Potential RjvPlatform.DLL Sideloading From Default Location
Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
Sigma rule (View on GitHub)
1title: Potential RjvPlatform.DLL Sideloading From Default Location
2id: 259dda31-b7a3-444f-b7d8-17f96e8a7d0d
3status: test
4description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
5references:
6 - https://twitter.com/0gtweet/status/1666716511988330499
7author: X__Junior (Nextron Systems)
8date: 2023-06-09
9tags:
10 - attack.defense-evasion
11 - attack.privilege-escalation
12 - attack.t1574.001
13logsource:
14 category: image_load
15 product: windows
16detection:
17 selection:
18 Image: 'C:\Windows\System32\SystemResetPlatform\SystemResetPlatform.exe'
19 ImageLoaded: 'C:\$SysReset\Framework\Stack\RjvPlatform.dll'
20 condition: selection
21falsepositives:
22 - Unknown
23level: medium
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- Creation Of Non-Existent System DLL
- DLL Search Order Hijackig Via Additional Space in Path
- DLL Sideloading Of ShellChromeAPI.DLL
- Lazarus APT DLL Sideloading Activity
- Malicious DLL File Dropped in the Teams or OneDrive Folder