Potential Libvlc.DLL Sideloading
Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
Sigma rule (View on GitHub)
1title: Potential Libvlc.DLL Sideloading
2id: bf9808c4-d24f-44a2-8398-b65227d406b6
3status: test
4description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
5references:
6 - https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html
7 - https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html
8author: X__Junior
9date: 2023-04-17
10tags:
11 - attack.defense-evasion
12 - attack.persistence
13 - attack.privilege-escalation
14 - attack.t1574.001
15 - attack.t1574.002
16logsource:
17 category: image_load
18 product: windows
19detection:
20 selection:
21 ImageLoaded|endswith: '\libvlc.dll'
22 filter_main_vlc:
23 ImageLoaded|startswith:
24 - 'C:\Program Files (x86)\VideoLAN\VLC\'
25 - 'C:\Program Files\VideoLAN\VLC\'
26 condition: selection and not 1 of filter_main_*
27falsepositives:
28 - False positives are expected if VLC is installed in non-default locations
29level: medium
References
-
After months of investigation, we found that several undisclosed malware and interesting tools used for exfiltration purposes were being used by Earth Preta. We also observed that the threat actors were actively changing their tools, tactics, and procedures (TTPs) to bypass security solutions. In this blog entry, we will introduce and analyze the other tools and malware used by the threat actor.
Read More -
Check out the entry for libvlc.dll on HijackLibs - it is loaded by applications vulnerable to DLL Hijacking!
Read More
Related rules
- Creation Of Non-Existent System DLL
- DLL Sideloading Of ShellChromeAPI.DLL
- Microsoft Office DLL Sideload
- Potential 7za.DLL Sideloading
- Potential Antivirus Software DLL Sideloading