Potential Waveedit.DLL Sideloading
Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
Sigma rule (View on GitHub)
1title: Potential Waveedit.DLL Sideloading
2id: 71b31e99-9ad0-47d4-aeb5-c0ca3928eeeb
3status: test
4description: Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
5references:
6 - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
7author: X__Junior (Nextron Systems)
8date: 2023/06/14
9tags:
10 - attack.defense_evasion
11 - attack.privilege_escalation
12 - attack.t1574.001
13 - attack.t1574.002
14logsource:
15 category: image_load
16 product: windows
17detection:
18 selection:
19 ImageLoaded|endswith: '\waveedit.dll'
20 filter_main_legit_path:
21 Image:
22 - 'C:\Program Files (x86)\Nero\Nero Apps\Nero WaveEditor\waveedit.exe'
23 - 'C:\Program Files\Nero\Nero Apps\Nero WaveEditor\waveedit.exe'
24 ImageLoaded|startswith:
25 - 'C:\Program Files (x86)\Nero\Nero Apps\Nero WaveEditor\'
26 - 'C:\Program Files\Nero\Nero Apps\Nero WaveEditor\'
27 condition: selection and not 1 of filter_main_*
28falsepositives:
29 - Unlikely
30level: high
References
-
This blog entry discusses the more technical details on the most recent tools, techniques, and procedures (TTPs) leveraged by the Earth Preta APT group, and tackles how we were able to correlate different indicators connected to this threat actor.
Read More
Related rules
- Potential 7za.DLL Sideloading
- Potential Edputil.DLL Sideloading
- Potential RjvPlatform.DLL Sideloading From Default Location
- Potential RjvPlatform.DLL Sideloading From Non-Default Location
- Potential ShellDispatch.DLL Sideloading