VMGuestLib DLL Sideload
Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.
Sigma rule (View on GitHub)
1title: VMGuestLib DLL Sideload
2id: 70e8e9b4-6a93-4cb7-8cde-da69502e7aff
3status: test
4description: Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.
5references:
6 - https://decoded.avast.io/martinchlumecky/png-steganography/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-12-01
9tags:
10 - attack.defense-evasion
11 - attack.persistence
12 - attack.privilege-escalation
13 - attack.t1574.001
14logsource:
15 category: image_load
16 product: windows
17detection:
18 selection:
19 ImageLoaded|contains|all:
20 - '\VMware\VMware Tools\vmStatsProvider\win32'
21 - '\vmGuestLib.dll'
22 Image|endswith: '\Windows\System32\wbem\WmiApSrv.exe'
23 filter:
24 Signed: 'true'
25 condition: selection and not filter
26falsepositives:
27 - FP could occur if the legitimate version of vmGuestLib already exists on the system
28level: medium
References
-
Our deep analysis of the Worok toolset (previously described by ESET Research) reveals the final stage, hidden in a PNG file, that steals data and provides a multifunctional backdoor using the DropBox repository and API.
Read More
Related rules
- Creation Of Non-Existent System DLL
- DLL Search Order Hijackig Via Additional Space in Path
- DLL Sideloading Of ShellChromeAPI.DLL
- Malicious DLL File Dropped in the Teams or OneDrive Folder
- Microsoft Office DLL Sideload