Potential DLL Sideloading Of Non-Existent DLLs From System Folders
Detects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories). Usually this technique is used to achieve UAC bypass or privilege escalation.
Sigma rule
```yaml
title: Potential DLL Sideloading Of Non-Existent DLLs From System Folders
id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
related:
    - id: df6ecb8b-7822-4f4b-b412-08f524b4576c # FileEvent rule
      type: similar
    - id: 602a1f13-c640-4d73-b053-be9a2fa58b77
      type: obsolete
status: test
description: |
    Detects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories).
    Usually this technique is used to achieve UAC bypass or privilege escalation.
references:
    - https://decoded.avast.io/martinchlumecky/png-steganography/
    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
    - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
    - https://github.com/Wh04m1001/SysmonEoP
    - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
    - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
author: Nasreddine Bencherchali (Nextron Systems), SBousseaden
date: 2022-12-09
modified: 2024-01-10
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            # Add other DLLs
            - ':\Windows\System32\TSMSISrv.dll'
            - ':\Windows\System32\TSVIPSrv.dll'
            - ':\Windows\System32\wbem\wbemcomn.dll'
            - ':\Windows\System32\WLBSCTRL.dll'
            - ':\Windows\System32\wow64log.dll'
            - ':\Windows\System32\WptsExtensions.dll'
    filter_main_ms_signed:
        Signed: 'true'
        SignatureStatus: 'Valid'
        # There could be other signatures (please add when found)
        Signature: 'Microsoft Windows'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
```
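To make the rule's semantics concrete, the following Python script is an added example (not part of the SigmaHQ rule or its tooling) that re-implements the selection, the Microsoft-signature filter and the condition over a handful of constructed Sysmon image_load (Event ID 7) records. The field names (`Image`, `ImageLoaded`, `Signed`, `SignatureStatus`, `Signature`) are the Sysmon ones the rule keys on; every path, process and signer value in the sample records is made up for this example, and the `id` key is only a label for the results. It shows three things a practitioner tuning this rule cares about: `endswith` matches case-insensitively and on any drive letter, the filter suppresses a load only when all three signature fields match, and the same file name loaded from outside a `Windows\System32` path does not hit the selection at all.

```python
# Added example (not part of the SigmaHQ rule): applies the rule's selection,
# filter and condition to constructed Sysmon image_load (Event ID 7) records.
from typing import Dict, Iterable, List

# DLL path suffixes from the rule's selection. Sigma string modifiers such as
# endswith match case-insensitively by default, so comparisons are lowercased.
SELECTION_SUFFIXES = (
    r":\Windows\System32\TSMSISrv.dll",
    r":\Windows\System32\TSVIPSrv.dll",
    r":\Windows\System32\wbem\wbemcomn.dll",
    r":\Windows\System32\WLBSCTRL.dll",
    r":\Windows\System32\wow64log.dll",
    r":\Windows\System32\WptsExtensions.dll",
)


def matches_selection(event: Dict[str, str]) -> bool:
    """selection: ImageLoaded|endswith any of the listed paths."""
    image = event.get("ImageLoaded", "").lower()
    return any(image.endswith(suffix.lower()) for suffix in SELECTION_SUFFIXES)


def matches_ms_signed_filter(event: Dict[str, str]) -> bool:
    """filter_main_ms_signed: the keys inside one Sigma map are ANDed."""
    return (
        event.get("Signed", "").lower() == "true"
        and event.get("SignatureStatus", "").lower() == "valid"
        and event.get("Signature", "").lower() == "microsoft windows"
    )


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return matches_selection(event) and not matches_ms_signed_filter(event)


def evaluate(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the ids of the events that would raise this alert."""
    return [e["id"] for e in events if rule_matches(e)]


# Constructed sample records (field names follow Sysmon Event ID 7; the values
# are invented for this example). "id" is a label for the output, not a field.
SAMPLE_EVENTS = [
    {   # Unsigned DLL appearing under System32 where it does not ship: alert.
        "id": "evt-1",
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Windows\System32\WptsExtensions.dll",
        "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "-",
    },
    {   # Microsoft-signed and valid: suppressed by filter_main_ms_signed.
        "id": "evt-2",
        "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "ImageLoaded": r"C:\Windows\System32\wbem\wbemcomn.dll",
        "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows",
    },
    {   # Validly signed by a third party (constructed name): the filter needs
        # all three fields to match, so this still alerts. Lowercase path shows
        # the case-insensitive endswith.
        "id": "evt-3",
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"c:\windows\system32\tsvipsrv.dll",
        "Signed": "true", "SignatureStatus": "Valid", "Signature": "Example Corp",
    },
    {   # Same file name outside a Windows\System32 path: selection does not match.
        "id": "evt-4",
        "Image": r"D:\Tools\app.exe",
        "ImageLoaded": r"D:\Tools\wow64log.dll",
        "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "-",
    },
    {   # Ordinary system DLL that is not on the list: no match.
        "id": "evt-5",
        "Image": r"C:\Windows\explorer.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows",
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT" if rule_matches(event) else "ok"
        print(f'{event["id"]}: {verdict} {event["ImageLoaded"]}')
```

Running it lists evt-1 and evt-3 as alerts. The evt-3 case is worth keeping in mind when tuning: a validly signed DLL from any publisher other than "Microsoft Windows" still fires, which is the intended behaviour for these names, and the rule's own comment invites adding further legitimate signatures as separate `filter_main_*` entries rather than loosening the existing one.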
Related rules
- Creation Of Non-Existent System DLL
- DLL Search Order Hijacking Via Additional Space in Path
- DLL Sideloading Of ShellChromeAPI.DLL
- Malicious DLL File Dropped in the Teams or OneDrive Folder
- Microsoft Office DLL Sideload