Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe

Detects potential DLL sideloading of "wwlib.dll"

Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.)

Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager

Detects potential DLL sideloading of "chrome_frame_helper.dll"

Detects potential DLL side loading of DLLs that are part of the Wazuh security platform

Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location

Detects potential DLL sideloading of "SolidPDFCreator.dll"

Detects DLL sideloading of "dbgcore.dll"

Detects DLL sideloading of "dbghelp.dll"

Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"

Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)

Detects potential DLL sideloading of rcdll.dll

Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking

Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location

Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc

Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report

Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default).

Detects the creation of system dlls that are not present on the system. Usually to achieve dll hijacking

Detects DLL sideloading of system dlls that are not present on the system by default. Usually to achieve techniques such as UAC bypass and privilege escalation

Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine.

The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.

Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.

Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

Detects potential DLL sideloading using comctl32.dll to obtain system privileges

Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)

Detects calls to hidden files or files located in hidden directories in NIX systems.

Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor

Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software

Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.

Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking