DLL Sideloading by VMware Xfer Utility
Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
Sigma rule (View on GitHub)
1title: DLL Sideloading by VMware Xfer Utility
2id: ebea773c-a8f1-42ad-a856-00cb221966e8
3status: test
4description: Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
5references:
6 - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-08-02
9tags:
10 - attack.defense-evasion
11 - attack.t1574.002
12logsource:
13 product: windows
14 category: process_creation
15detection:
16 selection:
17 Image|endswith: '\VMwareXferlogs.exe'
18 filter: # VMware might be installed in another path so update the rule accordingly
19 Image|startswith: 'C:\Program Files\VMware\'
20 condition: selection and not filter
21falsepositives:
22 - Unlikely
23level: high
References
-
Long-running LockBit ransomware attempts to evade Windows ETW, AMSI and EDR by leveraging legitimate VMware logging command line utility.
Read More
Related rules
- APT27 - Emissary Panda Activity
- Creation Of Non-Existent System DLL
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL
- DHCP Server Loaded the CallOut DLL