Third Party Software DLL Sideloading

Detects DLL sideloading of DLLs that are part of third-party software (Zoom, Discord, etc.).

Sigma rule

```yaml
title: Third Party Software DLL Sideloading
id: f9df325d-d7bc-4a32-8a1a-2cc61dcefc63
status: test
description: Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)
references:
    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    # Lenovo
    selection_lenovo:
        ImageLoaded|endswith: '\commfunc.dll'
    filter_lenovo:
        - ImageLoaded|contains: '\AppData\local\Google\Chrome\Application\'
        - ImageLoaded|startswith:
              - 'C:\Program Files\Lenovo\Communications Utility\'
              - 'C:\Program Files (x86)\Lenovo\Communications Utility\'
    # Toshiba
    selection_toshiba:
        ImageLoaded|endswith: '\tosbtkbd.dll'
    filter_toshiba:
        ImageLoaded|startswith:
            - 'C:\Program Files\Toshiba\Bluetooth Toshiba Stack\'
            - 'C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\'
    # Zoom (FP with System32)
    # selection_zoom:
    #     ImageLoaded|endswith: '\version.dll'
    # filter_zoom:
    #     ImageLoaded|startswith: 'C:\Users\'
    #     ImageLoaded|contains: '\AppData\Roaming\Zoom\bin\'
    condition: (selection_lenovo and not filter_lenovo) or (selection_toshiba and not filter_toshiba)
falsepositives:
    - Unknown
level: medium
```
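As an added example (not part of this rule page or the Sigma project's own code), the following Python reproduces the rule's selection, filter and condition logic in plain code and runs it over a handful of constructed image_load records. It shows how a list of maps under a filter is OR-ed, how the Windows string modifiers match case-insensitively, and why a `version.dll` load does not fire while the Zoom block stays commented out. All sample paths and process names are invented for the example.

```python
"""Evaluate the 'Third Party Software DLL Sideloading' Sigma logic over
constructed image_load events. Illustrative code, not a Sigma backend."""

# Sigma string modifiers (endswith/startswith/contains) are case-insensitive
# on Windows log sources, so every comparison is done on lower-cased values.
LENOVO_DIRS = (
    "c:\\program files\\lenovo\\communications utility\\",
    "c:\\program files (x86)\\lenovo\\communications utility\\",
)
TOSHIBA_DIRS = (
    "c:\\program files\\toshiba\\bluetooth toshiba stack\\",
    "c:\\program files (x86)\\toshiba\\bluetooth toshiba stack\\",
)
CHROME_APP_DIR = "\\appdata\\local\\google\\chrome\\application\\"


def selection_lenovo(image_loaded: str) -> bool:
    return image_loaded.lower().endswith("\\commfunc.dll")


def filter_lenovo(image_loaded: str) -> bool:
    # A list of maps under a filter is OR-ed: the Chrome location or one of
    # the expected Lenovo install directories is enough to exclude the event.
    p = image_loaded.lower()
    return CHROME_APP_DIR in p or p.startswith(LENOVO_DIRS)


def selection_toshiba(image_loaded: str) -> bool:
    return image_loaded.lower().endswith("\\tosbtkbd.dll")


def filter_toshiba(image_loaded: str) -> bool:
    return image_loaded.lower().startswith(TOSHIBA_DIRS)


def rule_matches(event: dict) -> bool:
    """condition: (selection_lenovo and not filter_lenovo)
                  or (selection_toshiba and not filter_toshiba)"""
    img = event.get("ImageLoaded", "")
    return (selection_lenovo(img) and not filter_lenovo(img)) or (
        selection_toshiba(img) and not filter_toshiba(img)
    )


# Constructed Sysmon Event ID 7 style records (field names as the Sigma
# image_load category expects); every path and process name is invented.
SAMPLE_EVENTS = [
    {   # expected load from the vendor directory: filtered out
        "Image": "C:\\Program Files\\Lenovo\\Communications Utility\\LenovoUtility.exe",
        "ImageLoaded": "C:\\Program Files\\Lenovo\\Communications Utility\\commfunc.dll",
    },
    {   # same DLL name loaded from a user-writable directory: alert
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
        "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\CommFunc.dll",
    },
    {   # Toshiba DLL from its install directory: filtered out
        "Image": "C:\\Program Files (x86)\\Toshiba\\Bluetooth Toshiba Stack\\BtStackServer.exe",
        "ImageLoaded": "C:\\Program Files (x86)\\Toshiba\\Bluetooth Toshiba Stack\\tosbtkbd.dll",
    },
    {   # Toshiba DLL beside a copied executable in Downloads: alert
        "Image": "C:\\Users\\bob\\Downloads\\BtStackServer.exe",
        "ImageLoaded": "C:\\Users\\bob\\Downloads\\tosbtkbd.dll",
    },
    {   # version.dll: the Zoom selection is commented out, so no alert
        "Image": "C:\\Users\\bob\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe",
        "ImageLoaded": "C:\\Users\\bob\\AppData\\Roaming\\Zoom\\bin\\version.dll",
    },
]


def find_matches(events):
    """Return the ImageLoaded paths of all events that trigger the rule."""
    return [e["ImageLoaded"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for path in find_matches(SAMPLE_EVENTS):
        print("ALERT DLL sideloading candidate:", path)
```

When tuning the rule for a fleet, the `filter_*` blocks are where vendor-specific install paths go; anything else that loads a DLL with one of these names from a user-writable location is what the `condition` surfaces.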
