Potential System DLL Sideloading From Non System Locations
Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.)
Sigma rule (View on GitHub)
1title: Potential System DLL Sideloading From Non System Locations
2id: 4fc0deee-0057-4998-ab31-d24e46e0aba4
3status: experimental
4description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.)
5references:
6 - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there). Wietze Beukema (project and research)
7 - https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll
8 - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
9 - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022/08/14
12modified: 2023/10/24
13tags:
14 - attack.defense_evasion
15 - attack.persistence
16 - attack.privilege_escalation
17 - attack.t1574.001
18 - attack.t1574.002
19logsource:
20 category: image_load
21 product: windows
22detection:
23 selection:
24 ImageLoaded|endswith:
25 - '\shfolder.dll'
26 - '\activeds.dll'
27 - '\adsldpc.dll'
28 - '\aepic.dll'
29 - '\apphelp.dll'
30 - '\applicationframe.dll'
31 - '\appxalluserstore.dll'
32 - '\appxdeploymentclient.dll'
33 - '\archiveint.dll'
34 - '\atl.dll'
35 - '\audioses.dll'
36 - '\auditpolcore.dll'
37 - '\authfwcfg.dll'
38 - '\authz.dll'
39 - '\avrt.dll'
40 - '\bcd.dll'
41 - '\bcp47langs.dll'
42 - '\bcp47mrm.dll'
43 - '\bcrypt.dll'
44 - '\cabinet.dll'
45 - '\cabview.dll'
46 - '\certenroll.dll'
47 - '\cldapi.dll'
48 - '\clipc.dll'
49 - '\clusapi.dll'
50 - '\cmpbk32.dll'
51 - '\coloradapterclient.dll'
52 - '\colorui.dll'
53 - '\comdlg32.dll'
54 - '\connect.dll'
55 - '\coremessaging.dll'
56 - '\credui.dll'
57 - '\cryptbase.dll'
58 - '\cryptdll.dll'
59 - '\cryptui.dll'
60 - '\cryptxml.dll'
61 - '\cscapi.dll'
62 - '\cscobj.dll'
63 - '\cscui.dll'
64 - '\d2d1.dll'
65 - '\d3d10.dll'
66 - '\d3d10_1.dll'
67 - '\d3d10_1core.dll'
68 - '\d3d10core.dll'
69 - '\d3d10warp.dll'
70 - '\d3d11.dll'
71 - '\d3d12.dll'
72 - '\d3d9.dll'
73 - '\dataexchange.dll'
74 - '\davclnt.dll'
75 - '\dcomp.dll'
76 - '\defragproxy.dll'
77 - '\desktopshellext.dll'
78 - '\deviceassociation.dll'
79 - '\devicecredential.dll'
80 - '\devicepairing.dll'
81 - '\devobj.dll'
82 - '\devrtl.dll'
83 - '\dhcpcmonitor.dll'
84 - '\dhcpcsvc.dll'
85 - '\dhcpcsvc6.dll'
86 - '\directmanipulation.dll'
87 - '\dismapi.dll'
88 - '\dismcore.dll'
89 - '\dmcfgutils.dll'
90 - '\dmcmnutils.dll'
91 - '\dmenrollengine.dll'
92 - '\dmenterprisediagnostics.dll'
93 - '\dmiso8601utils.dll'
94 - '\dmoleaututils.dll'
95 - '\dmprocessxmlfiltered.dll'
96 - '\dmpushproxy.dll'
97 - '\dmxmlhelputils.dll'
98 - '\dnsapi.dll'
99 - '\dot3api.dll'
100 - '\dot3cfg.dll'
101 - '\drprov.dll'
102 - '\dsclient.dll'
103 - '\dsparse.dll'
104 - '\dsreg.dll'
105 - '\dsrole.dll'
106 - '\dui70.dll'
107 - '\duser.dll'
108 - '\dusmapi.dll'
109 - '\dwmapi.dll'
110 - '\dwrite.dll'
111 - '\dxgi.dll'
112 - '\dxva2.dll'
113 - '\eappcfg.dll'
114 - '\eappprxy.dll'
115 - '\edputil.dll'
116 - '\efsadu.dll'
117 - '\efsutil.dll'
118 - '\esent.dll'
119 - '\execmodelproxy.dll'
120 - '\explorerframe.dll'
121 - '\fastprox.dll'
122 - '\faultrep.dll'
123 - '\fddevquery.dll'
124 - '\feclient.dll'
125 - '\fhcfg.dll'
126 - '\firewallapi.dll'
127 - '\flightsettings.dll'
128 - '\fltlib.dll'
129 - '\fveapi.dll'
