelproxy.dll'
            - '\explorerframe.dll'
            - '\fastprox.dll'
            - '\faultrep.dll'
            - '\fddevquery.dll'
            - '\feclient.dll'
            - '\fhcfg.dll'
            - '\firewallapi.dll'
            - '\flightsettings.dll'
            - '\fltlib.dll'
            - '\fveapi.dll'
            - '\fwbase.dll'
            - '\fwcfg.dll'
            - '\fwpolicyiomgr.dll'
            - '\fwpuclnt.dll'
            - '\getuname.dll'
            - '\hid.dll'
            - '\hnetmon.dll'
            - '\httpapi.dll'
            - '\idstore.dll'
            - '\ieadvpack.dll'
            - '\iedkcs32.dll'
            - '\iernonce.dll'
            - '\iertutil.dll'
            - '\ifmon.dll'
            - '\iphlpapi.dll'
            - '\iri.dll'
            - '\iscsidsc.dll'
            - '\iscsium.dll'
            - '\isv.exe_rsaenh.dll'
            - '\joinutil.dll'
            - '\ksuser.dll'
            - '\ktmw32.dll'
            - '\licensemanagerapi.dll'
            - '\licensingdiagspp.dll'
            - '\linkinfo.dll'
            - '\loadperf.dll'
            - '\logoncli.dll'
            - '\logoncontroller.dll'
            - '\lpksetupproxyserv.dll'
            - '\magnification.dll'
            - '\mapistub.dll'
            - '\mfcore.dll'
            - '\mfplat.dll'
            - '\mi.dll'
            - '\midimap.dll'
            - '\miutils.dll'
            - '\mlang.dll'
            - '\mmdevapi.dll'
            - '\mobilenetworking.dll'
            - '\mpr.dll'
            - '\mprapi.dll'
            - '\mrmcorer.dll'
            - '\msacm32.dll'
            - '\mscms.dll'
            - '\mscoree.dll'
            - '\msctf.dll'
            - '\msctfmonitor.dll'
            - '\msdrm.dll'
            - '\msftedit.dll'
            - '\msi.dll'
            - '\msutb.dll'
            - '\mswb7.dll'
            - '\mswsock.dll'
            - '\msxml3.dll'
            - '\mtxclu.dll'
            - '\napinsp.dll'
            - '\ncrypt.dll'
            - '\ndfapi.dll'
            - '\netid.dll'
            - '\netiohlp.dll'
            - '\netplwiz.dll'
            - '\netprofm.dll'
            - '\netsetupapi.dll'
            - '\netshell.dll'
            - '\netutils.dll'
            - '\networkexplorer.dll'
            - '\newdev.dll'
            - '\ninput.dll'
            - '\nlaapi.dll'
            - '\nlansp_c.dll'
            - '\npmproxy.dll'
            - '\nshhttp.dll'
            - '\nshipsec.dll'
            - '\nshwfp.dll'
            - '\ntdsapi.dll'
            - '\ntlanman.dll'
            - '\ntlmshared.dll'
            - '\ntmarta.dll'
            - '\ntshrui.dll'
            - '\oleacc.dll'
            - '\omadmapi.dll'
            - '\onex.dll'
            - '\osbaseln.dll'
            - '\osuninst.dll'
            - '\p2p.dll'
            - '\p2pnetsh.dll'
            - '\p9np.dll'
            - '\pcaui.dll'
            - '\pdh.dll'
            - '\peerdistsh.dll'
            - '\pla.dll'
            - '\pnrpnsp.dll'
            - '\policymanager.dll'
            - '\polstore.dll'
            - '\printui.dll'
            - '\propsys.dll'
            - '\prvdmofcomp.dll'
            - '\puiapi.dll'
            - '\radcui.dll'
            - '\rasapi32.dll'
            - '\rasgcw.dll'
            - '\rasman.dll'
            - '\rasmontr.dll'
            - '\reagent.dll'
            - '\regapi.dll'
            - '\resutils.dll'
            - '\rmclient.dll'
            - '\rpcnsh.dll'
            - '\rsaenh.dll'
            - '\rtutils.dll'
            - '\rtworkq.dll'
            - '\samcli.dll'
            - '\samlib.dll'
            - '\sapi_onecore.dll'
            - '\sas.dll'
            - '\scansetting.dll'
            - '\scecli.dll'
            - '\schedcli.dll'
            - '\secur32.dll'
            - '\shell32.dll'
            - '\slc.dll'
            - '\snmpapi.dll'
            - '\spp.dll'
            - '\sppc.dll'
            - '\srclient.dll'
            - '\srpapi.dll'
            - '\srvcli.dll'
            - '\ssp.exe_rsaenh.dll'
            - '\ssp_isv.exe_rsaenh.dll'
            - '\sspicli.dll'
            - '\ssshim.dll'
            - '\staterepository.core.dll'
            - '\structuredquery.dll'
            - '\sxshared.dll'
            - '\tapi32.dll'
            - '\tbs.dll'
            - '\tdh.dll'
            - '\tquery.dll'
            - '\tsworkspace.dll'
            - '\ttdrecord.dll'
            - '\twext.dll'
            - '\twinapi.dll'
            - '\twinui.appcore.dll'
            - '\uianimation.dll'
            - '\uiautomationcore.dll'
            - '\uireng.dll'
            - '\uiribbon.dll'
            - '\updatepolicy.dll'
            - '\userenv.dll'
            - '\utildll.dll'
            - '\uxinit.dll'
            - '\uxtheme.dll'
            - '\vaultcli.dll'
            - '\virtdisk.dll'
            - '\vssapi.dll'
            - '\vsstrace.dll'
            - '\wbemprox.dll'
            - '\wbemsvc.dll'
            - '\wcmapi.dll'
            - '\wcnnetsh.dll'
            - '\wdi.dll'
            - '\wdscore.dll'
            - '\webservices.dll'
            - '\wecapi.dll'
            - '\wer.dll'
            - '\wevtapi.dll'
            - '\whhelper.dll'
            - '\wimgapi.dll'
            - '\winbrand.dll'
            - '\windows.storage.dll'
            - '\windows.storage.search.dll'
            - '\windowscodecs.dll'
            - '\windowscodecsext.dll'
            - '\windowsudk.shellcommon.dll'
            - '\winhttp.dll'
            - '\wininet.dll'
            - '\winipsec.dll'
            - '\winmde.dll'
            - '\winmm.dll'
            - '\winnsi.dll'
            - '\winrnr.dll'
            - '\winsqlite3.dll'
            - '\winsta.dll'
            - '\wkscli.dll'
            - '\wlanapi.dll'
            - '\wlancfg.dll'
            - '\wldp.dll'
            - '\wlidprov.dll'
            - '\wmiclnt.dll'
            - '\wmidcom.dll'
            - '\wmiutils.dll'
            - '\wmsgapi.dll'
            - '\wofutil.dll'
            - '\wpdshext.dll'
            - '\wshbth.dll'
            - '\wshelper.dll'
            - '\wtsapi32.dll'
            - '\wwapi.dll'
            - '\xmllite.dll'
            - '\xolehlp.dll'
            - '\xwizards.dll'
            - '\xwtpw32.dll'
            - '\aclui.dll'
            - '\bderepair.dll'
            - '\bootmenuux.dll'
            - '\dcntel.dll'
            - '\dwmcore.dll'
            - '\dynamoapi.dll'
            - '\fhsvcctl.dll'
            - '\fxsst.dll'
            - '\inproclogger.dll'
            - '\iumbase.dll'
            - '\kdstub.dll'
            - '\maintenanceui.dll'
            - '\mdmdiagnostics.dll'
            - '\mintdh.dll'
            - '\msdtctm.dll'
            - '\nettrace.dll'
            - '\osksupport.dll'
            - '\reseteng.dll'
            - '\resetengine.dll'
            - '\spectrumsyncclient.dll'
            - '\srcore.dll'
            - '\systemsettingsthresholdadminflowui.dll'
            - '\timesync.dll'
            - '\upshared.dll'
            - '\wmpdui.dll'
            - '\wwancfg.dll'
            - '\dpx.dll'
            - '\fxsapi.dll'
            - '\fxstiff.dll'
            - '\xpsservices.dll'
            - '\appvpolicy.dll'
            - '\batmeter.dll'
            - '\bootux.dll'
            - '\cmutil.dll'
            - '\configmanager2.dll'
            - '\coredplus.dll'
            - '\coreuicomponents.dll'
            - '\cryptsp.dll'
            - '\dmcommandlineutils.dll'
            - '\drvstore.dll'
            - '\dsprop.dll'
            - '\dxcore.dll'
            - '\edgeiso.dll'
            - '\framedynos.dll'
            - '\fveskybackup.dll'
            - '\fvewiz.dll'
            - '\gpapi.dll'
            - '\icmp.dll'
            - '\ifsutil.dll'
            - '\iumsdk.dll'
            - '\lockhostingframework.dll'
            - '\lrwizdll.dll'
            - '\mbaexmlparser.dll'
            - '\mfc42u.dll'
            - '\msiso.dll'
            - '\msvcp110_win.dll'
            - '\netapi32.dll'
            - '\netjoin.dll'
            - '\netprovfw.dll'
            - '\opcservices.dll'
            - '\pkeyhelper.dll'
            - '\playsndsrv.dll'
            - '\powrprof.dll'
            - '\prntvpt.dll'
            - '\profapi.dll'
            - '\proximitycommon.dll'
            - '\proximityservicepal.dll'
            - '\rasdlg.dll'
            - '\security.dll'
            - '\sppcext.dll'
            - '\srmtrace.dll'
            - '\tpmcoreprovisioning.dll'
            - '\umpdc.dll'
            - '\unattend.dll'
            - '\urlmon.dll'
            - '\vdsutil.dll'
            - '\version.dll'
            - '\winbio.dll'
            - '\windows.ui.immersive.dll'
            - '\winscard.dll'
            - '\winsync.dll'
            - '\wscapi.dll'
            - '\wsmsvc.dll'
            # From https://github.com/XForceIR/SideLoadHunter/blob/main/SideLoads/README.md
            - '\FxsCompose.dll'
            - '\WfsR.dll'
            - '\rpchttp.dll'
            - '\storageusage.dll'
            - '\amsi.dll'
            - '\PrintIsolationProxy.dll'
            - '\msdtcVSp1res.dll'
            - '\rdpendp.dll'
            - '\dxilconv.dll'
            - '\utcutil.dll'
            - '\appraiser.dll'
            - '\dsound.dll'
            - '\DispBroker.dll'
            - '\FXSRESM.DLL'
            - '\cryptnet.dll'
            - '\COMRES.DLL'
            # The DLLs below exist in the "C:\Windows\System32\DriverStore\FileRepository\" folder, but a copy is also located in "C:\ProgramData\Package Cache\XXXXXXX\Graphics\". If you see them being loaded from there, comment them out; don't add a filter for ProgramData :)
            - '\igdumdim64.dll'
            - '\igd10iumd64.dll'
            - '\igd12umd64.dll'
            - '\igdusc64.dll'
            # Other
            - '\WLBSCTRL.dll'
            - '\TSMSISrv.dll'
            - '\TSVIPSrv.dll'
            - '\wow64log.dll'
            - '\WptsExtensions.dll'
            - '\wbemcomn.dll'
    filter_main_generic:
        # Note: this filter is generic on purpose, to avoid an insane amount of FPs from legitimate third-party applications. A better approach would be to baseline everything and add specific filters to avoid blind spots.
        ImageLoaded|contains:
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemTemp\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    filter_main_dot_net:
        ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\'
        ImageLoaded|endswith: '\cscui.dll'
    filter_main_defender:
        ImageLoaded|contains: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        ImageLoaded|endswith: '\version.dll'
    filter_optional_exchange:
        ImageLoaded|contains: 'C:\Program Files\Microsoft\Exchange Server\'
        ImageLoaded|endswith: '\mswb7.dll'
    filter_optional_arsenal_image_mounter:
        ImageLoaded|contains: 'C:\Program Files\Arsenal-Image-Mounter-'
        ImageLoaded|endswith:
            - '\mi.dll'
            - '\miutils.dll' # the suffix must be the full '.dll' for the endswith filter to ever apply
    filter_optional_office_appvpolicy:
        Image|endswith: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
        ImageLoaded|endswith: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
    filter_optional_azure:
        ImageLoaded|contains: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
    filter_optional_dell:
        Image|contains:
            - 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
            - 'C:\Windows\System32\backgroundTaskHost.exe'
        ImageLoaded|contains: ':\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
    filter_optional_dell_wldp:
        Image|contains: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
        ImageLoaded|endswith: '\wldp.dll' # the loaded DLL is in ImageLoaded; Image is the loading process and never ends in '.dll'
    filter_optional_checkpoint:
        Image|contains:
            - 'C:\Program Files\CheckPoint\'
            - 'C:\Program Files (x86)\CheckPoint\'
        Image|endswith: '\SmartConsole.exe'
        ImageLoaded|contains:
            - 'C:\Program Files\CheckPoint\'
            - 'C:\Program Files (x86)\CheckPoint\'
        ImageLoaded|endswith: '\PolicyManager.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate applications loading their own versions of the DLLs mentioned in this rule
level: high
```
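To make the rule's logic concrete, here is an added example that is not part of the SigmaHQ rule or this page: a small Python evaluator that applies the rule's matching semantics (case-insensitive `endswith`/`startswith`/`contains`, a list of values under one key as OR, several keys in one selection as AND, and the `selection and not 1 of filter_main_* and not 1 of filter_optional_*` condition) to constructed Sysmon Event ID 7 records. The DLL list and the filters are short excerpts of the rule, and every event, path and folder name in `EVENTS` is made up. The `baseline` function goes slightly beyond the rule: it aggregates the alerting (process, DLL directory) pairs, which is the review step the rule's own comment on `filter_main_generic` recommends before adding a specific filter.

```python
"""Evaluator for the sideloading rule's detection logic (added example, not the rule's code)."""
from collections import Counter
from typing import Dict, List, Union

Selection = Dict[str, Union[str, List[str]]]
Event = Dict[str, str]

# Excerpt of the rule's ImageLoaded|endswith list (the full rule has several hundred names).
SELECTION: Selection = {
    "ImageLoaded|endswith": [
        "\\version.dll", "\\iphlpapi.dll", "\\windowscodecs.dll",
        "\\cscui.dll", "\\wldp.dll", "\\dxgi.dll",
    ],
}

# Excerpt of the rule's filters. A filter is itself a selection: all its keys must match.
FILTERS: Dict[str, Selection] = {
    "filter_main_generic": {
        "ImageLoaded|contains": [
            "C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\", "C:\\Windows\\WinSxS\\",
        ],
    },
    "filter_main_dot_net": {
        "ImageLoaded|startswith": "C:\\Windows\\Microsoft.NET\\",
        "ImageLoaded|endswith": "\\cscui.dll",
    },
    "filter_main_defender": {
        "ImageLoaded|contains": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\",
        "ImageLoaded|endswith": "\\version.dll",
    },
}


def _match_value(modifier: str, field_value: str, pattern: str) -> bool:
    """One Sigma string comparison; Sigma string matching is case-insensitive."""
    fv, pat = field_value.lower(), pattern.lower()
    if modifier == "endswith":
        return fv.endswith(pat)
    if modifier == "startswith":
        return fv.startswith(pat)
    if modifier == "contains":
        return pat in fv
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection: Selection, event: Event) -> bool:
    """Every key must match (AND); a list of values under one key is an OR."""
    for key, values in selection.items():
        field, modifier = key.split("|", 1)
        if field not in event:
            return False
        candidates = values if isinstance(values, list) else [values]
        if not any(_match_value(modifier, event[field], v) for v in candidates):
            return False
    return True


def rule_matches(event: Event) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not selection_matches(SELECTION, event):
        return False
    # "1 of filter_*" is true as soon as any filter applies, so any applying filter suppresses.
    return not any(selection_matches(f, event) for f in FILTERS.values())


def alerting_indices(events: List[Event]) -> List[int]:
    """Indices of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


def baseline(events: List[Event]) -> Counter:
    """Count (loading process, directory of the loaded DLL) pairs among the alerts.
    Reviewing these pairs is how one decides which specific filter, if any, to add."""
    pairs: Counter = Counter()
    for ev in events:
        if rule_matches(ev):
            directory = ev["ImageLoaded"].rsplit("\\", 1)[0].lower()
            pairs[(ev["Image"].lower(), directory)] += 1
    return pairs


# Constructed Sysmon image_load events (Image = loading process, ImageLoaded = DLL).
EVENTS: List[Event] = [
    # 0: dxgi.dll loaded from System32 -> suppressed by filter_main_generic
    {"Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\dxgi.dll"},
    # 1: version.dll sitting next to a downloaded executable -> alert
    {"Image": "C:\\Users\\alice\\Downloads\\setup.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\version.dll"},
    # 2: Defender platform folder (made-up version folder) ships its own version.dll -> filter_main_defender
    {"Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0-0\\MsMpEng.exe",
     "ImageLoaded": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0-0\\version.dll"},
    # 3: a DLL that is not in the list -> no selection match, even from a temp folder
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll"},
    # 4: mixed-case path -> still matches, because the comparisons ignore case
    {"Image": "C:\\TEMP\\TOOL.EXE",
     "ImageLoaded": "C:\\TEMP\\IPHLPAPI.DLL"},
    # 5: cscui.dll under Microsoft.NET -> filter_main_dot_net (both of its keys match)
    {"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ngen.exe",
     "ImageLoaded": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\cscui.dll"},
]

if __name__ == "__main__":
    for i in alerting_indices(EVENTS):
        print(f"ALERT event {i}: {EVENTS[i]['Image']} loaded {EVENTS[i]['ImageLoaded']}")
    for (image, directory), n in baseline(EVENTS).items():
        print(f"baseline candidate: {image} <- {directory} ({n})")
```

Run as a script it reports events 1 and 4 as alerts and lists the two (process, directory) pairs behind them. Note how a filter only applies when all of its keys match: event 2 is suppressed because both the Defender platform path and the `\version.dll` suffix match, whereas event 1 carries the same DLL name outside that path and is kept.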
