Potential DLL Sideloading Via VMware Xfer
Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL
Sigma rule (View on GitHub)
1title: Potential DLL Sideloading Via VMware Xfer
2id: 9313dc13-d04c-46d8-af4a-a930cc55d93b
3status: test
4description: Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL
5references:
6 - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/08/02
9modified: 2023/02/17
10tags:
11 - attack.defense_evasion
12 - attack.t1574.002
13logsource:
14 product: windows
15 category: image_load
16detection:
17 selection:
18 Image|endswith: '\VMwareXferlogs.exe'
19 ImageLoaded|endswith: '\glib-2.0.dll'
20 filter: # VMware might be installed in another path so update the rule accordingly
21 ImageLoaded|startswith: 'C:\Program Files\VMware\'
22 condition: selection and not filter
23falsepositives:
24 - Unlikely
25level: high
References
-
Long-running LockBit ransomware attempts to evade Windows ETW, AMSI and EDR by leveraging legitimate VMware logging command line utility.
Read More
Related rules
- Potential DLL Sideloading Via DeviceEnroller.EXE
- Renamed Vmnat.exe Execution
- Lazarus APT DLL Sideloading Activity
- Suspicious Unsigned Thor Scanner Execution
- Diamond Sleet APT DLL Sideloading Indicators