130 - '\fwbase.dll'
131 - '\fwcfg.dll'
132 - '\fwpolicyiomgr.dll'
133 - '\fwpuclnt.dll'
134 - '\getuname.dll'
135 - '\hid.dll'
136 - '\hnetmon.dll'
137 - '\httpapi.dll'
138 - '\idstore.dll'
139 - '\ieadvpack.dll'
140 - '\iedkcs32.dll'
141 - '\iertutil.dll'
142 - '\ifmon.dll'
143 - '\iphlpapi.dll'
144 - '\iri.dll'
145 - '\iscsidsc.dll'
146 - '\iscsium.dll'
147 - '\isv.exe_rsaenh.dll'
148 - '\joinutil.dll'
149 - '\ksuser.dll'
150 - '\ktmw32.dll'
151 - '\licensemanagerapi.dll'
152 - '\licensingdiagspp.dll'
153 - '\linkinfo.dll'
154 - '\loadperf.dll'
155 - '\logoncli.dll'
156 - '\logoncontroller.dll'
157 - '\lpksetupproxyserv.dll'
158 - '\magnification.dll'
159 - '\mapistub.dll'
160 - '\mfcore.dll'
161 - '\mfplat.dll'
162 - '\mi.dll'
163 - '\midimap.dll'
164 - '\miutils.dll'
165 - '\mlang.dll'
166 - '\mmdevapi.dll'
167 - '\mobilenetworking.dll'
168 - '\mpr.dll'
169 - '\mprapi.dll'
170 - '\mrmcorer.dll'
171 - '\msacm32.dll'
172 - '\mscms.dll'
173 - '\mscoree.dll'
174 - '\msctf.dll'
175 - '\msctfmonitor.dll'
176 - '\msdrm.dll'
177 - '\msftedit.dll'
178 - '\msi.dll'
179 - '\msutb.dll'
180 - '\mswb7.dll'
181 - '\mswsock.dll'
182 - '\msxml3.dll'
183 - '\mtxclu.dll'
184 - '\napinsp.dll'
185 - '\ncrypt.dll'
186 - '\ndfapi.dll'
187 - '\netid.dll'
188 - '\netiohlp.dll'
189 - '\netplwiz.dll'
190 - '\netprofm.dll'
191 - '\netsetupapi.dll'
192 - '\netshell.dll'
193 - '\netutils.dll'
194 - '\networkexplorer.dll'
195 - '\newdev.dll'
196 - '\ninput.dll'
197 - '\nlaapi.dll'
198 - '\nlansp_c.dll'
199 - '\npmproxy.dll'
200 - '\nshhttp.dll'
201 - '\nshipsec.dll'
202 - '\nshwfp.dll'
203 - '\ntdsapi.dll'
204 - '\ntlanman.dll'
205 - '\ntlmshared.dll'
206 - '\ntmarta.dll'
207 - '\ntshrui.dll'
208 - '\oleacc.dll'
209 - '\omadmapi.dll'
210 - '\onex.dll'
211 - '\osbaseln.dll'
212 - '\osuninst.dll'
213 - '\p2p.dll'
214 - '\p2pnetsh.dll'
215 - '\p9np.dll'
216 - '\pcaui.dll'
217 - '\pdh.dll'
218 - '\peerdistsh.dll'
219 - '\pla.dll'
220 - '\pnrpnsp.dll'
221 - '\policymanager.dll'
222 - '\polstore.dll'
223 - '\printui.dll'
224 - '\propsys.dll'
225 - '\prvdmofcomp.dll'
226 - '\puiapi.dll'
227 - '\radcui.dll'
228 - '\rasapi32.dll'
229 - '\rasgcw.dll'
230 - '\rasman.dll'
231 - '\rasmontr.dll'
232 - '\reagent.dll'
233 - '\regapi.dll'
234 - '\resutils.dll'
235 - '\rmclient.dll'
236 - '\rpcnsh.dll'
237 - '\rsaenh.dll'
238 - '\rtutils.dll'
239 - '\rtworkq.dll'
240 - '\samcli.dll'
241 - '\samlib.dll'
242 - '\sapi_onecore.dll'
243 - '\sas.dll'
244 - '\scansetting.dll'
245 - '\scecli.dll'
246 - '\schedcli.dll'
247 - '\secur32.dll'
248 - '\shell32.dll'
249 - '\slc.dll'
250 - '\snmpapi.dll'
251 - '\spp.dll'
252 - '\sppc.dll'
253 - '\srclient.dll'
254 - '\srpapi.dll'
255 - '\srvcli.dll'
256 - '\ssp.exe_rsaenh.dll'
257 - '\ssp_isv.exe_rsaenh.dll'
258 - '\sspicli.dll'
259 - '\ssshim.dll'
260 - '\staterepository.core.dll'
261 - '\structuredquery.dll'
262 - '\sxshared.dll'
263 - '\tapi32.dll'
264 - '\tbs.dll'
265 - '\tdh.dll'
266 - '\tquery.dll'
267 - '\tsworkspace.dll'
268 - '\ttdrecord.dll'
269 - '\twext.dll'
270 - '\twinapi.dll'
271 - '\twinui.appcore.dll'
272 - '\uianimation.dll'
273 - '\uiautomationcore.dll'
274 - '\uireng.dll'
275 - '\uiribbon.dll'
276 - '\updatepolicy.dll'
277 - '\userenv.dll'
