Third Party Software DLL Sideloading

 1title: Third Party Software DLL Sideloading
 2id: f9df325d-d7bc-4a32-8a1a-2cc61dcefc63
 3status: test
 4description: Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)
 5references:
 6    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
 7author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
 8date: 2022/08/17
 9tags:
10    - attack.defense_evasion
11    - attack.persistence
12    - attack.privilege_escalation
13    - attack.t1574.001
14    - attack.t1574.002
15logsource:
16    category: image_load
17    product: windows
18detection:
19    # Lenovo
20    selection_lenovo:
21        ImageLoaded|endswith: '\commfunc.dll'
22    filter_lenovo:
23        - ImageLoaded|contains: '\AppData\local\Google\Chrome\Application\'
24        - ImageLoaded|startswith:
25              - 'C:\Program Files\Lenovo\Communications Utility\'
26              - 'C:\Program Files (x86)\Lenovo\Communications Utility\'
27    # Toshiba
28    selection_toshiba:
29        ImageLoaded|endswith: '\tosbtkbd.dll'
30    filter_toshiba:
31        ImageLoaded|startswith:
32            - 'C:\Program Files\Toshiba\Bluetooth Toshiba Stack\'
33            - 'C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\'
34    # Zoom (FP with System32)
35    # selection_zoom:
36    #     ImageLoaded|endswith: '\version.dll'
37    # filter_zoom:
38    #     ImageLoaded|startswith: 'C:\Users\'
39    #     ImageLoaded|contains: '\AppData\Roaming\Zoom\bin\'
40    condition: (selection_lenovo and not filter_lenovo) or (selection_toshiba and not filter_toshiba)
41falsepositives:
42    - Unknown
43level: medium