Detects DLL sideloading of system dlls that are not present on the system by default. Usually to achieve techniques such as UAC bypass and privilege escalation

Read More

Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company

Read More

Detects calls to hidden files or files located in hidden directories in NIX systems.

Read More

Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.)

Read More

Detects the creation of system dlls that are not present on the system. Usually to achieve dll hijacking

Read More

Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.

Read More

Detects potential DLL sideloading of "ShellDispatch.dll"

Read More

Detects potential DLL sideloading of "wwlib.dll"

Read More

Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)

Read More

Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking

Read More

Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

Read More

Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software

Read More

Detects potential DLL sideloading using comctl32.dll to obtain system privileges

Read More

Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor

Read More

Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.

Read More

Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report

Read More

Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.

Read More

Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.

Read More

Looks for the execution of svchost without the normal -k parameter. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

Read More

Detects potential DLL sideloading of "AVKkid.dll"

Read More

Detects potential DLL sideloading of "EACore.dll"

Read More

Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

Read More

Detects potential DLL sideloading of "vivaldi_elf.dll"

Read More

Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report

Read More

Detects potential DLL sideloading of "CCleanerDU.dll"

Read More

Detects potential DLL sideloading of "CCleanerReactivator.dll"

Read More

Detects potential DLL sideloading of "appverifUI.dll"

Read More

Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report

Read More

Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.

Read More

Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.

Read More

Detects potential DLL sideloading of "edputil.dll"

Read More

Detects potential DLL sideloading of "7za.dll"

Read More

Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.

Read More

Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.

Read More

Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus

Read More

Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe

Read More

Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager

Read More

Detects potential DLL sideloading of "chrome_frame_helper.dll"

Read More

Detects potential DLL side loading of DLLs that are part of the Wazuh security platform

Read More

Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location

Read More

Detects potential DLL sideloading of "SolidPDFCreator.dll"

Read More

Detects DLL sideloading of "dbgcore.dll"

Read More

Detects DLL sideloading of "dbghelp.dll"

Read More

Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"

Read More

Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)

Read More

Detects potential DLL sideloading of rcdll.dll

Read More

Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking

Read More

Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location

Read More

Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc

Read More

Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default).

Read More

Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine.

Read More

The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.

Read More