278 - '\utildll.dll'
279 - '\uxinit.dll'
280 - '\uxtheme.dll'
281 - '\vaultcli.dll'
282 - '\virtdisk.dll'
283 - '\vssapi.dll'
284 - '\vsstrace.dll'
285 - '\wbemprox.dll'
286 - '\wbemsvc.dll'
287 - '\wcmapi.dll'
288 - '\wcnnetsh.dll'
289 - '\wdi.dll'
290 - '\wdscore.dll'
291 - '\webservices.dll'
292 - '\wecapi.dll'
293 - '\wer.dll'
294 - '\wevtapi.dll'
295 - '\whhelper.dll'
296 - '\wimgapi.dll'
297 - '\winbrand.dll'
298 - '\windows.storage.dll'
299 - '\windows.storage.search.dll'
300 - '\windowscodecs.dll'
301 - '\windowscodecsext.dll'
302 - '\windowsudk.shellcommon.dll'
303 - '\winhttp.dll'
304 - '\wininet.dll'
305 - '\winipsec.dll'
306 - '\winmde.dll'
307 - '\winmm.dll'
308 - '\winnsi.dll'
309 - '\winrnr.dll'
310 - '\winsqlite3.dll'
311 - '\winsta.dll'
312 - '\wkscli.dll'
313 - '\wlanapi.dll'
314 - '\wlancfg.dll'
315 - '\wldp.dll'
316 - '\wlidprov.dll'
317 - '\wmiclnt.dll'
318 - '\wmidcom.dll'
319 - '\wmiutils.dll'
320 - '\wmsgapi.dll'
321 - '\wofutil.dll'
322 - '\wpdshext.dll'
323 - '\wshbth.dll'
324 - '\wshelper.dll'
325 - '\wtsapi32.dll'
326 - '\wwapi.dll'
327 - '\xmllite.dll'
328 - '\xolehlp.dll'
329 - '\xwizards.dll'
330 - '\xwtpw32.dll'
331 - '\aclui.dll'
332 - '\bderepair.dll'
333 - '\bootmenuux.dll'
334 - '\dcntel.dll'
335 - '\dwmcore.dll'
336 - '\dynamoapi.dll'
337 - '\fhsvcctl.dll'
338 - '\fxsst.dll'
339 - '\inproclogger.dll'
340 - '\iumbase.dll'
341 - '\kdstub.dll'
342 - '\maintenanceui.dll'
343 - '\mdmdiagnostics.dll'
344 - '\mintdh.dll'
345 - '\msdtctm.dll'
346 - '\nettrace.dll'
347 - '\osksupport.dll'
348 - '\reseteng.dll'
349 - '\resetengine.dll'
350 - '\spectrumsyncclient.dll'
351 - '\srcore.dll'
352 - '\systemsettingsthresholdadminflowui.dll'
353 - '\timesync.dll'
354 - '\upshared.dll'
355 - '\wmpdui.dll'
356 - '\wwancfg.dll'
357 - '\dpx.dll'
358 - '\fxsapi.dll'
359 - '\fxstiff.dll'
360 - '\xpsservices.dll'
361 - '\appvpolicy.dll'
362 - '\batmeter.dll'
363 - '\bootux.dll'
364 - '\cmutil.dll'
365 - '\configmanager2.dll'
366 - '\coredplus.dll'
367 - '\coreuicomponents.dll'
368 - '\cryptsp.dll'
369 - '\dmcommandlineutils.dll'
370 - '\drvstore.dll'
371 - '\dsprop.dll'
372 - '\dxcore.dll'
373 - '\edgeiso.dll'
374 - '\framedynos.dll'
375 - '\fveskybackup.dll'
376 - '\fvewiz.dll'
377 - '\gpapi.dll'
378 - '\icmp.dll'
379 - '\ifsutil.dll'
380 - '\iumsdk.dll'
381 - '\lockhostingframework.dll'
382 - '\lrwizdll.dll'
383 - '\mbaexmlparser.dll'
384 - '\mfc42u.dll'
385 - '\msiso.dll'
386 - '\msvcp110_win.dll'
387 - '\netapi32.dll'
388 - '\netjoin.dll'
389 - '\netprovfw.dll'
390 - '\opcservices.dll'
391 - '\pkeyhelper.dll'
392 - '\playsndsrv.dll'
393 - '\powrprof.dll'
394 - '\prntvpt.dll'
395 - '\profapi.dll'
396 - '\proximitycommon.dll'
397 - '\proximityservicepal.dll'
398 - '\rasdlg.dll'
399 - '\security.dll'
400 - '\sppcext.dll'
401 - '\srmtrace.dll'
402 - '\tpmcoreprovisioning.dll'
403 - '\umpdc.dll'
404 - '\unattend.dll'
405 - '\urlmon.dll'
406 - '\vdsutil.dll'
407 - '\version.dll'
408 - '\winbio.dll'
409 - '\windows.ui.immersive.dll'
410 - '\winscard.dll'
411 - '\winsync.dll'
412 - '\wscapi.dll'
413 - '\wsmsvc.dll'
414 # From https://github.com/XForceIR/SideLoadHunter/blob/main/SideLoads/README.md
415 - '\FxsCompose.dll'
416 - '\WfsR.dll'
