Sigma

Sigma detection rules

104 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.

Detection rules

critical
HackTool - SharpUp PrivEsc Tool Execution
Detects the use of SharpUp, a tool for local privilege escalation
status: test · author: Florian Roth (Nextron Systems) · id: c484e533-ee16-4a93-b6ac-f0ea4868b2f1
title: HackTool - SharpUp PrivEsc Tool Execution
id: c484e533-ee16-4a93-b6ac-f0ea4868b2f1
status: test
description: Detects the use of SharpUp, a tool for local privilege escalation
references:
    - https://github.com/GhostPack/SharpUp
author: Florian Roth (Nextron Systems)
date: 2022-08-20
modified: 2023-02-13
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.discovery
    - attack.execution
    - attack.stealth
    - attack.t1615
    - attack.t1569.002
    - attack.t1574.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SharpUp.exe'
        - Description: 'SharpUp'
        - CommandLine|contains:
              - 'HijackablePaths'
              - 'UnquotedServicePath'
              - 'ProcessDLLHijack'
              - 'ModifiableServiceBinaries'
              - 'ModifiableScheduledTask'
              - 'DomainGPPPassword'
              - 'CachedGPPPassword'
    condition: selection
falsepositives:
    - Unknown
level: critical
high
Abuse of Service Permissions to Hide Services Via Set-Service
Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (Works only in PowerShell 7)
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 514e4c3a-c77d-4cde-a00f-046425e2301e
title: Abuse of Service Permissions to Hide Services Via Set-Service
id: 514e4c3a-c77d-4cde-a00f-046425e2301e
related:
    - id: a537cfc3-4297-4789-92b5-345bfd845ad0
      type: derived
    - id: 953945c5-22fe-4a92-9f8a-a9edc1e522da
      type: similar
status: test
description: Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (Works only in PowerShell 7)
references:
    - https://twitter.com/Alh4zr3d/status/1580925761996828672
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-17
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\pwsh.exe'
        - OriginalFileName: 'pwsh.dll'
    selection_sddl:
        # Example would be: "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
        CommandLine|contains|all:
            - 'Set-Service '
            - 'DCLCWPDTSD'
    selection_cmdlet:
        CommandLine|contains:
            - '-SecurityDescriptorSddl '
            - '-sd '
    condition: all of selection_*
falsepositives:
    - Rare intended use of hidden services
level: high
high
Abuse of Service Permissions to Hide Services Via Set-Service - PS
Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (Works only in PowerShell 7)
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 953945c5-22fe-4a92-9f8a-a9edc1e522da
title: Abuse of Service Permissions to Hide Services Via Set-Service - PS
id: 953945c5-22fe-4a92-9f8a-a9edc1e522da
related:
    - id: 514e4c3a-c77d-4cde-a00f-046425e2301e
      type: similar
status: test
description: Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (Works only in PowerShell 7)
references:
    - https://twitter.com/Alh4zr3d/status/1580925761996828672
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-17
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Set-Service '
            - 'DCLCWPDTSD'
        ScriptBlockText|contains:
            - '-SecurityDescriptorSddl '
            - '-sd '
    condition: selection
falsepositives:
    - Rare intended use of hidden services
    - Rare FPs could occur due to the non-linearity of the ScriptBlockText log
level: high
high
Aruba Network Service Potential DLL Sideloading
Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 90ae0469-0cee-4509-b67f-e5efcef040f7
title: Aruba Network Service Potential DLL Sideloading
id: 90ae0469-0cee-4509-b67f-e5efcef040f7
status: test
description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
references:
    - https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-03-15
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\arubanetsvc.exe'
        ImageLoaded|endswith:
            - '\wtsapi32.dll'
            - '\msvcr100.dll'
            - '\msvcp100.dll'
            - '\dbghelp.dll'
            - '\dbgcore.dll'
            - '\wininet.dll'
            - '\iphlpapi.dll'
            - '\version.dll'
            - '\cryptsp.dll'
            - '\cryptbase.dll'
            - '\wldp.dll'
            - '\profapi.dll'
            - '\sspicli.dll'
            - '\winsta.dll'
            - '\dpapi.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high
Code Injection by ld.so Preload
Detects the ld.so preload persistence file. See `man ld.so` for more information.
status: test · author: Christian Burkard (Nextron Systems) · id: 7e3c4651-c347-40c4-b1d4-d48590fdf684
title: Code Injection by ld.so Preload
id: 7e3c4651-c347-40c4-b1d4-d48590fdf684
status: test
description: Detects the ld.so preload persistence file. See `man ld.so` for more information.
references:
    - https://man7.org/linux/man-pages/man8/ld.so.8.html
author: Christian Burkard (Nextron Systems)
date: 2021-05-05
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.006
logsource:
    product: linux
detection:
    keywords:
        - '/etc/ld.so.preload'
    condition: keywords
falsepositives:
    - Rare temporary workaround for library misconfiguration
level: high
high
DHCP Callout DLL Installation
Detects the installation of a Callout DLL via the CalloutDlls and CalloutEnabled parameters in the registry, which can be used to execute code in the context of the DHCP server (restart required)
status: test · author: Dimitrios Slamaris · id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
title: DHCP Callout DLL Installation
id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
status: test
description: Detects the installation of a Callout DLL via the CalloutDlls and CalloutEnabled parameters in the registry, which can be used to execute code in the context of the DHCP server (restart required)
references:
    - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
    - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
    - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: Dimitrios Slamaris
date: 2017-05-15
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1574.001
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\Services\DHCPServer\Parameters\CalloutDlls'
            - '\Services\DHCPServer\Parameters\CalloutEnabled'
    condition: selection
falsepositives:
    - Unknown
level: high
high
DHCP Server Error Failed Loading the CallOut DLL
This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
status: test · author: Dimitrios Slamaris, @atc_project (fix) · id: 75edd3fd-7146-48e5-9848-3013d7f0282c
title: DHCP Server Error Failed Loading the CallOut DLL
id: 75edd3fd-7146-48e5-9848-3013d7f0282c
status: test
description: This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
references:
    - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
    - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
    - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: 'Dimitrios Slamaris, @atc_project (fix)'
date: 2017-05-15
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID:
            - 1031
            - 1032
            - 1034
        Provider_Name: Microsoft-Windows-DHCP-Server
    condition: selection
falsepositives:
    - Unknown
level: high
high
DHCP Server Loaded the CallOut DLL
This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
status: test · author: Dimitrios Slamaris · id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
title: DHCP Server Loaded the CallOut DLL
id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
status: test
description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
references:
    - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
    - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
    - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: Dimitrios Slamaris
date: 2017-05-15
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 1033
        Provider_Name: Microsoft-Windows-DHCP-Server
    condition: selection
falsepositives:
    - Unknown
level: high
high
DLL Search Order Hijacking Via Additional Space in Path
Detects when an attacker creates a folder structure similar to Windows system folders (such as Windows, Program Files...) but with a trailing space, in order to trick the DLL load search order and perform a "DLL Search Order Hijacking" attack
status: test · author: frack113, Nasreddine Bencherchali (Nextron Systems) · id: b6f91281-20aa-446a-b986-38a92813a18f
title: DLL Search Order Hijacking Via Additional Space in Path
id: b6f91281-20aa-446a-b986-38a92813a18f
status: test
description: |
    Detects when an attacker creates a folder structure similar to Windows system folders (such as Windows, Program Files...)
    but with a trailing space, in order to trick the DLL load search order and perform a "DLL Search Order Hijacking" attack
references:
    - https://twitter.com/cyb3rops/status/1552932770464292864
    - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-30
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith:
            - 'C:\Windows \'
            - 'C:\Program Files \'
            - 'C:\Program Files (x86) \'
        TargetFilename|endswith: '.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
high
DLL Sideloading Of ShellChromeAPI.DLL
Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary, which in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: ee4c5d06-3abc-48cc-8885-77f1c20f4451
title: DLL Sideloading Of ShellChromeAPI.DLL
id: ee4c5d06-3abc-48cc-8885-77f1c20f4451
related:
    - id: e173ad47-4388-4012-ae62-bd13f71c18a8
      type: similar
status: test
description: |
    Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary, which in combination with the "PhoneDeepLink" flag tries to load this DLL.
    Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
references:
    - https://mobile.twitter.com/0gtweet/status/1564131230941122561
    - https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-01
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        # The DLL shouldn't exist on Windows anymore. If for some reason you still have it, you could filter out legitimate calls
        ImageLoaded|endswith: '\ShellChromeAPI.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
high
DLL Sideloading by VMware Xfer Utility
Detects execution of the VMware Xfer utility (VMwareXferlogs.exe) from a non-default directory, which may be an attempt to sideload an arbitrary DLL
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: ebea773c-a8f1-42ad-a856-00cb221966e8
title: DLL Sideloading by VMware Xfer Utility
id: ebea773c-a8f1-42ad-a856-00cb221966e8
status: test
description: Detects execution of the VMware Xfer utility (VMwareXferlogs.exe) from a non-default directory, which may be an attempt to sideload an arbitrary DLL
references:
    - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\VMwareXferlogs.exe'
    filter: # VMware might be installed in another path so update the rule accordingly
        Image|startswith: 'C:\Program Files\VMware\'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
high
DNS Server Error Failed Loading the ServerLevelPluginDLL
Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
status: test · author: Florian Roth (Nextron Systems) · id: cbe51394-cd93-4473-b555-edf0144952d9
title: DNS Server Error Failed Loading the ServerLevelPluginDLL
id: cbe51394-cd93-4473-b555-edf0144952d9
related:
    - id: e61e8a88-59a9-451c-874e-70fcc9740d67
      type: derived
    - id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
      type: derived
status: test
description: Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
references:
    - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
    - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
    - https://twitter.com/gentilkiwi/status/861641945944391680
author: Florian Roth (Nextron Systems)
date: 2017-05-08
modified: 2023-02-05
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    service: dns-server
detection:
    selection:
        EventID:
            - 150
            - 770
            - 771
    condition: selection
falsepositives:
    - Unknown
level: high
high
Fax Service DLL Search Order Hijack
The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
status: test · author: NVISO · id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
title: Fax Service DLL Search Order Hijack
id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
status: test
description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
references:
    - https://windows-internals.com/faxing-your-way-to-system/
author: NVISO
date: 2020-05-04
modified: 2022-06-02
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\fxssvc.exe'
        ImageLoaded|endswith: 'ualapi.dll'
    filter:
        ImageLoaded|startswith: 'C:\Windows\WinSxS\'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
high
HackTool - Powerup Write Hijack DLL
The PowerUp tool's Write-HijackDll function exploits DLL hijacking for privilege escalation. In its default mode, it builds a self-deleting .bat file which executes a malicious command. The detection rule relies on the creation of the malicious bat file (debug.bat by default).
status: test · author: Subhash Popuri (@pbssubhash) · id: 602a1f13-c640-4d73-b053-be9a2fa58b96
title: HackTool - Powerup Write Hijack DLL
id: 602a1f13-c640-4d73-b053-be9a2fa58b96
status: test
description: |
    The PowerUp tool's Write-HijackDll function exploits DLL hijacking for privilege escalation.
    In its default mode, it builds a self-deleting .bat file which executes a malicious command.
    The detection rule relies on the creation of the malicious bat file (debug.bat by default).
references:
    - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
author: Subhash Popuri (@pbssubhash)
date: 2021-08-21
modified: 2024-06-27
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith: '.bat'
    condition: selection
falsepositives:
    - Any powershell script that creates bat files # highly unlikely (untested)
level: high
high
Malicious DLL File Dropped in the Teams or OneDrive Folder
Detects creation of a malicious DLL file in the Teams or OneDrive application folder. Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
status: test · author: frack113 · id: 1908fcc1-1b92-4272-8214-0fbaf2fa5163
title: Malicious DLL File Dropped in the Teams or OneDrive Folder
id: 1908fcc1-1b92-4272-8214-0fbaf2fa5163
status: test
description: |
    Detects creation of a malicious DLL file in the Teams or OneDrive application folder.
    Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
references:
    - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
author: frack113
date: 2022-08-12
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains|all:
            - 'iphlpapi.dll'
            - '\AppData\Local\Microsoft'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Microsoft Defender Blocked from Loading Unsigned DLL
Detects the Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs, which may be an attempt to sideload an arbitrary DLL
status: test · author: Bhabesh Raj · id: 0b0ea3cc-99c8-4730-9c53-45deee2a4c86
title: Microsoft Defender Blocked from Loading Unsigned DLL
id: 0b0ea3cc-99c8-4730-9c53-45deee2a4c86
status: test
description: Detects the Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs, which may be an attempt to sideload an arbitrary DLL
references:
    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
author: Bhabesh Raj
date: 2022-08-02
modified: 2022-09-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    service: security-mitigations
detection:
    selection:
        EventID:
            - 11
            - 12 # MDE: ExploitGuardNonMicrosoftSignedBlocked
        ProcessPath|endswith:
            - '\MpCmdRun.exe'
            - '\NisSrv.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Microsoft Office DLL Sideload
Detects DLL sideloading of DLLs that are part of Microsoft Office from a non-standard location
status: test · author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) · id: 829a3bdf-34da-4051-9cf4-8ed221a8ae4f
title: Microsoft Office DLL Sideload
id: 829a3bdf-34da-4051-9cf4-8ed221a8ae4f
status: test
description: Detects DLL sideloading of DLLs that are part of Microsoft Office from a non-standard location
references:
    - https://hijacklibs.net/ # For a list of DLLs that could be sideloaded (search there for the DLLs mentioned in this rule)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2023-03-15
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\outllib.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Program Files\Microsoft Office\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\OFFICE'
            - 'C:\Program Files\Microsoft Office\Root\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
high
Modification of ld.so.preload
Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
status: test · author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community · id: 4b3cb710-5e83-4715-8c45-8b2b5b3e5751
title: Modification of ld.so.preload
id: 4b3cb710-5e83-4715-8c45-8b2b5b3e5751
status: test
description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md
    - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.006
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'PATH'
        name: '/etc/ld.so.preload'
    condition: selection
falsepositives:
    - Unknown
level: high
high
New DNS ServerLevelPluginDll Installed
Detects the installation of a DNS plugin DLL via the ServerLevelPluginDll parameter in the registry, which can be used to execute code in the context of the DNS server (restart required)
status: test · author: Florian Roth (Nextron Systems) · id: e61e8a88-59a9-451c-874e-70fcc9740d67
title: New DNS ServerLevelPluginDll Installed
id: e61e8a88-59a9-451c-874e-70fcc9740d67
related:
    - id: cbe51394-cd93-4473-b555-edf0144952d9
      type: derived
    - id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
      type: derived
status: test
description: Detects the installation of a DNS plugin DLL via the ServerLevelPluginDll parameter in the registry, which can be used to execute code in the context of the DNS server (restart required)
references:
    - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
    - https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
author: Florian Roth (Nextron Systems)
date: 2017-05-08
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1574.001
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
    condition: selection
falsepositives:
    - Unknown
level: high
high
New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
Detects the installation of a DNS plugin DLL via the ServerLevelPluginDll parameter in the registry, which can be used to execute code in the context of the DNS server (restart required)
status: test · author: Florian Roth (Nextron Systems) · id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
title: New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
related:
    - id: e61e8a88-59a9-451c-874e-70fcc9740d67
      type: derived
    - id: cbe51394-cd93-4473-b555-edf0144952d9
      type: derived
status: test
description: Detects the installation of a DNS plugin DLL via the ServerLevelPluginDll parameter in the registry, which can be used to execute code in the context of the DNS server (restart required)
references:
    - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
    - https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
author: Florian Roth (Nextron Systems)
date: 2017-05-08
modified: 2023-02-05
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1574.001
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\dnscmd.exe'
        CommandLine|contains|all:
            - '/config'
            - '/serverlevelplugindll'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Possible Privilege Escalation via Weak Service Permissions
Detects the sc.exe utility being spawned by a user with Medium integrity level in order to change a service's ImagePath or FailureCommand
status: test · author: Teymur Kheirkhabarov · id: d937b75f-a665-4480-88a5-2f20e9f9b22a
title: Possible Privilege Escalation via Weak Service Permissions
id: d937b75f-a665-4480-88a5-2f20e9f9b22a
status: test
description: Detects the sc.exe utility being spawned by a user with Medium integrity level in order to change a service's ImagePath or FailureCommand
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://pentestlab.blog/2017/03/30/weak-service-permissions/
author: Teymur Kheirkhabarov
date: 2019-10-26
modified: 2024-12-01
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    scbynonadmin:
        Image|endswith: '\sc.exe'
        IntegrityLevel:
            - 'Medium'
            - 'S-1-16-8192'
    selection_binpath:
        CommandLine|contains|all:
            - 'config'
            - 'binPath'
    selection_failure:
        CommandLine|contains|all:
            - 'failure'
            - 'command'
    condition: scbynonadmin and 1 of selection_*
falsepositives:
    - Unknown
level: high
high
Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe". Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".
status: test · author: Swachchhanda Shrawan Poudel · id: d2451be2-b582-4e15-8701-4196ac180260
title: Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
id: d2451be2-b582-4e15-8701-4196ac180260
related:
    - id: ca5583e9-8f80-46ac-ab91-7f314d13b984
      type: similar
status: test
description: |
    Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe".
    Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".
references:
    - https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html
    - https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/
    - https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/
    - https://twitter.com/Max_Mal_/status/1775222576639291859
    - https://twitter.com/DTCERT/status/1712785426895839339
author: Swachchhanda Shrawan Poudel
date: 2024-04-15
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\KeyScrambler.exe'
            - '\KeyScramblerLogon.exe'
        ImageLoaded|endswith: '\KeyScramblerIE.dll'
    filter_main_legitimate_path:
        Image|contains:
            - 'C:\Program Files (x86)\KeyScrambler\'
            - 'C:\Program Files\KeyScrambler\'
        ImageLoaded|contains:
            - 'C:\Program Files (x86)\KeyScrambler\'
            - 'C:\Program Files\KeyScrambler\'
    filter_main_signature:
        Signature: 'QFX Software Corporation'
        SignatureStatus: 'Valid'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high
Potential DLL Sideloading Of Non-Existent DLLs From System Folders
Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
status: test · author: Nasreddine Bencherchali (Nextron Systems), SBousseaden · id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
title: Potential DLL Sideloading Of Non-Existent DLLs From System Folders
id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
related:
    - id: df6ecb8b-7822-4f4b-b412-08f524b4576c # FileEvent rule
      type: similar
    - id: 602a1f13-c640-4d73-b053-be9a2fa58b77
      type: obsolete
status: test
description: |
    Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts.
    Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
references:
    - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
    - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
    - https://decoded.avast.io/martinchlumecky/png-steganography/
    - https://github.com/Wh04m1001/SysmonEoP
    - https://itm4n.github.io/cdpsvc-dll-hijacking/
    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
    - https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/
    - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
    - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
    - https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/
    - https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/
    - https://x.com/0gtweet/status/1564131230941122561
author: Nasreddine Bencherchali (Nextron Systems), SBousseaden
date: 2022-12-09
modified: 2026-01-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            # Add other DLLs
            - ':\Windows\System32\axeonoffhelper.dll'
            - ':\Windows\System32\cdpsgshims.dll'
            - ':\Windows\System32\oci.dll'
            - ':\Windows\System32\offdmpsvc.dll'
            - ':\Windows\System32\shellchromeapi.dll'
            - ':\Windows\System32\TSMSISrv.dll'
            - ':\Windows\System32\TSVIPSrv.dll'
            - ':\Windows\System32\wbem\wbemcomn.dll'
            - ':\Windows\System32\WLBSCTRL.dll'
            - ':\Windows\System32\wow64log.dll'
            - ':\Windows\System32\WptsExtensions.dll'
    filter_main_ms_signed:
        Signed: 'true'
        SignatureStatus: 'Valid'
        # There could be other signatures (please add when found)
        Signature: 'Microsoft Windows'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high
Potential DLL Sideloading Via VMware Xfer
Detects loading of a DLL by the VMware Xfer utility from a non-default directory, which may be an attempt to sideload an arbitrary DLL
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 9313dc13-d04c-46d8-af4a-a930cc55d93b
title: Potential DLL Sideloading Via VMware Xfer
id: 9313dc13-d04c-46d8-af4a-a930cc55d93b
status: test
description: Detects loading of a DLL by the VMware Xfer utility from a non-default directory, which may be an attempt to sideload an arbitrary DLL
references:
    - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
modified: 2023-02-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith: '\VMwareXferlogs.exe'
        ImageLoaded|endswith: '\glib-2.0.dll'
    filter: # VMware might be installed in another path so update the rule accordingly
        ImageLoaded|startswith: 'C:\Program Files\VMware\'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
high
Potential DLL Sideloading Via comctl32.dll
Detects potential DLL sideloading using comctl32.dll to obtain system privileges
status: test · author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash) · id: 6360757a-d460-456c-8b13-74cf0e60cceb
title: Potential DLL Sideloading Via comctl32.dll
id: 6360757a-d460-456c-8b13-74cf0e60cceb
status: test
description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges
references:
    - https://github.com/binderlabs/DirCreate2System
    - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)
date: 2022-12-16
modified: 2022-12-19
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\logonUI.exe.local\'
            - 'C:\Windows\System32\werFault.exe.local\'
            - 'C:\Windows\System32\consent.exe.local\'
            - 'C:\Windows\System32\narrator.exe.local\'
            - 'C:\windows\system32\wermgr.exe.local\'
        ImageLoaded|endswith: '\comctl32.dll'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Potential EACore.DLL Sideloading
Detects potential DLL sideloading of "EACore.dll"
status: test · author: X__Junior (Nextron Systems) · id: edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5
title: Potential EACore.DLL Sideloading
id: edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5
status: test
description: Detects potential DLL sideloading of "EACore.dll"
references:
    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-08-03
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\EACore.dll'
    filter_main_legit_path:
        Image|contains|all:
            - 'C:\Program Files\Electronic Arts\EA Desktop\'
            - '\EACoreServer.exe'
        ImageLoaded|startswith: 'C:\Program Files\Electronic Arts\EA Desktop\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high
Potential Edputil.DLL Sideloading
Detects potential DLL sideloading of "edputil.dll"
status: test · author: X__Junior (Nextron Systems) · id: e4903324-1a10-4ed3-981b-f6fe3be3a2c2
title: Potential Edputil.DLL Sideloading
id: e4903324-1a10-4ed3-981b-f6fe3be3a2c2
status: test
description: Detects potential DLL sideloading of "edputil.dll"
references:
    - https://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/
author: X__Junior (Nextron Systems)
date: 2023-06-09
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\edputil.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high
Potential Iviewers.DLL Sideloading
Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
status: test · author: X__Junior (Nextron Systems) · id: 4c21b805-4dd7-469f-b47d-7383a8fcb437
title: Potential Iviewers.DLL Sideloading
id: 4c21b805-4dd7-469f-b47d-7383a8fcb437
status: test
description: Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
references:
    - https://www.secureworks.com/research/shadowpad-malware-analysis
author: X__Junior (Nextron Systems)
date: 2023-03-21
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\iviewers.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\Windows Kits\'
            - 'C:\Program Files\Windows Kits\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high
Potential JLI.dll Side-Loading
Detects potential DLL side-loading of jli.dll. JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm, and others, in order to load malicious payloads in the context of legitimate Java processes.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · id: 7a3b6d1f-4a2b-4f8c-9d7e-e9f8cbf21a35
title: Potential JLI.dll Side-Loading
id: 7a3b6d1f-4a2b-4f8c-9d7e-e9f8cbf21a35
status: experimental
description: |
    Detects potential DLL side-loading of jli.dll.
    JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm,
    and others, in order to load malicious payloads in the context of legitimate Java processes.
references:
    - https://securelist.com/apt41-in-africa/116986/
    - https://lab52.io/blog/snake-keylogger-in-geopolitical-affairs-abuse-of-trusted-java-utilities-in-cybercrime-operations/
    - https://hijacklibs.net/entries/3rd_party/oracle/jli.html
    - https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-25
modified: 2025-10-06
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\jli.dll'
    filter_main_legitimate_install_paths:
        ImageLoaded|startswith:
            # Keeping the paths generic as jli.dll was found inside various directories of installed software
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
        Description: 'OpenJDK Platform binary'
        OriginalFileName: 'jli.dll'
        Product|startswith: 'OpenJDK Platform'
        Signed: 'true'
    filter_optional_eclipse:
        ImageLoaded|startswith: 'C:\eclipse\plugins\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
high
Potential Mpclient.DLL Sideloading
Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
status: test · author: Bhabesh Raj · id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
title: Potential Mpclient.DLL Sideloading
id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
related:
    - id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9
      type: similar
status: test
description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
references:
    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
author: Bhabesh Raj
date: 2022-08-02
modified: 2023-08-04
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith: '\mpclient.dll'
        Image|endswith:
            - '\MpCmdRun.exe'
            - '\NisSrv.exe'
    filter_main_known_locations:
        Image|startswith:
            - 'C:\Program Files (x86)\Windows Defender\'
            - 'C:\Program Files\Microsoft Security Client\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high
Potential Mpclient.DLL Sideloading Via Defender Binaries
Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
status: test · author: Bhabesh Raj · id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9
title: Potential Mpclient.DLL Sideloading Via Defender Binaries
id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9
related:
    - id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
      type: similar
status: test
description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
references:
    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
author: Bhabesh Raj
date: 2022-08-01
modified: 2023-08-04
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\MpCmdRun.exe'
            - '\NisSrv.exe'
    filter_main_known_locations:
        Image|startswith:
            - 'C:\Program Files (x86)\Windows Defender\'
            - 'C:\Program Files\Microsoft Security Client\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high
Potential Privilege Escalation via Service Permissions Weakness
Detects modification of service configuration (ImagePath, FailureCommand and ServiceDLL) in the registry by processes with Medium integrity level
status: test · author: Teymur Kheirkhabarov · id: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981
title: Potential Privilege Escalation via Service Permissions Weakness
id: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981
status: test
description: Detects modification of service configuration (ImagePath, FailureCommand and ServiceDLL) in the registry by processes with Medium integrity level
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
author: Teymur Kheirkhabarov
date: 2019-10-26
modified: 2024-12-01
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        IntegrityLevel:
            - 'Medium'
            - 'S-1-16-8192'
        CommandLine|contains|all:
            - 'ControlSet'
            - 'services'
        CommandLine|contains:
            - '\ImagePath'
            - '\FailureCommand'
            - '\ServiceDll'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Potential Rcdll.DLL Sideloading
Detects potential DLL sideloading of rcdll.dll
status: test · author: X__Junior (Nextron Systems) · id: 6e78b74f-c762-4800-82ad-f66787f10c8a
title: Potential Rcdll.DLL Sideloading
id: 6e78b74f-c762-4800-82ad-f66787f10c8a
status: test
description: Detects potential DLL sideloading of rcdll.dll
references:
    - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
author: X__Junior (Nextron Systems)
date: 2023-03-13
modified: 2023-03-15
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\rcdll.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\Microsoft Visual Studio\'
            - 'C:\Program Files (x86)\Windows Kits\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high
Potential RjvPlatform.DLL Sideloading From Non-Default Location
Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
status: test · author: X__Junior (Nextron Systems) · id: 0e0bc253-07ed-43f1-816d-e1b220fe8971
title: Potential RjvPlatform.DLL Sideloading From Non-Default Location
id: 0e0bc253-07ed-43f1-816d-e1b220fe8971
status: test
description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
references:
    - https://twitter.com/0gtweet/status/1666716511988330499
author: X__Junior (Nextron Systems)
date: 2023-06-09
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\RjvPlatform.dll'
        # Image carries the full path, so a plain (exact) match on the bare file name would never fire
        Image|endswith: '\SystemResetPlatform.exe'
    filter_main_legit_path:
        Image|startswith: 'C:\Windows\System32\SystemResetPlatform\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high
Potential SmadHook.DLL Sideloading
Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
status: test · author: X__Junior (Nextron Systems) · id: 24b6cf51-6122-469e-861a-22974e9c1e5b
title: Potential SmadHook.DLL Sideloading
id: 24b6cf51-6122-469e-861a-22974e9c1e5b
status: test
description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
references:
    - https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/
    - https://www.qurium.org/alerts/targeted-malware-against-crph/
author: X__Junior (Nextron Systems)
date: 2023-06-01
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\SmadHook32c.dll'
            - '\SmadHook64c.dll'
    filter_main_legit_path:
        Image:
            - 'C:\Program Files (x86)\SMADAV\SmadavProtect32.exe'
            - 'C:\Program Files (x86)\SMADAV\SmadavProtect64.exe'
            - 'C:\Program Files\SMADAV\SmadavProtect32.exe'
            - 'C:\Program Files\SMADAV\SmadavProtect64.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\SMADAV\'
            - 'C:\Program Files\SMADAV\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high
Potential System DLL Sideloading From Non System Locations
Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 4fc0deee-0057-4998-ab31-d24e46e0aba4
title: Potential System DLL Sideloading From Non System Locations
id: 4fc0deee-0057-4998-ab31-d24e46e0aba4
status: test
description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
references:
    - https://hijacklibs.net/ # For a list of DLLs that could be sideloaded (look up the DLLs listed here there). Wietze Beukema (project and research)
    - https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll
    - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
    - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
    - https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
modified: 2025-12-03
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\aclui.dll'
            - '\activeds.dll'
            - '\adsldpc.dll'
            - '\aepic.dll'
            - '\apphelp.dll'
            - '\applicationframe.dll'
            - '\appvpolicy.dll'
            - '\appxalluserstore.dll'
            - '\appxdeploymentclient.dll'
            - '\archiveint.dll'
            - '\atl.dll'
            - '\audioses.dll'
            - '\auditpolcore.dll'
            - '\authfwcfg.dll'
            - '\authz.dll'
            - '\avrt.dll'
            - '\batmeter.dll'
            - '\bcd.dll'
            - '\bcp47langs.dll'
            - '\bcp47mrm.dll'
            - '\bcrypt.dll'
            - '\bderepair.dll'
            - '\bootmenuux.dll'
            - '\bootux.dll'
            - '\cabinet.dll'
            - '\cabview.dll'
            - '\certcli.dll'
            - '\certenroll.dll'
            - '\cfgmgr32.dll'
            - '\cldapi.dll'
            - '\clipc.dll'
            - '\clusapi.dll'
            - '\cmpbk32.dll'
            - '\cmutil.dll'
            - '\coloradapterclient.dll'
            - '\colorui.dll'
            - '\comdlg32.dll'
            - '\configmanager2.dll'
            - '\connect.dll'
            - '\coredplus.dll'
            - '\coremessaging.dll'
            - '\coreuicomponents.dll'
            - '\credui.dll'
            - '\cryptbase.dll'
            - '\cryptdll.dll'
            - '\cryptsp.dll'
            - '\cryptui.dll'
            - '\cryptxml.dll'
            - '\cscapi.dll'
            - '\cscobj.dll'
            - '\cscui.dll'
            - '\d2d1.dll'
            - '\d3d10_1.dll'
            - '\d3d10_1core.dll'
            - '\d3d10.dll'
            - '\d3d10core.dll'
            - '\d3d10warp.dll'
            - '\d3d11.dll'
            - '\d3d12.dll'
            - '\d3d9.dll'
            - '\d3dx9_43.dll'
            - '\dataexchange.dll'
            - '\davclnt.dll'
            - '\dcntel.dll'
            - '\dcomp.dll'
            - '\defragproxy.dll'
            - '\desktopshellext.dll'
            - '\deviceassociation.dll'
            - '\devicecredential.dll'
            - '\devicepairing.dll'
            - '\devobj.dll'
            - '\devrtl.dll'
            - '\dhcpcmonitor.dll'
            - '\dhcpcsvc.dll'
            - '\dhcpcsvc6.dll'
            - '\directmanipulation.dll'
            - '\dismapi.dll'
            - '\dismcore.dll'
            - '\dmcfgutils.dll'
            - '\dmcmnutils.dll'
            - '\dmcommandlineutils.dll'
            - '\dmenrollengine.dll'
            - '\dmenterprisediagnostics.dll'
            - '\dmiso8601utils.dll'
            - '\dmoleaututils.dll'
            - '\dmprocessxmlfiltered.dll'
            - '\dmpushproxy.dll'
            - '\dmxmlhelputils.dll'
            - '\dnsapi.dll'
            - '\dot3api.dll'
            - '\dot3cfg.dll'
            - '\dpx.dll'
            - '\drprov.dll'
            - '\drvstore.dll'
            - '\dsclient.dll'
            - '\dsparse.dll'
            - '\dsprop.dll'
            - '\dsreg.dll'
            - '\dsrole.dll'
            - '\dui70.dll'
            - '\duser.dll'
            - '\dusmapi.dll'
            - '\dwmapi.dll'
            - '\dwmcore.dll'
            - '\dwrite.dll'
            - '\dxcore.dll'
            - '\dxgi.dll'
            - '\dxva2.dll'
            - '\dynamoapi.dll'
            - '\eappcfg.dll'
            - '\eappprxy.dll'
            - '\edgeiso.dll'
            - '\edputil.dll'
            - '\efsadu.dll'
            - '\efsutil.dll'
            - '\esent.dll'
            - '\execmodelproxy.dll'
            - '\explorerframe.dll'
            - '\fastprox.dll'
            - '\faultrep.dll'
            - '\fddevquery.dll'
            - '\feclient.dll'
            - '\fhcfg.dll'
            - '\fhsvcctl.dll'
            - '\firewallapi.dll'
            - '\flightsettings.dll'
            - '\fltlib.dll'
            - '\framedynos.dll'
            - '\fveapi.dll'
            - '\fveskybackup.dll'
            - '\fvewiz.dll'
            - '\fwbase.dll'
            - '\fwcfg.dll'
            - '\fwpolicyiomgr.dll'
            - '\fwpuclnt.dll'
            - '\fxsapi.dll'
            - '\fxsst.dll'
            - '\fxstiff.dll'
            - '\getuname.dll'
            - '\gpapi.dll'
            - '\hid.dll'
            - '\hnetmon.dll'
            - '\httpapi.dll'
            - '\icmp.dll'
            - '\idstore.dll'
            - '\ieadvpack.dll'
            - '\iedkcs32.dll'
            - '\iernonce.dll'
            - '\iertutil.dll'
            - '\ifmon.dll'
            - '\ifsutil.dll'
            - '\inproclogger.dll'
            - '\iphlpapi.dll'
            - '\iri.dll'
            - '\iscsidsc.dll'
            - '\iscsium.dll'
            - '\isv.exe_rsaenh.dll'
            - '\iumbase.dll'
            - '\iumsdk.dll'
            - '\joinutil.dll'
            - '\kdstub.dll'
            - '\ksuser.dll'
            - '\ktmw32.dll'
            - '\licensemanagerapi.dll'
            - '\licensingdiagspp.dll'
            - '\linkinfo.dll'
            - '\loadperf.dll'
            - '\lockhostingframework.dll'
            - '\logoncli.dll'
            - '\logoncontroller.dll'
            - '\lpksetupproxyserv.dll'
            - '\lrwizdll.dll'
            - '\magnification.dll'
            - '\maintenanceui.dll'
            - '\mapistub.dll'
            - '\mbaexmlparser.dll'
            - '\mdmdiagnostics.dll'
            - '\mfc42u.dll'
            - '\mfcore.dll'
            - '\mfplat.dll'
            - '\mi.dll'
            - '\midimap.dll'
            - '\mintdh.dll'
            - '\miutils.dll'
            - '\mlang.dll'
            - '\mmdevapi.dll'
            - '\mobilenetworking.dll'
            - '\mpr.dll'
            - '\mprapi.dll'
            - '\mrmcorer.dll'
            - '\msacm32.dll'
            - '\mscms.dll'
            - '\mscoree.dll'
            - '\msctf.dll'
            - '\msctfmonitor.dll'
            - '\msdrm.dll'
            - '\msdtctm.dll'
            - '\msftedit.dll'
            - '\msi.dll'
            - '\msiso.dll'
            - '\msutb.dll'
            - '\msvcp110_win.dll'
            - '\mswb7.dll'
            - '\mswsock.dll'
            - '\msxml3.dll'
            - '\mtxclu.dll'
            - '\napinsp.dll'
            - '\ncrypt.dll'
            - '\ndfapi.dll'
            - '\netapi32.dll'
            - '\netid.dll'
            - '\netiohlp.dll'
            - '\netjoin.dll'
            - '\netplwiz.dll'
            - '\netprofm.dll'
            - '\netprovfw.dll'
            - '\netsetupapi.dll'
            - '\netshell.dll'
            - '\nettrace.dll'
            - '\netutils.dll'
            - '\networkexplorer.dll'
            - '\newdev.dll'
            - '\ninput.dll'
            - '\nlaapi.dll'
            - '\nlansp_c.dll'
            - '\npmproxy.dll'
            - '\nshhttp.dll'
            - '\nshipsec.dll'
            - '\nshwfp.dll'
            - '\ntdsapi.dll'
            - '\ntlanman.dll'
            - '\ntlmshared.dll'
            - '\ntmarta.dll'
            - '\ntshrui.dll'
            - '\oleacc.dll'
            - '\omadmapi.dll'
            - '\onex.dll'
            - '\opcservices.dll'
            - '\osbaseln.dll'
            - '\osksupport.dll'
            - '\osuninst.dll'
            - '\p2p.dll'
            - '\p2pnetsh.dll'
            - '\p9np.dll'
            - '\pcaui.dll'
            - '\pdh.dll'
            - '\peerdistsh.dll'
            - '\pkeyhelper.dll'
            - '\pla.dll'
            - '\playsndsrv.dll'
            - '\pnrpnsp.dll'
            - '\policymanager.dll'
            - '\polstore.dll'
            - '\powrprof.dll'
            - '\printui.dll'
            - '\prntvpt.dll'
            - '\profapi.dll'
            - '\propsys.dll'
            - '\proximitycommon.dll'
            - '\proximityservicepal.dll'
            - '\prvdmofcomp.dll'
            - '\puiapi.dll'
            - '\radcui.dll'
            - '\rasapi32.dll'
            - '\rasdlg.dll'
            - '\rasgcw.dll'
            - '\rasman.dll'
            - '\rasmontr.dll'
            - '\reagent.dll'
            - '\regapi.dll'
            - '\reseteng.dll'
            - '\resetengine.dll'
            - '\resutils.dll'
            - '\rmclient.dll'
            - '\rpcnsh.dll'
            - '\rsaenh.dll'
            - '\rtutils.dll'
            - '\rtworkq.dll'
            - '\samcli.dll'
            - '\samlib.dll'
            - '\sapi_onecore.dll'
            - '\sas.dll'
            - '\scansetting.dll'
            - '\scecli.dll'
            - '\schedcli.dll'
            - '\secur32.dll'
            - '\security.dll'
            - '\sensapi.dll'
            - '\shell32.dll'
            - '\shfolder.dll'
            - '\slc.dll'
            - '\snmpapi.dll'
            - '\spectrumsyncclient.dll'
            - '\spp.dll'
            - '\sppc.dll'
            - '\sppcext.dll'
            - '\srclient.dll'
            - '\srcore.dll'
            - '\srmtrace.dll'
            - '\srpapi.dll'
            - '\srvcli.dll'
            - '\ssp_isv.exe_rsaenh.dll'
            - '\ssp.exe_rsaenh.dll'
            - '\sspicli.dll'
            - '\ssshim.dll'
            - '\staterepository.core.dll'
            - '\structuredquery.dll'
            - '\sxshared.dll'
            - '\systemsettingsthresholdadminflowui.dll'
            - '\tapi32.dll'
            - '\tbs.dll'
            - '\tdh.dll'
            - '\textshaping.dll'
            - '\timesync.dll'
            - '\tpmcoreprovisioning.dll'
            - '\tquery.dll'
            - '\tsworkspace.dll'
            - '\ttdrecord.dll'
            - '\twext.dll'
            - '\twinapi.dll'
            - '\twinui.appcore.dll'
            - '\uianimation.dll'
            - '\uiautomationcore.dll'
            - '\uireng.dll'
            - '\uiribbon.dll'
            - '\umpdc.dll'
            - '\unattend.dll'
            - '\updatepolicy.dll'
            - '\upshared.dll'
            - '\urlmon.dll'
            - '\userenv.dll'
            - '\utildll.dll'
            - '\uxinit.dll'
            - '\uxtheme.dll'
            - '\vaultcli.dll'
            - '\vdsutil.dll'
            - '\version.dll'
            - '\virtdisk.dll'
            - '\vssapi.dll'
            - '\vsstrace.dll'
            - '\wbemprox.dll'
            - '\wbemsvc.dll'
            - '\wcmapi.dll'
            - '\wcnnetsh.dll'
            - '\wdi.dll'
            - '\wdscore.dll'
            - '\webservices.dll'
            - '\wecapi.dll'
            - '\wer.dll'
            - '\wevtapi.dll'
            - '\whhelper.dll'
            - '\wimgapi.dll'
            - '\winbio.dll'
            - '\winbrand.dll'
            - '\windows.storage.dll'
            - '\windows.storage.search.dll'
            - '\windows.ui.immersive.dll'
            - '\windowscodecs.dll'
            - '\windowscodecsext.dll'
            - '\windowsudk.shellcommon.dll'
            - '\winhttp.dll'
            - '\wininet.dll'
            - '\winipsec.dll'
            - '\winmde.dll'
            - '\winmm.dll'
            - '\winnsi.dll'
            - '\winrnr.dll'
            - '\winscard.dll'
            - '\winsqlite3.dll'
            - '\winsta.dll'
            - '\winsync.dll'
            - '\wkscli.dll'
            - '\wlanapi.dll'
            - '\wlancfg.dll'
            - '\wldp.dll'
            - '\wlidprov.dll'
            - '\wmiclnt.dll'
            - '\wmidcom.dll'
            - '\wmiutils.dll'
            - '\wmpdui.dll'
            - '\wmsgapi.dll'
            - '\wofutil.dll'
            - '\wpdshext.dll'
            - '\wscapi.dll'
            - '\wsdapi.dll'
            - '\wshbth.dll'
            - '\wshelper.dll'
            - '\wsmsvc.dll'
            - '\wtsapi32.dll'
            - '\wwancfg.dll'
            - '\wwapi.dll'
            - '\xmllite.dll'
            - '\xolehlp.dll'
            - '\xpsservices.dll'
            - '\xwizards.dll'
            - '\xwtpw32.dll'
            # From https://github.com/XForceIR/SideLoadHunter/blob/main/SideLoads/README.md
            - '\amsi.dll'
            - '\appraiser.dll'
            - '\COMRES.DLL'
            - '\cryptnet.dll'
            - '\DispBroker.dll'
            - '\dsound.dll'
            - '\dxilconv.dll'
            - '\FxsCompose.dll'
            - '\FXSRESM.DLL'
            - '\msdtcVSp1res.dll'
            - '\PrintIsolationProxy.dll'
            - '\rdpendp.dll'
            - '\rpchttp.dll'
            - '\storageusage.dll'
            - '\utcutil.dll'
            - '\WfsR.dll'
            # The DLLs below exist in "C:\Windows\System32\DriverStore\FileRepository\", but a copy also lives in "C:\ProgramData\Package Cache\XXXXXXX\Graphics\". If you see them loaded from there, comment them out rather than adding a filter for ProgramData :)
            - '\igd10iumd64.dll'
            - '\igd12umd64.dll'
            - '\igdumdim64.dll'
            - '\igdusc64.dll'
            # Other
            - '\TSMSISrv.dll'
            - '\TSVIPSrv.dll'
            - '\wbemcomn.dll'
            - '\WLBSCTRL.dll'
            - '\wow64log.dll'
            - '\WptsExtensions.dll'
    filter_main_generic:
        # Note: this filter is generic on purpose to avoid an insane number of FPs from legitimate third-party applications. A better approach is to baseline everything and add specific filters to avoid blind spots
        ImageLoaded|contains:
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemTemp\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\SyChpe32\' # “hybrid” binaries containing x86-to-ARM stubs to improve the x86 emulation performance
    filter_main_windows_temp:
        ImageLoaded|startswith: 'C:\Windows\Temp\'
        Image|startswith:
            - 'C:\Windows\WinSxS\arm64'
            - 'C:\Windows\UUS\arm64\'
        Image|endswith:
            - '\TiWorker.exe'
            - '\wuaucltcore.exe'
    filter_main_dot_net:
        ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\'
        ImageLoaded|endswith: '\cscui.dll'
    filter_main_defender:
        ImageLoaded|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        ImageLoaded|endswith: '\version.dll'
    filter_main_directx:
        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\Microsoft.DirectXRuntime_'
        ImageLoaded|endswith: '\d3dx9_43.dll'
    filter_optional_exchange:
        ImageLoaded|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
        ImageLoaded|endswith: '\mswb7.dll'
    filter_optional_arsenal_image_mounter:
        ImageLoaded|startswith: 'C:\Program Files\Arsenal-Image-Mounter-'
        ImageLoaded|endswith:
            - '\mi.dll'
            - '\miutils.dll'
    filter_optional_office_appvpolicy:
        Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
        ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
    filter_optional_azure:
        ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
    filter_optional_dell:
        Image|contains:
            - 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
            - 'C:\Windows\System32\backgroundTaskHost.exe'
        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
    filter_optional_dell_wldp:
        Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
        Image|endswith: '\wldp.dll'
    filter_optional_checkpoint:
        Image|startswith:
            - 'C:\Program Files\CheckPoint\'
            - 'C:\Program Files (x86)\CheckPoint\'
        Image|endswith: '\SmartConsole.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files\CheckPoint\'
            - 'C:\Program Files (x86)\CheckPoint\'
        ImageLoaded|endswith: '\PolicyManager.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate applications loading their own versions of the DLLs mentioned in this rule
level: high
high
Potential Vcruntime140 DLL Sideloading
Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library. Threat actors have been observed using DLL sideloading techniques to load malicious payloads under the guise of legitimate applications such as SqlWriter, SqlDumper etc. Notably, APT29 has been documented leveraging WinELOADER to sideload vcruntime140.dll for executing malicious code.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · id: d7a63acb-1284-49bc-bfea-7771146c8b1c
title: Potential Vcruntime140 DLL Sideloading
id: d7a63acb-1284-49bc-bfea-7771146c8b1c
status: experimental
description: |
    Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library.
    Threat actors have been observed using DLL sideloading techniques to load malicious payloads under the guise of legitimate applications such as SqlWriter, SqlDumper etc.
    Notably, APT29 has been documented leveraging WinELOADER to sideload vcruntime140.dll for executing malicious code.
references:
    - https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
    - https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
    - https://www.nextron-systems.com/2023/09/15/detecting-janelarat-with-yara-and-thor/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-12
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\vcruntime140.dll'
    filter_main_legitimate_path:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_legitimate_signer:
        Signed: true
        SignatureStatus: 'Valid'
        Description: 'Microsoft® C Runtime Library'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/info.yml
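The two image_load rules above, the non-system-location sideload rule that ends in `condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*` and the vcruntime140 rule, rely on the same handful of Sigma features: the `endswith`/`startswith`/`contains` modifiers, list values as OR, list-of-maps selections as OR, and `1 of name_*` / `all of name_*` quantifiers in the condition. The Python below is an added example (not SigmaHQ or pySigma code) that implements only those features, embeds the vcruntime140 detection section copied from the rule above, and runs it over three constructed Sysmon Event ID 7 records. The process paths, the event values and the `alerts` helper are assumptions for illustration, not data from the page.

```python
import fnmatch
import re


def _match_value(actual, modifiers, expected):
    if actual is None:
        return False
    # Sigma matching is case-insensitive; stringifying both sides also lets the
    # YAML boolean 'Signed: true' match the literal "true" that Sysmon logs.
    a, e = str(actual).lower(), str(expected).lower()
    if "contains" in modifiers:
        return e in a
    if "startswith" in modifiers:
        return a.startswith(e)
    if "endswith" in modifiers:
        return a.endswith(e)
    return a == e


def _match_field(event, key, expected):
    field, *modifiers = key.split("|")
    values = expected if isinstance(expected, list) else [expected]
    hits = [_match_value(event.get(field), modifiers, v) for v in values]
    return all(hits) if "all" in modifiers else any(hits)


def match_block(event, block):
    """A map is AND over its fields; a list of maps is OR over the maps."""
    if isinstance(block, list):
        return any(match_block(event, b) for b in block)
    return all(_match_field(event, k, v) for k, v in block.items())


_TOKEN = re.compile(r"\(|\)|\b(?:1|all) of [^\s()]+|\band\b|\bor\b|\bnot\b|[^\s()]+")


def evaluate_condition(condition, results):
    """results maps block name -> bool. Precedence: not > and > or, as in Sigma."""
    tokens, pos = _TOKEN.findall(condition), 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def atom():
        tok = take()
        if tok == "(":
            value = expr()
            take()  # closing parenthesis
            return value
        if tok == "not":
            return not atom()
        if " of " in tok:  # '1 of filter_main_*' or 'all of selection_*'
            quantifier, _, pattern = tok.split(" ", 2)
            hits = [results[n] for n in results if fnmatch.fnmatchcase(n, pattern)]
            return any(hits) if quantifier == "1" else all(hits)
        return results[tok]

    def term():
        value = atom()
        while pos < len(tokens) and tokens[pos] == "and":
            take()
            value = atom() and value
        return value

    def expr():
        value = term()
        while pos < len(tokens) and tokens[pos] == "or":
            take()
            value = term() or value
        return value

    return expr()


def match_rule(event, detection):
    results = {name: match_block(event, block)
               for name, block in detection.items() if name != "condition"}
    return evaluate_condition(detection["condition"], results)


# Detection section of 'Potential Vcruntime140 DLL Sideloading', as shown on the page.
VCRUNTIME140 = {
    "selection": {"ImageLoaded|endswith": "\\vcruntime140.dll"},
    "filter_main_legitimate_path": {"ImageLoaded|startswith": [
        "C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\",
        "C:\\Program Files\\", "C:\\Program Files (x86)\\"]},
    "filter_main_legitimate_signer": {
        "Signed": True, "SignatureStatus": "Valid",
        "Description": "Microsoft\u00ae C Runtime Library"},
    "condition": "selection and not 1 of filter_main_*",
}

# Constructed Sysmon Event ID 7 records (assumed values, not real telemetry).
EVENTS = [
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\SqlDumper.exe",  # unsigned DLL in Temp
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\vcruntime140.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Description": "-"},
    {"Image": "C:\\Program Files\\Git\\git-bash.exe",  # trusted install path
     "ImageLoaded": "C:\\Program Files\\Git\\vcruntime140.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Description": "Microsoft\u00ae C Runtime Library"},
    {"Image": "C:\\Users\\bob\\Downloads\\tool\\tool.exe",  # odd path, genuine Microsoft DLL
     "ImageLoaded": "C:\\Users\\bob\\Downloads\\tool\\VCRUNTIME140.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Description": "Microsoft\u00ae C Runtime Library"},
]


def alerts(events=EVENTS, detection=VCRUNTIME140):
    """Return the ImageLoaded paths the rule alerts on: only the Temp load survives both filters."""
    return [e["ImageLoaded"] for e in events if match_rule(e, detection)]
```

The third record is the case the signer filter exists for: a copy of the genuine runtime beside a tool in a user directory would otherwise page someone for every portable application, while the first record, an unsigned file of the same name, still alerts. Note that a backend that compares `Signed: true` as a YAML boolean against Sysmon's string field would silently drop that filter and flood the queue, which is why the matcher stringifies both sides.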
high
Potential Waveedit.DLL Sideloading
Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
status: test · author: X__Junior (Nextron Systems) · id: 71b31e99-9ad0-47d4-aeb5-c0ca3928eeeb
title: Potential Waveedit.DLL Sideloading
id: 71b31e99-9ad0-47d4-aeb5-c0ca3928eeeb
status: test
description: Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
references:
    - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
author: X__Junior (Nextron Systems)
date: 2023-06-14
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\waveedit.dll'
    filter_main_legit_path:
        Image:
            - 'C:\Program Files (x86)\Nero\Nero Apps\Nero WaveEditor\waveedit.exe'
            - 'C:\Program Files\Nero\Nero Apps\Nero WaveEditor\waveedit.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\Nero\Nero Apps\Nero WaveEditor\'
            - 'C:\Program Files\Nero\Nero Apps\Nero WaveEditor\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high
Potential appverifUI.DLL Sideloading
Detects potential DLL sideloading of "appverifUI.dll"
status: test · author: X__Junior (Nextron Systems) · id: ee6cea48-c5b6-4304-a332-10fc6446f484
title: Potential appverifUI.DLL Sideloading
id: ee6cea48-c5b6-4304-a332-10fc6446f484
status: test
description: Detects potential DLL sideloading of "appverifUI.dll"
references:
    - https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/
author: X__Junior (Nextron Systems)
date: 2023-06-20
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\appverifUI.dll'
    filter_main_legit_path:
        Image:
            - 'C:\Windows\SysWOW64\appverif.exe'
            - 'C:\Windows\System32\appverif.exe'
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high
Registry Modification for OCI DLL Redirection
Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings. Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · id: c0e0bdec-3e3d-47aa-9974-05539c999c89
title: Registry Modification for OCI DLL Redirection
id: c0e0bdec-3e3d-47aa-9974-05539c999c89
status: experimental
description: |
    Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings.
    Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
references:
    - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1112
    - attack.t1574.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_ocilib:
        TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLib'
    filter_main_ocilib_file:
        # Excludes the legitimate file name; a value pointing at something else, e.g. evil.dll, passes through
        Details|contains: 'oci.dll'
    selection_ocilibpath:
        TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLibPath'
    filter_main_ocilibpath:
        # Excludes the legitimate location; a path pointing elsewhere, e.g. 'C:\Windows\Temp\', passes through
        Details|contains: '%SystemRoot%\System32\'
    condition: (selection_ocilib and not filter_main_ocilib_file) or (selection_ocilibpath and not filter_main_ocilibpath)
falsepositives:
    - Unlikely
level: high
high
Renamed Vmnat.exe Execution
Detects a renamed or portable copy of vmnat.exe, which can be used for DLL side-loading
status: test · author: elhoim · id: 7b4f794b-590a-4ad4-ba18-7964a2832205
title: Renamed Vmnat.exe Execution
id: 7b4f794b-590a-4ad4-ba18-7964a2832205
status: test
description: Detects a renamed or portable copy of vmnat.exe, which can be used for DLL side-loading
references:
    - https://twitter.com/malmoeb/status/1525901219247845376
author: elhoim
date: 2022-09-09
modified: 2023-02-03
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: 'vmnat.exe'
    filter_rename:
        Image|endswith: 'vmnat.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high
high
Service DACL Abuse To Hide Services Via Sc.EXE
Detects usage of the "sc.exe" utility to set a service security descriptor (sdset) with the deny-ACE pattern seen used by threat actors, which makes the service hidden and unremovable.
status: test · author: Andreas Hunkeler (@Karneades) · id: a537cfc3-4297-4789-92b5-345bfd845ad0
title: Service DACL Abuse To Hide Services Via Sc.EXE
id: a537cfc3-4297-4789-92b5-345bfd845ad0
related:
    - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 # Deny Service Access
      type: similar
    - id: 98c5aeef-32d5-492f-b174-64a691896d25 # Generic SD tampering
      type: similar
status: test
description: Detects usage of the "sc.exe" utility to set a service security descriptor (sdset) with the deny-ACE pattern seen used by threat actors, which makes the service hidden and unremovable.
references:
    - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
    - https://twitter.com/Alh4zr3d/status/1580925761996828672
    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
author: Andreas Hunkeler (@Karneades)
date: 2021-12-20
modified: 2022-08-08
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\sc.exe'
        - OriginalFileName: 'sc.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'sdset'
            # Service access rights denied by the ACE pattern below. These are the
            # service-object SDDL meanings used by "sc sdset"; the same two-letter
            # codes mean something different on Active Directory objects.
            #   DC: SERVICE_CHANGE_CONFIG
            #   LC: SERVICE_QUERY_STATUS (denied -> hidden from sc query / Get-Service)
            #   WP: SERVICE_STOP
            #   DT: SERVICE_PAUSE_CONTINUE
            #   SD: DELETE (denied -> unremovable)
            - 'DCLCWPDTSD'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Suspicious GUP Usage
Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
status: test · author: Florian Roth (Nextron Systems) · id: 0a4f6091-223b-41f6-8743-f322ec84930b
title: Suspicious GUP Usage
id: 0a4f6091-223b-41f6-8743-f322ec84930b
status: test
description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
references:
    - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
author: Florian Roth (Nextron Systems)
date: 2019-02-06
modified: 2022-08-13
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\GUP.exe'
    filter_programfiles:
        Image|endswith:
            - '\Program Files\Notepad++\updater\GUP.exe'
            - '\Program Files (x86)\Notepad++\updater\GUP.exe'
    filter_user:
        Image|contains: '\Users\'
        Image|endswith:
            - '\AppData\Local\Notepad++\updater\GUP.exe'
            - '\AppData\Roaming\Notepad++\updater\GUP.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Execution of tools named GUP.exe and located in folders different than Notepad++\updater
level: high
high
Suspicious Printer Driver Empty Manufacturer
Detects a suspicious printer driver installation with an empty Manufacturer value
status: test · author: Florian Roth (Nextron Systems) · id: e0813366-0407-449a-9869-a2db1119dc41
title: Suspicious Printer Driver Empty Manufacturer
id: e0813366-0407-449a-9869-a2db1119dc41
status: test
description: Detects a suspicious printer driver installation with an empty Manufacturer value
references:
    - https://twitter.com/SBousseaden/status/1410545674773467140
author: Florian Roth (Nextron Systems)
date: 2020-07-01
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574
    - cve.2021-1675
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\Control\Print\Environments\Windows x64\Drivers'
            - '\Manufacturer'
        Details: '(Empty)'
    filter_cutepdf:
        TargetObject|contains: '\CutePDF Writer v4.0\'
    filter_vnc:
        TargetObject|contains:
            - '\VNC Printer (PS)\'
            - '\VNC Printer (UD)\'
    filter_pdf24:
        TargetObject|contains: '\Version-3\PDF24\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate printer drivers that leave the Manufacturer value empty
level: high
high
Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that hides a service from utilities such as "sc.exe", "Get-Service" etc. (the -SecurityDescriptorSddl parameter is only available in PowerShell 7)
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 22d80745-6f2c-46da-826b-77adaededd74
title: Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
id: 22d80745-6f2c-46da-826b-77adaededd74
related:
    - id: a95b9b42-1308-4735-a1af-abb1c5e6f5ac
      type: similar
status: test
description: Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that hides a service from utilities such as "sc.exe", "Get-Service" etc. (the -SecurityDescriptorSddl parameter is only available in PowerShell 7)
references:
    - https://twitter.com/Alh4zr3d/status/1580925761996828672
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_sddl_flag:
        ScriptBlockText|contains:
            - '-SecurityDescriptorSddl '
            - '-sd '
    selection_set_service:
        ScriptBlockText|contains|all:
            - 'Set-Service '
            - 'D;;'
        ScriptBlockText|contains:
            - ';;;IU'
            - ';;;SU'
            - ';;;BA'
            - ';;;SY'
            - ';;;WD'
    condition: all of selection_*
falsepositives:
    - Rare intended use of hidden services
    - Rare FPs could occur because long scripts are split across several ScriptBlockText entries, so the matched strings may not belong to the same command
level: high
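Both service-hiding rules above (the sc.exe sdset rule and this Set-Service one) key on the `DCLCWPDTSD` string and the `;;;IU` / `;;;SU` / `;;;BA` trustees rather than decoding the descriptor, so an analyst still has to work out what was actually denied to whom. The Python below is an added example, not code from SigmaHQ, the referenced SANS post or any tool on this page: it pulls the SDDL out of either command line, decodes the DACL with the service-object rights table that `sc sdset` uses, and reports each trustee that is denied a query, change, stop, pause or delete right. The command lines and service names are constructed for illustration (the first two follow the DCLCWPDTSD pattern, the third resembles a typical default service DACL), and `extract_sddl`, `parse_dacl` and `triage` are assumed helper names.

```python
import re

# Service-object meanings of the SDDL rights codes (what "sc sdset" operates on).
# Note the same codes denote other rights on AD objects; decode per object type.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known trustee abbreviations ("WD" here is Everyone, unrelated to the WRITE_DAC right).
TRUSTEES = {"IU": "Interactive Users", "SU": "Service Logon Users",
            "BA": "Builtin Administrators", "SY": "Local System", "WD": "Everyone",
            "AU": "Authenticated Users", "BU": "Builtin Users"}
# Rights whose denial makes a service invisible (LC) or unmanageable (DC, WP, DT, SD).
HIDING_RIGHTS = {"LC", "DC", "WP", "DT", "SD"}

_DACL = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")  # 'D:' + optional flags + ACEs, stops before 'S:'
_ACE = re.compile(r"\(([^)]*)\)")


def extract_sddl(text):
    """Return the SDDL argument from an sc.exe sdset or Set-Service command line, or None."""
    m = re.search(r'\b[OGDS]:[^\s"]+', text)
    return m.group(0) if m else None


def parse_dacl(sddl):
    """Return the DACL as (ace_type, [two-letter rights codes], trustee) tuples."""
    m = _DACL.search(sddl)
    if not m:
        return []
    aces = []
    for body in _ACE.findall(m.group(1)):
        parts = body.split(";")  # type;flags;rights;object_guid;inherit_guid;trustee
        if len(parts) < 6:
            continue
        rights = parts[2]  # hex rights masks are not decoded; they simply yield no codes
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append((parts[0], codes, parts[5]))
    return aces


def hidden_service_findings(sddl):
    """Deny ACEs that strip query/change/stop/pause/delete rights, per trustee."""
    findings = []
    for ace_type, codes, trustee in parse_dacl(sddl):
        denied = HIDING_RIGHTS.intersection(codes)
        if ace_type == "D" and denied:
            findings.append((TRUSTEES.get(trustee, trustee),
                             sorted(SERVICE_RIGHTS[c] for c in denied)))
    return findings


# Constructed command lines (assumed, not captured telemetry).
HIDE_CMD = ('sc.exe sdset evilsvc "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)'
            '(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)'
            '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"')
PS_CMD = ('Set-Service -Name evilsvc -SecurityDescriptorSddl '
          '"D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)"')
DEFAULT_CMD = ('sc.exe sdset goodsvc "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)'
               '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"')


def triage(command_line):
    """Findings for one process-creation or script-block command line."""
    sddl = extract_sddl(command_line)
    return hidden_service_findings(sddl) if sddl else []


if __name__ == "__main__":
    for cmd in (HIDE_CMD, PS_CMD, DEFAULT_CMD):
        print(cmd.split()[0], "->", triage(cmd) or "no hiding ACEs")
```

The order of the ACEs is the point of the technique: the deny entries for Interactive Users, Service Logon Users and Builtin Administrators come before the allow entries, and Windows evaluates deny ACEs first, so even an administrator's allow ACE later in the list cannot restore `SERVICE_QUERY_STATUS` or `DELETE`. Local System is not in the deny list, which is why the service keeps running and why a SYSTEM-level shell can still remove it.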
high
Suspicious Unsigned Thor Scanner Execution
Detects loading and execution of an unsigned thor scanner binary.
status: stable · author: Nasreddine Bencherchali (Nextron Systems) · id: ea5c131b-380d-49f9-aeb3-920694da4d4b
title: Suspicious Unsigned Thor Scanner Execution
id: ea5c131b-380d-49f9-aeb3-920694da4d4b
status: stable
description: Detects loading and execution of an unsigned thor scanner binary.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-29
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
        ImageLoaded|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_main:
        Signed: 'true'
        SignatureStatus: 'valid'
        Signature: 'Nextron Systems GmbH'
    condition: selection and not filter_main
falsepositives:
    - Other legitimate binaries named "thor.exe" that aren't published by Nextron Systems
level: high
high
System Control Panel Item Loaded From Uncommon Location
Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.
status: test · author: Anish Bogati · id: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde
title: System Control Panel Item Loaded From Uncommon Location
id: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde
status: test
description: |
    Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.
references:
    - https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
    - https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
    - https://github.com/mhaskar/FsquirtCPLPoC
    - https://securelist.com/sidewinder-apt/114089/
author: Anish Bogati
date: 2024-01-09
modified: 2026-02-17
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith:
            - '\appwiz.cpl' # Usually loaded by fondue.exe
            - '\bthprops.cpl' # Usually loaded by fsquirt.exe
            - '\hdwwiz.cpl' # Usually loaded by hdwwiz.exe
    filter_main_legit_location:
        ImageLoaded|startswith:
            - 'C:\Windows\Prefetch\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/info.yml
high
Tasks Folder Evasion
The Tasks folders in System32 and SysWOW64 are globally writable paths. Adversaries can take advantage of this and load or influence any script host or ANY .NET application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta or eventvwr
status: test · author: Sreeman · id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0
title: Tasks Folder Evasion
id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0
status: test
description: |
    The Tasks folders in System32 and SysWOW64 are globally writable paths.
    Adversaries can take advantage of this and load or influence any script host or ANY .NET application
    in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta or eventvwr
references:
    - https://twitter.com/subTee/status/1216465628946563073
    - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
author: Sreeman
date: 2020-01-13
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        CommandLine|contains:
            - 'echo '
            - 'copy '
            - 'type '
            - 'file createnew'
    selection2:
        CommandLine|contains:
            - ' C:\Windows\System32\Tasks\'
            - ' C:\Windows\SysWow64\Tasks\'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
high
Trusted Path Bypass via Windows Directory Spoofing
Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification. This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · id: 0cbe38c0-270c-41d9-ab79-6e5a9a669290
title: Trusted Path Bypass via Windows Directory Spoofing
id: 0cbe38c0-270c-41d9-ab79-6e5a9a669290
related:
    - id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
      type: similar
status: experimental
description: |
    Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification.
    This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
references:
    - https://x.com/Wietze/status/1933495426952421843
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-17
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.007
    - attack.t1548.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|contains:
            - ':\Windows \System32\'  # Note the space between "Windows" and "System32"
            - ':\Windows \SysWOW64\'  # Note the space between "Windows" and "SysWOW64"
    condition: selection
falsepositives:
    - Unlikely
level: high
high
UAC Bypass With Fake DLL
Attempts to load dismcore.dll after dropping it
status: test · author: oscd.community, Dmitry Uchakin · id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03
title: UAC Bypass With Fake DLL
id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03
status: test
description: Attempts to load dismcore.dll after dropping it
references:
    - https://steemit.com/utopian-io/@ah101/uac-bypassing-utility
author: oscd.community, Dmitry Uchakin
date: 2020-10-06
modified: 2022-12-25
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1548.002
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\dism.exe'
        ImageLoaded|endswith: '\dismcore.dll'
    filter:
        ImageLoaded: 'C:\Windows\System32\Dism\dismcore.dll'
    condition: selection and not filter
falsepositives:
    - Actions of a legitimate telnet client
level: high
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin