Potential System DLL Sideloading From Non System Locations
Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.)
Potential RoboForm.DLL Sideloading
Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
Potential Libvlc.DLL Sideloading
Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
Aruba Network Service Potential DLL Sideloading
Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
Microsoft Office DLL Sideload
Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
Potential Antivirus Software DLL Sideloading
Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.
Detects the use of the Pingback backdoor, which creates an ICMP tunnel for C2, as described in the Trustwave report
Powerup Write Hijack DLL
Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In its default mode, it builds a self-deleting .bat file which executes a malicious command. The detection rule relies on the creation of the malicious bat file (debug.bat by default).
Creation Of Non-Existent System DLL
Detects the creation of system DLLs that are not present on the system, usually to achieve DLL hijacking
Potential DLL Sideloading Of Non-Existent DLLs From System Folders
Detects DLL sideloading of system DLLs that are not present on the system by default, usually to achieve techniques such as UAC bypass and privilege escalation
Svchost DLL Search Order Hijack
Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exist on a typical modern system. The IKEEXT and SessionEnv services call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services ("svchost.exe -k netsvcs") to gain code execution on a remote machine.
Fax Service DLL Search Order Hijack
The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
DLL Sideloading Of ShellChromeAPI.DLL
Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary, which in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
Third Party Software DLL Sideloading
Detects DLL sideloading of DLLs that are part of third party software (Zoom, Discord, etc.)
Potential DLL Sideloading Via ClassicExplorer32.dll
Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
Potential Initial Access via DLL Search Order Hijacking
Detects attempts to create a DLL file in a known desktop application dependencies folder (such as Slack, Teams or OneDrive) by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
Detects WerFault copied to a suspicious folder, which could be a sign of WerFault DLL hijacking