VMGuestLib DLL Sideload

Oct 17, 2023 · attack.defense_evasion attack.persistence attack.privilege_escalation attack.t1574.001 attack.t1574.002 ·

Share on:

Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.

Sigma rule (View on GitHub)

 1title: VMGuestLib DLL Sideload
 2id: 70e8e9b4-6a93-4cb7-8cde-da69502e7aff
 3status: test
 4description: Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.
 5references:
 6    - https://decoded.avast.io/martinchlumecky/png-steganography/
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022/12/01
 9tags:
10    - attack.defense_evasion
11    - attack.persistence
12    - attack.privilege_escalation
13    - attack.t1574.001
14    - attack.t1574.002
15logsource:
16    category: image_load
17    product: windows
18detection:
19    selection:
20        ImageLoaded|contains|all:
21            - '\VMware\VMware Tools\vmStatsProvider\win32'
22            - '\vmGuestLib.dll'
23        Image|endswith: '\Windows\System32\wbem\WmiApSrv.exe'
24    filter:
25        Signed: 'true'
26    condition: selection and not filter
27falsepositives:
28    - FP could occur if the legitimate version of vmGuestLib already exists on the system
29level: medium

References

PNG Steganography Hides Backdoor - Avast Threat Labs

Our deep analysis of the Worok toolset (previously described by ESET Research) reveals the final stage, hidden in a PNG file, that steals data and provides a multifunctional backdoor using the DropBox repository and API.

Read More

VMGuestLib DLL Sideload

Sigma rule (View on GitHub)

References

PNG Steganography Hides Backdoor - Avast Threat Labs

Related rules