417 - '\rpchttp.dll'
418 - '\storageusage.dll'
419 - '\amsi.dll'
420 - '\PrintIsolationProxy.dll'
421 - '\msdtcVSp1res.dll'
422 - '\rdpendp.dll'
423 - '\dxilconv.dll'
424 - '\utcutil.dll'
425 - '\appraiser.dll'
426 - '\dsound.dll'
427 - '\DispBroker.dll'
428 - '\FXSRESM.DLL'
429 - '\cryptnet.dll'
430 - '\COMRES.DLL'
431 # The DLLs below exists in "C:\Windows\System32\DriverStore\FileRepository\" folder. But there is also a copy located in "C:\ProgramData\Package Cache\XXXXXXX\Graphics\". If you see them being loaded from there. Please comment them out, don't add a filter for ProgramData :)
432 - '\igdumdim64.dll'
433 - '\igd10iumd64.dll'
434 - '\igd12umd64.dll'
435 - '\igdusc64.dll'
436 # Other
437 - '\WLBSCTRL.dll'
438 - '\TSMSISrv.dll'
439 - '\TSVIPSrv.dll'
440 - '\wow64log.dll'
441 - '\WptsExtensions.dll'
442 - '\wbemcomn.dll'
443 filter_main_generic:
444 # Note: this filter is generic on purpose to avoid insane amount of FP from legitimate third party applications. A better approach would be to baseline everything and add specific filters to avoid blind spots
445 ImageLoaded|startswith:
446 - 'C:\Windows\System32\'
447 - 'C:\Windows\SysWOW64\'
448 - 'C:\Windows\WinSxS\'
449 - 'C:\Windows\SoftwareDistribution\'
450 - 'C:\Windows\SystemTemp\'
451 - 'C:\$WINDOWS.~BT\'
452 filter_main_defender:
453 Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
454 Image|endswith: '\version.dll'
455 filter_optional_office_appvpolicy:
456 Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
457 ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
458 filter_optional_azure:
459 ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
460 filter_optional_dell:
461 Image|startswith:
462 - 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
463 - 'C:\Windows\System32\backgroundTaskHost.exe'
464 ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
465 filter_optional_dell_wldp:
466 Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
467 Image|endswith: '\wldp.dll'
468 filter_optional_checkpoint:
469 Image|startswith:
470 - 'C:\Program Files\CheckPoint\'
471 - 'C:\Program Files (x86)\CheckPoint\'
472 Image|endswith: '\SmartConsole.exe'
473 ImageLoaded|startswith:
474 - 'C:\Program Files\CheckPoint\'
475 - 'C:\Program Files (x86)\CheckPoint\'
476 ImageLoaded|endswith: '\PolicyManager.dll'
477 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
478falsepositives:
479 - Legitimate applications loading their own versions of the DLLs mentioned in this rule
480level: high
References
-
What is DLL Hijacking? DLL Hijacking is, in the broadest sense, tricking a legitimate/trusted application into loading an arbitrary DLL. Defensive measures such as AV and EDR solutions may not pick...
Read More -
Read Cyble Research Lab's analysis of a recent Oakboat variant that leverages DLL-Sideloading to infect its victims.
Read More -
Cyble Analyzes how Threat Actors are leveraging Microsoft applications and DLL Sideloading to deliver Cobalt Strike Beacons
Read More -
Related rules
- Creation Of Non-Existent System DLL
- Third Party Software DLL Sideloading
- DLL Sideloading Of ShellChromeAPI.DLL
- Potential DLL Sideloading Via ClassicExplorer32.dll
- Potential DLL Sideloading Via JsSchHlp