Potential ShellDispatch.DLL Sideloading
Detects potential DLL sideloading of "ShellDispatch.dll"
Sigma rule (View on GitHub)
1title: Potential ShellDispatch.DLL Sideloading
2id: 844f8eb2-610b-42c8-89a4-47596e089663
3status: experimental
4description: Detects potential DLL sideloading of "ShellDispatch.dll"
5references:
6 - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
7author: X__Junior (Nextron Systems)
8date: 2023/06/20
9tags:
10 - attack.defense_evasion
11 - attack.privilege_escalation
12 - attack.t1574.001
13 - attack.t1574.002
14logsource:
15 category: image_load
16 product: windows
17detection:
18 selection:
19 ImageLoaded|endswith: '\ShellDispatch.dll'
20 filter_main_legit_path:
21 - ImageLoaded|contains|all:
22 - ':\Users\'
23 - '\AppData\Local\Temp\'
24 - ImageLoaded|contains: ':\Windows\Temp\'
25 condition: selection and not 1 of filter_main_*
26falsepositives:
27 - Some installers may trigger some false positives
28level: medium
References
-
I have written about Nullsoft installer a few times before. I am a bit fascinated by it, because there is not that much research about it, in general, and even less – about its esoteric, yet omnipr...
Read More
Related rules
- Third Party Software DLL Sideloading
- DLL Sideloading Of ShellChromeAPI.DLL
- Potential DLL Sideloading Via ClassicExplorer32.dll
- Potential DLL Sideloading Via JsSchHlp
- Potential DLL Sideloading Via comctl32.dll