Potential Waveedit.DLL Sideloading
Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
Sigma rule (View on GitHub)
1title: Potential Waveedit.DLL Sideloading
2id: 71b31e99-9ad0-47d4-aeb5-c0ca3928eeeb
3status: test
4description: Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
5references:
6 - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
7author: X__Junior (Nextron Systems)
8date: 2023-06-14
9tags:
10 - attack.defense-evasion
11 - attack.privilege-escalation
12 - attack.t1574.001
13logsource:
14 category: image_load
15 product: windows
16detection:
17 selection:
18 ImageLoaded|endswith: '\waveedit.dll'
19 filter_main_legit_path:
20 Image:
21 - 'C:\Program Files (x86)\Nero\Nero Apps\Nero WaveEditor\waveedit.exe'
22 - 'C:\Program Files\Nero\Nero Apps\Nero WaveEditor\waveedit.exe'
23 ImageLoaded|startswith:
24 - 'C:\Program Files (x86)\Nero\Nero Apps\Nero WaveEditor\'
25 - 'C:\Program Files\Nero\Nero Apps\Nero WaveEditor\'
26 condition: selection and not 1 of filter_main_*
27falsepositives:
28 - Unlikely
29level: high
References
Related rules
- Creation Of Non-Existent System DLL
- DLL Search Order Hijackig Via Additional Space in Path
- DLL Sideloading Of ShellChromeAPI.DLL
- Lazarus APT DLL Sideloading Activity
- Malicious DLL File Dropped in the Teams or OneDrive Folder