Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27

Read More

Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking

Read More

Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories). Usually this technique is used to achieve DLL hijacking.

Read More

Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)

Read More

This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded

Read More

This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded

Read More

Detects DLL sideloading activity seen used by Diamond Sleet APT

Read More

Hunts known SVR-specific DLL names.

Read More

Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...) but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack

Read More

Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL

Read More

Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

Read More

Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded

Read More

The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.

Read More

Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company

Read More

Detects creation of a malicious DLL file in the location where the OneDrive or Team applications Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded

Read More

Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL

Read More

Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location

Read More

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

Read More

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

Read More

Detects potential DLL sideloading of "7za.dll"

Read More

Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc

Read More

Detects potential DLL sideloading of "appverifUI.dll"

Read More

Detects potential DLL sideloading of "AVKkid.dll"

Read More

Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.

Read More

Detects potential DLL sideloading of "CCleanerDU.dll"

Read More

Detects potential DLL sideloading of "CCleanerReactivator.dll"

Read More

Detects potential DLL sideloading of "chrome_frame_helper.dll"

Read More

Detects DLL sideloading of "dbgcore.dll"

Read More

Detects potential DLL sideloading of "dbghelp.dll"

Read More

Detects potential DLL sideloading of "DbgModel.dll"

Read More

Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe". Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".

Read More

Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location

Read More

Detects potential DLL sideloading of "MpSvc.dll".

Read More

Detects potential DLL sideloading of "mscorsvc.dll".

Read More

Detects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories). Usually this technique is used to achieve UAC bypass or privilege escalation.

Read More

Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software

Read More

Detects potential DLL sideloading using comctl32.dll to obtain system privileges

Read More

Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

Read More

Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor

Read More

Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL

Read More

Detects potential DLL sideloading of "EACore.dll"

Read More

Detects potential DLL sideloading of "edputil.dll"

Read More

Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe

Read More

Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)

Read More

Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"

Read More

Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

Read More

Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.

Read More

Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.

Read More

Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location

Read More

Detects potential DLL sideloading of Python DLL files.

Read More

Detects potential sideloading of malicious "aclui.dll" by OleView.This behavior was observed in Raspberry-Robin variants reported by chekpoint research on Feburary 2024.

Read More

Detects potential DLL sideloading of rcdll.dll

Read More

Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.

Read More

Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.

Read More

Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager

Read More

Detects potential DLL sideloading of "ShellDispatch.dll"

Read More

Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus

Read More

Detects potential DLL sideloading of "SolidPDFCreator.dll"

Read More

Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).

Read More

Detects potential DLL sideloading of "vivaldi_elf.dll"

Read More

Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.

Read More

Detects potential DLL side loading of DLLs that are part of the Wazuh security platform

Read More

Detects potential DLL sideloading of "wwlib.dll"

Read More

Detects potentially suspicious child processes of KeyScrambler.exe

Read More

Detects renamed vmnat.exe or portable version that can be used for DLL side-loading

Read More

Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks

Read More

Detects loading and execution of an unsigned thor scanner binary.

Read More

The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr

Read More

Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)

Read More

Attempts to load dismcore.dll after dropping it

Read More

Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations

Read More

Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

Read More

Detects unsigned module load by ClickOnce application.

Read More

Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.

Read More

Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.

Read More

Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.

Read More

Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities

Read More

Detects specific process characteristics of Winnti Pipemon malware reported by ESET

Read More

Detects the execution of Xwizard tool from a non-default directory. When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".

Read More

Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.

Read More

Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default).

Read More

Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report

Read More

Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report

Read More

Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report

Read More

Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.

Read More

Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.

Read More

Detects calls to hidden files or files located in hidden directories in NIX systems.

Read More

Looks for the execution of svchost without the normal -k parameter. Inspired by the 2022 Red Canary Threat Detection report.

Read More