Sigma

Sigma detection rules

80 rules indexed · SIEM-agnostic detection content
Sigma is the open, generic signature format for SIEM systems. Each rule below converts to native query syntax for Splunk, Elastic, Sentinel and other SIEMs (the SigmaHQ sigma-cli and pySigma backends do the translation). Each rule's summary is followed by its raw YAML.

Detection rules

high
Aruba Network Service Potential DLL Sideloading
Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
status test author Nasreddine Bencherchali (Nextron Systems) id 90ae0469-0cee-4509-b67f-e5efcef040f7
view Sigma YAML
title: Aruba Network Service Potential DLL Sideloading
id: 90ae0469-0cee-4509-b67f-e5efcef040f7
status: test
description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
references:
    - https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-03-15
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\arubanetsvc.exe'
        ImageLoaded|endswith:
            - '\wtsapi32.dll'
            - '\msvcr100.dll'
            - '\msvcp100.dll'
            - '\dbghelp.dll'
            - '\dbgcore.dll'
            - '\wininet.dll'
            - '\iphlpapi.dll'
            - '\version.dll'
            - '\cryptsp.dll'
            - '\cryptbase.dll'
            - '\wldp.dll'
            - '\profapi.dll'
            - '\sspicli.dll'
            - '\winsta.dll'
            - '\dpapi.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
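To see what a rule like the one above actually fires on, run its detection block over sample events. The following is an added example (not code from the page or from SigmaHQ; production work should use pySigma or sigma-cli rather than a hand-rolled matcher) that transcribes the Aruba rule's detection as a Python dict, with the ImageLoaded list abridged to three entries, and evaluates its `selection and not filter` condition against four constructed Sysmon Event ID 7 (image_load) records. The install path and the user-writable paths in the sample records are invented for illustration. Sigma string matching is case-insensitive by default, which the fourth record exercises.

```python
"""Minimal Sigma rule matcher (added example; not the page's or SigmaHQ's code).

Evaluates the detection block of "Aruba Network Service Potential DLL
Sideloading" against constructed Sysmon Event ID 7 (image_load) records.
Implements only what that rule needs: endswith/startswith/contains modifiers,
OR across list values, implicit AND across fields, and the condition
'selection and not filter'. Use pySigma/sigma-cli for real conversions.
"""

# The rule's detection block transcribed as a dict (ImageLoaded list abridged).
ARUBA_SIDELOAD = {
    "selection": {
        "Image|endswith": "\\arubanetsvc.exe",
        "ImageLoaded|endswith": ["\\wtsapi32.dll", "\\version.dll", "\\dbghelp.dll"],
    },
    "filter": {
        "ImageLoaded|startswith": [
            "C:\\Windows\\System32\\",
            "C:\\Windows\\SysWOW64\\",
            "C:\\Windows\\WinSxS\\",
        ],
    },
    "condition": "selection and not filter",
}


def parse_key(key):
    """'ImageLoaded|endswith' -> ('ImageLoaded', ['endswith'])."""
    field, *modifiers = key.split("|")
    return field, modifiers


def value_matches(actual, expected, modifiers):
    """Sigma string comparison is case-insensitive; apply the modifier."""
    a, e = str(actual).lower(), str(expected).lower()
    if "endswith" in modifiers:
        return a.endswith(e)
    if "startswith" in modifiers:
        return a.startswith(e)
    if "contains" in modifiers:
        return e in a
    return a == e


def field_matches(event, key, expected):
    """A list of values is ORed unless the 'all' modifier is present."""
    field, modifiers = parse_key(key)
    if field not in event:
        return False
    values = expected if isinstance(expected, list) else [expected]
    hits = [value_matches(event[field], v, modifiers) for v in values]
    return all(hits) if "all" in modifiers else any(hits)


def selection_matches(event, selection):
    """Every field inside one selection must match (implicit AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def rule_matches(detection, event):
    """Evaluate the 'selection and not filter' condition used by this rule."""
    assert detection["condition"] == "selection and not filter"
    return (selection_matches(event, detection["selection"])
            and not selection_matches(event, detection["filter"]))


def run_rule(detection, events):
    """Return the indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if rule_matches(detection, ev)]


# Constructed records (not real telemetry; the install path is invented):
# 0: the service loads the Windows copy of wtsapi32.dll          -> filtered
# 1: the same service loads wtsapi32.dll from its own directory  -> alert
# 2: an unrelated process loads a planted version.dll            -> no match
# 3: a copy of the service in a user-writable path, mixed case   -> alert
VIA = "C:\\Program Files (x86)\\Aruba Networks\\VIA\\"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": VIA + "arubanetsvc.exe", "ImageLoaded": "C:\\Windows\\System32\\wtsapi32.dll"},
    {"EventID": 7, "Image": VIA + "arubanetsvc.exe", "ImageLoaded": VIA + "wtsapi32.dll"},
    {"EventID": 7, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Users\\Public\\version.dll"},
    {"EventID": 7, "Image": "c:\\users\\public\\ARUBANETSVC.EXE", "ImageLoaded": "c:\\users\\public\\VERSION.DLL"},
]

if __name__ == "__main__":
    for i in run_rule(ARUBA_SIDELOAD, SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['Image']} loaded {SAMPLE_EVENTS[i]['ImageLoaded']}")
```

Record 0 shows why the `filter` block exists: the service legitimately loads `wtsapi32.dll` from System32, and without the filter every normal start of the service would alert. Record 3 shows the rule still fires when an attacker copies the signed binary elsewhere, which is the usual sideloading setup.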
high
DHCP Callout DLL Installation
Detects the installation of a Callout DLL via the CalloutDlls and CalloutEnabled parameters in the registry, which can be used to execute code in the context of the DHCP server (restart required)
status test author Dimitrios Slamaris id 9d3436ef-9476-4c43-acca-90ce06bdf33a
view Sigma YAML
title: DHCP Callout DLL Installation
id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
status: test
description: Detects the installation of a Callout DLL via the CalloutDlls and CalloutEnabled parameters in the registry, which can be used to execute code in the context of the DHCP server (restart required)
references:
    - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
    - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
    - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: Dimitrios Slamaris
date: 2017-05-15
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1574.001
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\Services\DHCPServer\Parameters\CalloutDlls'
            - '\Services\DHCPServer\Parameters\CalloutEnabled'
    condition: selection
falsepositives:
    - Unknown
level: high
high
DHCP Server Error Failed Loading the CallOut DLL
This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
status test author Dimitrios Slamaris, @atc_project (fix) id 75edd3fd-7146-48e5-9848-3013d7f0282c
view Sigma YAML
title: DHCP Server Error Failed Loading the CallOut DLL
id: 75edd3fd-7146-48e5-9848-3013d7f0282c
status: test
description: This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
references:
    - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
    - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
    - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: 'Dimitrios Slamaris, @atc_project (fix)'
date: 2017-05-15
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID:
            - 1031
            - 1032
            - 1034
        Provider_Name: Microsoft-Windows-DHCP-Server
    condition: selection
falsepositives:
    - Unknown
level: high
high
DHCP Server Loaded the CallOut DLL
This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
status test author Dimitrios Slamaris id 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
view Sigma YAML
title: DHCP Server Loaded the CallOut DLL
id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
status: test
description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
references:
    - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
    - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
    - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: Dimitrios Slamaris
date: 2017-05-15
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 1033
        Provider_Name: Microsoft-Windows-DHCP-Server
    condition: selection
falsepositives:
    - Unknown
level: high
high
DLL Search Order Hijacking Via Additional Space in Path
Detects when an attacker creates a folder structure that mimics Windows system folders such as Windows or Program Files but with a trailing space in the name, in order to subvert the DLL load search order and perform a "DLL Search Order Hijacking" attack
status test author frack113, Nasreddine Bencherchali (Nextron Systems) id b6f91281-20aa-446a-b986-38a92813a18f
view Sigma YAML
title: DLL Search Order Hijacking Via Additional Space in Path
id: b6f91281-20aa-446a-b986-38a92813a18f
status: test
description: |
    Detects when an attacker creates a folder structure that mimics Windows system folders such as Windows or Program Files
    but with a trailing space in the name, in order to subvert the DLL load search order and perform a "DLL Search Order Hijacking" attack
references:
    - https://twitter.com/cyb3rops/status/1552932770464292864
    - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-30
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith:
            - 'C:\Windows \'
            - 'C:\Program Files \'
            - 'C:\Program Files (x86) \'
        TargetFilename|endswith: '.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
high
DLL Sideloading Of ShellChromeAPI.DLL
Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary, which in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter.
status test author Nasreddine Bencherchali (Nextron Systems) id ee4c5d06-3abc-48cc-8885-77f1c20f4451
view Sigma YAML
title: DLL Sideloading Of ShellChromeAPI.DLL
id: ee4c5d06-3abc-48cc-8885-77f1c20f4451
related:
    - id: e173ad47-4388-4012-ae62-bd13f71c18a8
      type: similar
status: test
description: |
    Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary, which in combination with the "PhoneDeepLink" flag tries to load this DLL.
    Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter.
references:
    - https://mobile.twitter.com/0gtweet/status/1564131230941122561
    - https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-01
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        # The DLL shouldn't exist on Windows anymore. If for some reason you still have it, filter out the legitimate loads.
        ImageLoaded|endswith: '\ShellChromeAPI.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
high
DLL Sideloading by VMware Xfer Utility
Detects execution of the VMware Xfer utility (VMwareXferlogs.exe) from a non-default directory, which may be an attempt to sideload an arbitrary DLL
status test author Nasreddine Bencherchali (Nextron Systems) id ebea773c-a8f1-42ad-a856-00cb221966e8
view Sigma YAML
title: DLL Sideloading by VMware Xfer Utility
id: ebea773c-a8f1-42ad-a856-00cb221966e8
status: test
description: Detects execution of the VMware Xfer utility (VMwareXferlogs.exe) from a non-default directory, which may be an attempt to sideload an arbitrary DLL
references:
    - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\VMwareXferlogs.exe'
    filter: # VMware might be installed in another path so update the rule accordingly
        Image|startswith: 'C:\Program Files\VMware\'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
high
DNS Server Error Failed Loading the ServerLevelPluginDLL
Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
status test author Florian Roth (Nextron Systems) id cbe51394-cd93-4473-b555-edf0144952d9
view Sigma YAML
title: DNS Server Error Failed Loading the ServerLevelPluginDLL
id: cbe51394-cd93-4473-b555-edf0144952d9
related:
    - id: e61e8a88-59a9-451c-874e-70fcc9740d67
      type: derived
    - id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
      type: derived
status: test
description: Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
references:
    - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
    - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
    - https://twitter.com/gentilkiwi/status/861641945944391680
author: Florian Roth (Nextron Systems)
date: 2017-05-08
modified: 2023-02-05
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    service: dns-server
detection:
    selection:
        EventID:
            - 150
            - 770
            - 771
    condition: selection
falsepositives:
    - Unknown
level: high
high
Fax Service DLL Search Order Hijack
The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
status test author NVISO id 828af599-4c53-4ed2-ba4a-a9f835c434ea
view Sigma YAML
title: Fax Service DLL Search Order Hijack
id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
status: test
description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
references:
    - https://windows-internals.com/faxing-your-way-to-system/
author: NVISO
date: 2020-05-04
modified: 2022-06-02
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\fxssvc.exe'
        ImageLoaded|endswith: 'ualapi.dll'
    filter:
        ImageLoaded|startswith: 'C:\Windows\WinSxS\'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
high
HackTool - Powerup Write Hijack DLL
PowerUp's Write-HijackDll function exploits DLL hijacking for privilege escalation. In its default mode, it builds a self-deleting .bat file that executes the malicious command. The detection rule relies on creation of the malicious .bat file (debug.bat by default).
status test author Subhash Popuri (@pbssubhash) id 602a1f13-c640-4d73-b053-be9a2fa58b96
view Sigma YAML
title: HackTool - Powerup Write Hijack DLL
id: 602a1f13-c640-4d73-b053-be9a2fa58b96
status: test
description: |
    PowerUp's Write-HijackDll function exploits DLL hijacking for privilege escalation.
    In its default mode, it builds a self-deleting .bat file that executes the malicious command.
    The detection rule relies on creation of the malicious .bat file (debug.bat by default).
references:
    - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
author: Subhash Popuri (@pbssubhash)
date: 2021-08-21
modified: 2024-06-27
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith: '.bat'
    condition: selection
falsepositives:
    - Any powershell script that creates bat files # highly unlikely (untested)
level: high
high
Malicious DLL File Dropped in the Teams or OneDrive Folder
Detects creation of a malicious DLL file in the folder where the OneDrive or Teams application is installed. Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
status test author frack113 id 1908fcc1-1b92-4272-8214-0fbaf2fa5163
view Sigma YAML
title: Malicious DLL File Dropped in the Teams or OneDrive Folder
id: 1908fcc1-1b92-4272-8214-0fbaf2fa5163
status: test
description: |
    Detects creation of a malicious DLL file in the folder where the OneDrive or Teams application is installed.
    Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
references:
    - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
author: frack113
date: 2022-08-12
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains|all:
            - 'iphlpapi.dll'
            - '\AppData\Local\Microsoft'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Microsoft Defender Blocked from Loading Unsigned DLL
Detects the Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs, which may be an attempt to sideload an arbitrary DLL
status test author Bhabesh Raj id 0b0ea3cc-99c8-4730-9c53-45deee2a4c86
view Sigma YAML
title: Microsoft Defender Blocked from Loading Unsigned DLL
id: 0b0ea3cc-99c8-4730-9c53-45deee2a4c86
status: test
description: Detects the Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs, which may be an attempt to sideload an arbitrary DLL
references:
    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
author: Bhabesh Raj
date: 2022-08-02
modified: 2022-09-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    service: security-mitigations
detection:
    selection:
        EventID:
            - 11
            - 12 # MDE: ExploitGuardNonMicrosoftSignedBlocked
        ProcessPath|endswith:
            - '\MpCmdRun.exe'
            - '\NisSrv.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Microsoft Office DLL Sideload
Detects DLL sideloading of DLLs that are part of Microsoft Office from a non-standard location
status test author Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) id 829a3bdf-34da-4051-9cf4-8ed221a8ae4f
view Sigma YAML
title: Microsoft Office DLL Sideload
id: 829a3bdf-34da-4051-9cf4-8ed221a8ae4f
status: test
description: Detects DLL sideloading of DLLs that are part of Microsoft Office from a non-standard location
references:
    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2023-03-15
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\outllib.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Program Files\Microsoft Office\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\OFFICE'
            - 'C:\Program Files\Microsoft Office\Root\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
high
New DNS ServerLevelPluginDll Installed
Detects the installation of a DNS plugin DLL via the ServerLevelPluginDll parameter in the registry, which can be used to execute code in the context of the DNS server (restart required)
status test author Florian Roth (Nextron Systems) id e61e8a88-59a9-451c-874e-70fcc9740d67
view Sigma YAML
title: New DNS ServerLevelPluginDll Installed
id: e61e8a88-59a9-451c-874e-70fcc9740d67
related:
    - id: cbe51394-cd93-4473-b555-edf0144952d9
      type: derived
    - id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
      type: derived
status: test
description: Detects the installation of a DNS plugin DLL via the ServerLevelPluginDll parameter in the registry, which can be used to execute code in the context of the DNS server (restart required)
references:
    - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
    - https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
author: Florian Roth (Nextron Systems)
date: 2017-05-08
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1574.001
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
    condition: selection
falsepositives:
    - Unknown
level: high
high
New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
Detects the installation of a DNS plugin DLL via the ServerLevelPluginDll parameter in the registry, which can be used to execute code in the context of the DNS server (restart required)
status test author Florian Roth (Nextron Systems) id f63b56ee-3f79-4b8a-97fb-5c48007e8573
view Sigma YAML
title: New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
related:
    - id: e61e8a88-59a9-451c-874e-70fcc9740d67
      type: derived
    - id: cbe51394-cd93-4473-b555-edf0144952d9
      type: derived
status: test
description: Detects the installation of a DNS plugin DLL via the ServerLevelPluginDll parameter in the registry, which can be used to execute code in the context of the DNS server (restart required)
references:
    - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
    - https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
author: Florian Roth (Nextron Systems)
date: 2017-05-08
modified: 2023-02-05
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1574.001
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\dnscmd.exe'
        CommandLine|contains|all:
            - '/config'
            - '/serverlevelplugindll'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe". Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".
status test author Swachchhanda Shrawan Poudel id d2451be2-b582-4e15-8701-4196ac180260
view Sigma YAML
title: Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
id: d2451be2-b582-4e15-8701-4196ac180260
related:
    - id: ca5583e9-8f80-46ac-ab91-7f314d13b984
      type: similar
status: test
description: |
    Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe".
    Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".
references:
    - https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html
    - https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/
    - https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/
    - https://twitter.com/Max_Mal_/status/1775222576639291859
    - https://twitter.com/DTCERT/status/1712785426895839339
author: Swachchhanda Shrawan Poudel
date: 2024-04-15
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\KeyScrambler.exe'
            - '\KeyScramblerLogon.exe'
        ImageLoaded|endswith: '\KeyScramblerIE.dll'
    filter_main_legitimate_path:
        Image|contains:
            - 'C:\Program Files (x86)\KeyScrambler\'
            - 'C:\Program Files\KeyScrambler\'
        ImageLoaded|contains:
            - 'C:\Program Files (x86)\KeyScrambler\'
            - 'C:\Program Files\KeyScrambler\'
    filter_main_signature:
        Signature: 'QFX Software Corporation'
        SignatureStatus: 'Valid'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
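The page's intro notes that each rule converts to native SIEM syntax. As an added example (not the page's or SigmaHQ's code, and not a substitute for the sigma-cli/pySigma backends), here is a minimal converter that renders the KeyScrambler rule's detection above, including its `selection and not 1 of filter_main_*` condition, as a Splunk search string and as a KQL predicate for a `where` clause. Field names are emitted unchanged, which is an assumption: a real backend applies a field mapping that renames Sysmon fields such as `Image` to the target data model's columns. Only the modifiers used by rules on this page are handled.

```python
"""Toy Sigma-to-query converter (added example; not the page's, SigmaHQ's or
pySigma's code). Renders the detection block of "Potential DLL Sideloading Of
KeyScramblerIE.DLL Via KeyScrambler.EXE" as a Splunk search and a KQL predicate.
Assumption: field names pass through unchanged; a real backend maps them.
"""

# The rule's detection block transcribed as a dict.
KEYSCRAMBLER_SIDELOAD = {
    "selection": {
        "Image|endswith": ["\\KeyScrambler.exe", "\\KeyScramblerLogon.exe"],
        "ImageLoaded|endswith": "\\KeyScramblerIE.dll",
    },
    "filter_main_legitimate_path": {
        "Image|contains": ["C:\\Program Files (x86)\\KeyScrambler\\", "C:\\Program Files\\KeyScrambler\\"],
        "ImageLoaded|contains": ["C:\\Program Files (x86)\\KeyScrambler\\", "C:\\Program Files\\KeyScrambler\\"],
    },
    "filter_main_signature": {"Signature": "QFX Software Corporation", "SignatureStatus": "Valid"},
    "condition": "selection and not 1 of filter_main_*",
}


def parse_key(key):
    """'Image|contains|all' -> ('Image', 'contains', True)."""
    field, *mods = key.split("|")
    return field, next((m for m in mods if m != "all"), "equals"), "all" in mods


class Splunk:
    """SPL: quoted values, backslashes doubled, modifiers become wildcards."""
    AND, OR, NOT = " AND ", " OR ", "NOT "

    @staticmethod
    def term(field, value, modifier):
        text = str(value).replace("\\", "\\\\").replace('"', '\\"')
        if modifier == "endswith":
            text = "*" + text
        elif modifier == "startswith":
            text = text + "*"
        elif modifier == "contains":
            text = "*" + text + "*"
        return f'{field}="{text}"'


class Kusto:
    """KQL: @"..." verbatim strings keep backslashes literal; =~ is
    case-insensitive equality, matching Sigma's default semantics."""
    AND, OR, NOT = " and ", " or ", "not "
    OPS = {"endswith": "endswith", "startswith": "startswith", "contains": "contains"}

    @classmethod
    def term(cls, field, value, modifier):
        text = str(value).replace('"', '""')  # a quote inside @"..." is doubled
        return f'{field} {cls.OPS.get(modifier, "=~")} @"{text}"'


def render_field(backend, key, values):
    """A list of values is ORed, or ANDed when the 'all' modifier is set."""
    field, modifier, match_all = parse_key(key)
    values = values if isinstance(values, list) else [values]
    terms = [backend.term(field, v, modifier) for v in values]
    if len(terms) == 1:
        return terms[0]
    return "(" + (backend.AND if match_all else backend.OR).join(terms) + ")"


def render_selection(backend, selection):
    """Fields inside one selection are implicitly ANDed."""
    return backend.AND.join(render_field(backend, k, v) for k, v in selection.items())


def resolve_condition(detection):
    """Return (selection, [filters]) for 'selection', 'selection and not <name>'
    and 'selection and not 1 of <prefix>*'; filters are ORed, then negated."""
    cond = detection["condition"]
    if cond == "selection":
        return detection["selection"], []
    head = "selection and not "
    if not cond.startswith(head):
        raise ValueError("unsupported condition: " + cond)
    rest = cond[len(head):]
    if rest.startswith("1 of ") and rest.endswith("*"):
        stem = rest[len("1 of "):-1]
        return detection["selection"], [v for k, v in detection.items() if k.startswith(stem)]
    return detection["selection"], [detection[rest]]


def convert(detection, backend):
    selection, filters = resolve_condition(detection)
    query = render_selection(backend, selection)
    if filters:
        negated = backend.OR.join("(" + render_selection(backend, f) + ")" for f in filters)
        query += backend.AND + backend.NOT + "(" + negated + ")"
    return query


if __name__ == "__main__":
    print("SPL:", convert(KEYSCRAMBLER_SIDELOAD, Splunk))
    print("KQL: | where", convert(KEYSCRAMBLER_SIDELOAD, Kusto))
```

The `1 of filter_main_*` condition is the part worth checking by hand: both filters are ORed and the whole group is negated, so a load is suppressed if it comes from the vendor directory or if the DLL carries a valid QFX Software Corporation signature. Dropping either filter, or ANDing them instead, silently changes what the rule suppresses.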
high
Potential DLL Sideloading Of Non-Existent DLLs From System Folders
Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
status test author Nasreddine Bencherchali (Nextron Systems), SBousseaden id 6b98b92b-4f00-4f62-b4fe-4d1920215771
view Sigma YAML
title: Potential DLL Sideloading Of Non-Existent DLLs From System Folders
id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
related:
    - id: df6ecb8b-7822-4f4b-b412-08f524b4576c # FileEvent rule
      type: similar
    - id: 602a1f13-c640-4d73-b053-be9a2fa58b77
      type: obsolete
status: test
description: |
    Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts.
    Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
references:
    - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
    - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
    - https://decoded.avast.io/martinchlumecky/png-steganography/
    - https://github.com/Wh04m1001/SysmonEoP
    - https://itm4n.github.io/cdpsvc-dll-hijacking/
    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
    - https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/
    - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
    - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
    - https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/
    - https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/
    - https://x.com/0gtweet/status/1564131230941122561
author: Nasreddine Bencherchali (Nextron Systems), SBousseaden
date: 2022-12-09
modified: 2026-01-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            # Add other DLLs
            - ':\Windows\System32\axeonoffhelper.dll'
            - ':\Windows\System32\cdpsgshims.dll'
            - ':\Windows\System32\oci.dll'
            - ':\Windows\System32\offdmpsvc.dll'
            - ':\Windows\System32\shellchromeapi.dll'
            - ':\Windows\System32\TSMSISrv.dll'
            - ':\Windows\System32\TSVIPSrv.dll'
            - ':\Windows\System32\wbem\wbemcomn.dll'
            - ':\Windows\System32\WLBSCTRL.dll'
            - ':\Windows\System32\wow64log.dll'
            - ':\Windows\System32\WptsExtensions.dll'
    filter_main_ms_signed:
        Signed: 'true'
        SignatureStatus: 'Valid'
        # There could be other signatures (please add when found)
        Signature: 'Microsoft Windows'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high
Potential DLL Sideloading Via VMware Xfer
Detects loading of a DLL by the VMware Xfer utility from a non-default directory, which may be an attempt to sideload an arbitrary DLL
status test author Nasreddine Bencherchali (Nextron Systems) id 9313dc13-d04c-46d8-af4a-a930cc55d93b
view Sigma YAML
title: Potential DLL Sideloading Via VMware Xfer
id: 9313dc13-d04c-46d8-af4a-a930cc55d93b
status: test
description: Detects loading of a DLL by the VMware Xfer utility from a non-default directory, which may be an attempt to sideload an arbitrary DLL
references:
    - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
modified: 2023-02-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith: '\VMwareXferlogs.exe'
        ImageLoaded|endswith: '\glib-2.0.dll'
    filter: # VMware might be installed in another path so update the rule accordingly
        ImageLoaded|startswith: 'C:\Program Files\VMware\'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
high
Potential DLL Sideloading Via comctl32.dll
Detects potential DLL sideloading using comctl32.dll to obtain system privileges
status test author Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash) id 6360757a-d460-456c-8b13-74cf0e60cceb
view Sigma YAML
title: Potential DLL Sideloading Via comctl32.dll
id: 6360757a-d460-456c-8b13-74cf0e60cceb
status: test
description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges
references:
    - https://github.com/binderlabs/DirCreate2System
    - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)
date: 2022-12-16
modified: 2022-12-19
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\logonUI.exe.local\'
            - 'C:\Windows\System32\werFault.exe.local\'
            - 'C:\Windows\System32\consent.exe.local\'
            - 'C:\Windows\System32\narrator.exe.local\'
            - 'C:\windows\system32\wermgr.exe.local\'
        ImageLoaded|endswith: '\comctl32.dll'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Potential EACore.DLL Sideloading
Detects potential DLL sideloading of "EACore.dll"
status test author X__Junior (Nextron Systems) id edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5
view Sigma YAML
title: Potential EACore.DLL Sideloading
id: edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5
status: test
description: Detects potential DLL sideloading of "EACore.dll"
references:
    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-08-03
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\EACore.dll'
    filter_main_legit_path:
        Image|contains|all:
            - 'C:\Program Files\Electronic Arts\EA Desktop\'
            - '\EACoreServer.exe'
        ImageLoaded|startswith: 'C:\Program Files\Electronic Arts\EA Desktop\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high
Potential Edputil.DLL Sideloading
Detects potential DLL sideloading of "edputil.dll"
status test author X__Junior (Nextron Systems) id e4903324-1a10-4ed3-981b-f6fe3be3a2c2
view Sigma YAML
title: Potential Edputil.DLL Sideloading
id: e4903324-1a10-4ed3-981b-f6fe3be3a2c2
status: test
description: Detects potential DLL sideloading of "edputil.dll"
references:
    - https://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/
author: X__Junior (Nextron Systems)
date: 2023-06-09
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\edputil.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high
Potential Iviewers.DLL Sideloading
Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
status test author X__Junior (Nextron Systems) id 4c21b805-4dd7-469f-b47d-7383a8fcb437
view Sigma YAML
title: Potential Iviewers.DLL Sideloading
id: 4c21b805-4dd7-469f-b47d-7383a8fcb437
status: test
description: Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
references:
    - https://www.secureworks.com/research/shadowpad-malware-analysis
author: X__Junior (Nextron Systems)
date: 2023-03-21
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\iviewers.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\Windows Kits\'
            - 'C:\Program Files\Windows Kits\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high
Potential JLI.dll Side-Loading
Detects potential DLL side-loading of jli.dll. JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm, and others, in order to load malicious payloads in the context of legitimate Java processes.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id 7a3b6d1f-4a2b-4f8c-9d7e-e9f8cbf21a35
title: Potential JLI.dll Side-Loading
id: 7a3b6d1f-4a2b-4f8c-9d7e-e9f8cbf21a35
status: experimental
description: |
    Detects potential DLL side-loading of jli.dll.
    JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm,
    and others, in order to load malicious payloads in the context of legitimate Java processes.
references:
    - https://securelist.com/apt41-in-africa/116986/
    - https://lab52.io/blog/snake-keylogger-in-geopolitical-affairs-abuse-of-trusted-java-utilities-in-cybercrime-operations/
    - https://hijacklibs.net/entries/3rd_party/oracle/jli.html
    - https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-25
modified: 2025-10-06
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\jli.dll'
    filter_main_legitimate_install_paths:
        ImageLoaded|startswith:
            # Keeping the paths generic as jli.dll was found inside various directories of installed software
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
        Description: 'OpenJDK Platform binary'
        OriginalFileName: 'jli.dll'
        Product|startswith: 'OpenJDK Platform'
        Signed: 'true'
    filter_optional_eclipse:
        ImageLoaded|startswith: 'C:\eclipse\plugins\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
high
Potential Mpclient.DLL Sideloading
Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
status test author Bhabesh Raj id 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
title: Potential Mpclient.DLL Sideloading
id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
related:
    - id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9
      type: similar
status: test
description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
references:
    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
author: Bhabesh Raj
date: 2022-08-02
modified: 2023-08-04
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith: '\mpclient.dll'
        Image|endswith:
            - '\MpCmdRun.exe'
            - '\NisSrv.exe'
    filter_main_known_locations:
        Image|startswith:
            - 'C:\Program Files (x86)\Windows Defender\'
            - 'C:\Program Files\Microsoft Security Client\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high
Potential Mpclient.DLL Sideloading Via Defender Binaries
Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
status test author Bhabesh Raj id 7002aa10-b8d4-47ae-b5ba-51ab07e228b9
title: Potential Mpclient.DLL Sideloading Via Defender Binaries
id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9
related:
    - id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
      type: similar
status: test
description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
references:
    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
author: Bhabesh Raj
date: 2022-08-01
modified: 2023-08-04
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\MpCmdRun.exe'
            - '\NisSrv.exe'
    filter_main_known_locations:
        Image|startswith:
            - 'C:\Program Files (x86)\Windows Defender\'
            - 'C:\Program Files\Microsoft Security Client\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high
Potential Rcdll.DLL Sideloading
Detects potential DLL sideloading of rcdll.dll
status test author X__Junior (Nextron Systems) id 6e78b74f-c762-4800-82ad-f66787f10c8a
title: Potential Rcdll.DLL Sideloading
id: 6e78b74f-c762-4800-82ad-f66787f10c8a
status: test
description: Detects potential DLL sideloading of rcdll.dll
references:
    - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
author: X__Junior (Nextron Systems)
date: 2023-03-13
modified: 2023-03-15
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\rcdll.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\Microsoft Visual Studio\'
            - 'C:\Program Files (x86)\Windows Kits\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high
Potential RjvPlatform.DLL Sideloading From Non-Default Location
Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
status test author X__Junior (Nextron Systems) id 0e0bc253-07ed-43f1-816d-e1b220fe8971
title: Potential RjvPlatform.DLL Sideloading From Non-Default Location
id: 0e0bc253-07ed-43f1-816d-e1b220fe8971
status: test
description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
references:
    - https://twitter.com/0gtweet/status/1666716511988330499
author: X__Junior (Nextron Systems)
date: 2023-06-09
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\RjvPlatform.dll'
        Image|endswith: '\SystemResetPlatform.exe'
    filter_main_legit_path:
        Image|startswith: 'C:\Windows\System32\SystemResetPlatform\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high
Potential SmadHook.DLL Sideloading
Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
status test author X__Junior (Nextron Systems) id 24b6cf51-6122-469e-861a-22974e9c1e5b
title: Potential SmadHook.DLL Sideloading
id: 24b6cf51-6122-469e-861a-22974e9c1e5b
status: test
description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
references:
    - https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/
    - https://www.qurium.org/alerts/targeted-malware-against-crph/
author: X__Junior (Nextron Systems)
date: 2023-06-01
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\SmadHook32c.dll'
            - '\SmadHook64c.dll'
    filter_main_legit_path:
        Image:
            - 'C:\Program Files (x86)\SMADAV\SmadavProtect32.exe'
            - 'C:\Program Files (x86)\SMADAV\SmadavProtect64.exe'
            - 'C:\Program Files\SMADAV\SmadavProtect32.exe'
            - 'C:\Program Files\SMADAV\SmadavProtect64.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\SMADAV\'
            - 'C:\Program Files\SMADAV\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high
Potential System DLL Sideloading From Non System Locations
Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
status test author Nasreddine Bencherchali (Nextron Systems) id 4fc0deee-0057-4998-ab31-d24e46e0aba4
title: Potential System DLL Sideloading From Non System Locations
id: 4fc0deee-0057-4998-ab31-d24e46e0aba4
status: test
description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
references:
    - https://hijacklibs.net/ # For a list of DLLs that could be sideloaded (search there for the DLLs mentioned here). Wietze Beukema (project and research)
    - https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll
    - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
    - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
    - https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
modified: 2025-12-03
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\aclui.dll'
            - '\activeds.dll'
            - '\adsldpc.dll'
            - '\aepic.dll'
            - '\apphelp.dll'
            - '\applicationframe.dll'
            - '\appvpolicy.dll'
            - '\appxalluserstore.dll'
            - '\appxdeploymentclient.dll'
            - '\archiveint.dll'
            - '\atl.dll'
            - '\audioses.dll'
            - '\auditpolcore.dll'
            - '\authfwcfg.dll'
            - '\authz.dll'
            - '\avrt.dll'
            - '\batmeter.dll'
            - '\bcd.dll'
            - '\bcp47langs.dll'
            - '\bcp47mrm.dll'
            - '\bcrypt.dll'
            - '\bderepair.dll'
            - '\bootmenuux.dll'
            - '\bootux.dll'
            - '\cabinet.dll'
            - '\cabview.dll'
            - '\certcli.dll'
            - '\certenroll.dll'
            - '\cfgmgr32.dll'
            - '\cldapi.dll'
            - '\clipc.dll'
            - '\clusapi.dll'
            - '\cmpbk32.dll'
            - '\cmutil.dll'
            - '\coloradapterclient.dll'
            - '\colorui.dll'
            - '\comdlg32.dll'
            - '\configmanager2.dll'
            - '\connect.dll'
            - '\coredplus.dll'
            - '\coremessaging.dll'
            - '\coreuicomponents.dll'
            - '\credui.dll'
            - '\cryptbase.dll'
            - '\cryptdll.dll'
            - '\cryptsp.dll'
            - '\cryptui.dll'
            - '\cryptxml.dll'
            - '\cscapi.dll'
            - '\cscobj.dll'
            - '\cscui.dll'
            - '\d2d1.dll'
            - '\d3d10_1.dll'
            - '\d3d10_1core.dll'
            - '\d3d10.dll'
            - '\d3d10core.dll'
            - '\d3d10warp.dll'
            - '\d3d11.dll'
            - '\d3d12.dll'
            - '\d3d9.dll'
            - '\d3dx9_43.dll'
            - '\dataexchange.dll'
            - '\davclnt.dll'
            - '\dcntel.dll'
            - '\dcomp.dll'
            - '\defragproxy.dll'
            - '\desktopshellext.dll'
            - '\deviceassociation.dll'
            - '\devicecredential.dll'
            - '\devicepairing.dll'
            - '\devobj.dll'
            - '\devrtl.dll'
            - '\dhcpcmonitor.dll'
            - '\dhcpcsvc.dll'
            - '\dhcpcsvc6.dll'
            - '\directmanipulation.dll'
            - '\dismapi.dll'
            - '\dismcore.dll'
            - '\dmcfgutils.dll'
            - '\dmcmnutils.dll'
            - '\dmcommandlineutils.dll'
            - '\dmenrollengine.dll'
            - '\dmenterprisediagnostics.dll'
            - '\dmiso8601utils.dll'
            - '\dmoleaututils.dll'
            - '\dmprocessxmlfiltered.dll'
            - '\dmpushproxy.dll'
            - '\dmxmlhelputils.dll'
            - '\dnsapi.dll'
            - '\dot3api.dll'
            - '\dot3cfg.dll'
            - '\dpx.dll'
            - '\drprov.dll'
            - '\drvstore.dll'
            - '\dsclient.dll'
            - '\dsparse.dll'
            - '\dsprop.dll'
            - '\dsreg.dll'
            - '\dsrole.dll'
            - '\dui70.dll'
            - '\duser.dll'
            - '\dusmapi.dll'
            - '\dwmapi.dll'
            - '\dwmcore.dll'
            - '\dwrite.dll'
            - '\dxcore.dll'
            - '\dxgi.dll'
            - '\dxva2.dll'
            - '\dynamoapi.dll'
            - '\eappcfg.dll'
            - '\eappprxy.dll'
            - '\edgeiso.dll'
            - '\edputil.dll'
            - '\efsadu.dll'
            - '\efsutil.dll'
            - '\esent.dll'
            - '\execmodelproxy.dll'
            - '\explorerframe.dll'
            - '\fastprox.dll'
            - '\faultrep.dll'
            - '\fddevquery.dll'
            - '\feclient.dll'
            - '\fhcfg.dll'
            - '\fhsvcctl.dll'
            - '\firewallapi.dll'
            - '\flightsettings.dll'
            - '\fltlib.dll'
            - '\framedynos.dll'
            - '\fveapi.dll'
            - '\fveskybackup.dll'
            - '\fvewiz.dll'
            - '\fwbase.dll'
            - '\fwcfg.dll'
            - '\fwpolicyiomgr.dll'
            - '\fwpuclnt.dll'
            - '\fxsapi.dll'
            - '\fxsst.dll'
            - '\fxstiff.dll'
            - '\getuname.dll'
            - '\gpapi.dll'
            - '\hid.dll'
            - '\hnetmon.dll'
            - '\httpapi.dll'
            - '\icmp.dll'
            - '\idstore.dll'
            - '\ieadvpack.dll'
            - '\iedkcs32.dll'
            - '\iernonce.dll'
            - '\iertutil.dll'
            - '\ifmon.dll'
            - '\ifsutil.dll'
            - '\inproclogger.dll'
            - '\iphlpapi.dll'
            - '\iri.dll'
            - '\iscsidsc.dll'
            - '\iscsium.dll'
            - '\isv.exe_rsaenh.dll'
            - '\iumbase.dll'
            - '\iumsdk.dll'
            - '\joinutil.dll'
            - '\kdstub.dll'
            - '\ksuser.dll'
            - '\ktmw32.dll'
            - '\licensemanagerapi.dll'
            - '\licensingdiagspp.dll'
            - '\linkinfo.dll'
            - '\loadperf.dll'
            - '\lockhostingframework.dll'
            - '\logoncli.dll'
            - '\logoncontroller.dll'
            - '\lpksetupproxyserv.dll'
            - '\lrwizdll.dll'
            - '\magnification.dll'
            - '\maintenanceui.dll'
            - '\mapistub.dll'
            - '\mbaexmlparser.dll'
            - '\mdmdiagnostics.dll'
            - '\mfc42u.dll'
            - '\mfcore.dll'
            - '\mfplat.dll'
            - '\mi.dll'
            - '\midimap.dll'
            - '\mintdh.dll'
            - '\miutils.dll'
            - '\mlang.dll'
            - '\mmdevapi.dll'
            - '\mobilenetworking.dll'
            - '\mpr.dll'
            - '\mprapi.dll'
            - '\mrmcorer.dll'
            - '\msacm32.dll'
            - '\mscms.dll'
            - '\mscoree.dll'
            - '\msctf.dll'
            - '\msctfmonitor.dll'
            - '\msdrm.dll'
            - '\msdtctm.dll'
            - '\msftedit.dll'
            - '\msi.dll'
            - '\msiso.dll'
            - '\msutb.dll'
            - '\msvcp110_win.dll'
            - '\mswb7.dll'
            - '\mswsock.dll'
            - '\msxml3.dll'
            - '\mtxclu.dll'
            - '\napinsp.dll'
            - '\ncrypt.dll'
            - '\ndfapi.dll'
            - '\netapi32.dll'
            - '\netid.dll'
            - '\netiohlp.dll'
            - '\netjoin.dll'
            - '\netplwiz.dll'
            - '\netprofm.dll'
            - '\netprovfw.dll'
            - '\netsetupapi.dll'
            - '\netshell.dll'
            - '\nettrace.dll'
            - '\netutils.dll'
            - '\networkexplorer.dll'
            - '\newdev.dll'
            - '\ninput.dll'
            - '\nlaapi.dll'
            - '\nlansp_c.dll'
            - '\npmproxy.dll'
            - '\nshhttp.dll'
            - '\nshipsec.dll'
            - '\nshwfp.dll'
            - '\ntdsapi.dll'
            - '\ntlanman.dll'
            - '\ntlmshared.dll'
            - '\ntmarta.dll'
            - '\ntshrui.dll'
            - '\oleacc.dll'
            - '\omadmapi.dll'
            - '\onex.dll'
            - '\opcservices.dll'
            - '\osbaseln.dll'
            - '\osksupport.dll'
            - '\osuninst.dll'
            - '\p2p.dll'
            - '\p2pnetsh.dll'
            - '\p9np.dll'
            - '\pcaui.dll'
            - '\pdh.dll'
            - '\peerdistsh.dll'
            - '\pkeyhelper.dll'
            - '\pla.dll'
            - '\playsndsrv.dll'
            - '\pnrpnsp.dll'
            - '\policymanager.dll'
            - '\polstore.dll'
            - '\powrprof.dll'
            - '\printui.dll'
            - '\prntvpt.dll'
            - '\profapi.dll'
            - '\propsys.dll'
            - '\proximitycommon.dll'
            - '\proximityservicepal.dll'
            - '\prvdmofcomp.dll'
            - '\puiapi.dll'
            - '\radcui.dll'
            - '\rasapi32.dll'
            - '\rasdlg.dll'
            - '\rasgcw.dll'
            - '\rasman.dll'
            - '\rasmontr.dll'
            - '\reagent.dll'
            - '\regapi.dll'
            - '\reseteng.dll'
            - '\resetengine.dll'
            - '\resutils.dll'
            - '\rmclient.dll'
            - '\rpcnsh.dll'
            - '\rsaenh.dll'
            - '\rtutils.dll'
            - '\rtworkq.dll'
            - '\samcli.dll'
            - '\samlib.dll'
            - '\sapi_onecore.dll'
            - '\sas.dll'
            - '\scansetting.dll'
            - '\scecli.dll'
            - '\schedcli.dll'
            - '\secur32.dll'
            - '\security.dll'
            - '\sensapi.dll'
            - '\shell32.dll'
            - '\shfolder.dll'
            - '\slc.dll'
            - '\snmpapi.dll'
            - '\spectrumsyncclient.dll'
            - '\spp.dll'
            - '\sppc.dll'
            - '\sppcext.dll'
            - '\srclient.dll'
            - '\srcore.dll'
            - '\srmtrace.dll'
            - '\srpapi.dll'
            - '\srvcli.dll'
            - '\ssp_isv.exe_rsaenh.dll'
            - '\ssp.exe_rsaenh.dll'
            - '\sspicli.dll'
            - '\ssshim.dll'
            - '\staterepository.core.dll'
            - '\structuredquery.dll'
            - '\sxshared.dll'
            - '\systemsettingsthresholdadminflowui.dll'
            - '\tapi32.dll'
            - '\tbs.dll'
            - '\tdh.dll'
            - '\textshaping.dll'
            - '\timesync.dll'
            - '\tpmcoreprovisioning.dll'
            - '\tquery.dll'
            - '\tsworkspace.dll'
            - '\ttdrecord.dll'
            - '\twext.dll'
            - '\twinapi.dll'
            - '\twinui.appcore.dll'
            - '\uianimation.dll'
            - '\uiautomationcore.dll'
            - '\uireng.dll'
            - '\uiribbon.dll'
            - '\umpdc.dll'
            - '\unattend.dll'
            - '\updatepolicy.dll'
            - '\upshared.dll'
            - '\urlmon.dll'
            - '\userenv.dll'
            - '\utildll.dll'
            - '\uxinit.dll'
            - '\uxtheme.dll'
            - '\vaultcli.dll'
            - '\vdsutil.dll'
            - '\version.dll'
            - '\virtdisk.dll'
            - '\vssapi.dll'
            - '\vsstrace.dll'
            - '\wbemprox.dll'
            - '\wbemsvc.dll'
            - '\wcmapi.dll'
            - '\wcnnetsh.dll'
            - '\wdi.dll'
            - '\wdscore.dll'
            - '\webservices.dll'
            - '\wecapi.dll'
            - '\wer.dll'
            - '\wevtapi.dll'
            - '\whhelper.dll'
            - '\wimgapi.dll'
            - '\winbio.dll'
            - '\winbrand.dll'
            - '\windows.storage.dll'
            - '\windows.storage.search.dll'
            - '\windows.ui.immersive.dll'
            - '\windowscodecs.dll'
            - '\windowscodecsext.dll'
            - '\windowsudk.shellcommon.dll'
            - '\winhttp.dll'
            - '\wininet.dll'
            - '\winipsec.dll'
            - '\winmde.dll'
            - '\winmm.dll'
            - '\winnsi.dll'
            - '\winrnr.dll'
            - '\winscard.dll'
            - '\winsqlite3.dll'
            - '\winsta.dll'
            - '\winsync.dll'
            - '\wkscli.dll'
            - '\wlanapi.dll'
            - '\wlancfg.dll'
            - '\wldp.dll'
            - '\wlidprov.dll'
            - '\wmiclnt.dll'
            - '\wmidcom.dll'
            - '\wmiutils.dll'
            - '\wmpdui.dll'
            - '\wmsgapi.dll'
            - '\wofutil.dll'
            - '\wpdshext.dll'
            - '\wscapi.dll'
            - '\wsdapi.dll'
            - '\wshbth.dll'
            - '\wshelper.dll'
            - '\wsmsvc.dll'
            - '\wtsapi32.dll'
            - '\wwancfg.dll'
            - '\wwapi.dll'
            - '\xmllite.dll'
            - '\xolehlp.dll'
            - '\xpsservices.dll'
            - '\xwizards.dll'
            - '\xwtpw32.dll'
            # From https://github.com/XForceIR/SideLoadHunter/blob/main/SideLoads/README.md
            - '\amsi.dll'
            - '\appraiser.dll'
            - '\COMRES.DLL'
            - '\cryptnet.dll'
            - '\DispBroker.dll'
            - '\dsound.dll'
            - '\dxilconv.dll'
            - '\FxsCompose.dll'
            - '\FXSRESM.DLL'
            - '\msdtcVSp1res.dll'
            - '\PrintIsolationProxy.dll'
            - '\rdpendp.dll'
            - '\rpchttp.dll'
            - '\storageusage.dll'
            - '\utcutil.dll'
            - '\WfsR.dll'
            # The DLLs below exist in the "C:\Windows\System32\DriverStore\FileRepository\" folder, but a copy is also located in "C:\ProgramData\Package Cache\XXXXXXX\Graphics\". If you see them being loaded from there, comment them out rather than adding a filter for ProgramData :)
            - '\igd10iumd64.dll'
            - '\igd12umd64.dll'
            - '\igdumdim64.dll'
            - '\igdusc64.dll'
            # Other
            - '\TSMSISrv.dll'
            - '\TSVIPSrv.dll'
            - '\wbemcomn.dll'
            - '\WLBSCTRL.dll'
            - '\wow64log.dll'
            - '\WptsExtensions.dll'
    filter_main_generic:
        # Note: this filter is generic on purpose to avoid an insane amount of FPs from legitimate third-party applications. A better approach would be to baseline everything and add specific filters to avoid blind spots
        ImageLoaded|contains:
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemTemp\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\SyChpe32\' # "hybrid" binaries containing x86-to-ARM stubs to improve x86 emulation performance
    filter_main_windows_temp:
        ImageLoaded|startswith: 'C:\Windows\Temp\'
        Image|startswith:
            - 'C:\Windows\WinSxS\arm64'
            - 'C:\Windows\UUS\arm64\'
        Image|endswith:
            - '\TiWorker.exe'
            - '\wuaucltcore.exe'
    filter_main_dot_net:
        ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\'
        ImageLoaded|endswith: '\cscui.dll'
    filter_main_defender:
        ImageLoaded|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        ImageLoaded|endswith: '\version.dll'
    filter_main_directx:
        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\Microsoft.DirectXRuntime_'
        ImageLoaded|endswith: '\d3dx9_43.dll'
    filter_optional_exchange:
        ImageLoaded|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
        ImageLoaded|endswith: '\mswb7.dll'
    filter_optional_arsenal_image_mounter:
        ImageLoaded|startswith: 'C:\Program Files\Arsenal-Image-Mounter-'
        ImageLoaded|endswith:
            - '\mi.dll'
            - '\miutils.dll'
    filter_optional_office_appvpolicy:
        Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
        ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
    filter_optional_azure:
        ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
    filter_optional_dell:
        Image|contains:
            - 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
            - 'C:\Windows\System32\backgroundTaskHost.exe'
        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
    filter_optional_dell_wldp:
        Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
        ImageLoaded|endswith: '\wldp.dll' # the loaded module, not the loading process
    filter_optional_checkpoint:
        Image|startswith:
            - 'C:\Program Files\CheckPoint\'
            - 'C:\Program Files (x86)\CheckPoint\'
        Image|endswith: '\SmartConsole.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files\CheckPoint\'
            - 'C:\Program Files (x86)\CheckPoint\'
        ImageLoaded|endswith: '\PolicyManager.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate applications loading their own versions of the DLLs mentioned in this rule
level: high
high
Potential Vcruntime140 DLL Sideloading
Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library. Threat actors have been observed using DLL sideloading techniques to load malicious payloads under the guise of legitimate applications such as SqlWriter and SqlDumper. Notably, APT29 has been documented leveraging WinELOADER to sideload vcruntime140.dll for executing malicious code.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id d7a63acb-1284-49bc-bfea-7771146c8b1c
title: Potential Vcruntime140 DLL Sideloading
id: d7a63acb-1284-49bc-bfea-7771146c8b1c
status: experimental
description: |
    Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library.
    Threat actors have been observed using DLL sideloading techniques to load malicious payloads under the guise of legitimate applications such as SqlWriter and SqlDumper.
    Notably, APT29 has been documented leveraging WinELOADER to sideload vcruntime140.dll for executing malicious code.
references:
    - https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
    - https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
    - https://www.nextron-systems.com/2023/09/15/detecting-janelarat-with-yara-and-thor/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-12
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\vcruntime140.dll'
    filter_main_legitimate_path:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_legitimate_signer:
        Signed: true
        SignatureStatus: 'Valid'
        Description: 'Microsoft® C Runtime Library'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/info.yml
high
Potential Waveedit.DLL Sideloading
Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
status test author X__Junior (Nextron Systems) id 71b31e99-9ad0-47d4-aeb5-c0ca3928eeeb
title: Potential Waveedit.DLL Sideloading
id: 71b31e99-9ad0-47d4-aeb5-c0ca3928eeeb
status: test
description: Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
references:
    - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
author: X__Junior (Nextron Systems)
date: 2023-06-14
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\waveedit.dll'
    filter_main_legit_path:
        Image:
            - 'C:\Program Files (x86)\Nero\Nero Apps\Nero WaveEditor\waveedit.exe'
            - 'C:\Program Files\Nero\Nero Apps\Nero WaveEditor\waveedit.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\Nero\Nero Apps\Nero WaveEditor\'
            - 'C:\Program Files\Nero\Nero Apps\Nero WaveEditor\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high
Potential appverifUI.DLL Sideloading
Detects potential DLL sideloading of "appverifUI.dll"
status test author X__Junior (Nextron Systems) id ee6cea48-c5b6-4304-a332-10fc6446f484
title: Potential appverifUI.DLL Sideloading
id: ee6cea48-c5b6-4304-a332-10fc6446f484
status: test
description: Detects potential DLL sideloading of "appverifUI.dll"
references:
    - https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/
author: X__Junior (Nextron Systems)
date: 2023-06-20
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\appverifUI.dll'
    filter_main_legit_path:
        Image:
            - 'C:\Windows\SysWOW64\appverif.exe'
            - 'C:\Windows\System32\appverif.exe'
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high
Registry Modification for OCI DLL Redirection
Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings. Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id c0e0bdec-3e3d-47aa-9974-05539c999c89
title: Registry Modification for OCI DLL Redirection
id: c0e0bdec-3e3d-47aa-9974-05539c999c89
status: experimental
description: |
    Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings.
    Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
references:
    - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1112
    - attack.t1574.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_ocilib:
        TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLib'
    filter_main_ocilib_file:
        # Expected value contains 'oci.dll'; the rule fires when the library name is changed to something else, e.g. evil.dll
        Details|contains: 'oci.dll'
    selection_ocilibpath:
        TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLibPath'
    filter_main_ocilibpath:
        # Expected path is under %SystemRoot%\System32\; the rule fires when the path is redirected elsewhere, e.g. 'C:\Windows\Temp\'
        Details|contains: '%SystemRoot%\System32\'
    condition: (selection_ocilib and not filter_main_ocilib_file) or (selection_ocilibpath and not filter_main_ocilibpath)
falsepositives:
    - Unlikely
level: high
high
Renamed Vmnat.exe Execution
Detects a renamed vmnat.exe or a portable copy of it, which can be used for DLL side-loading
status test author elhoim id 7b4f794b-590a-4ad4-ba18-7964a2832205
title: Renamed Vmnat.exe Execution
id: 7b4f794b-590a-4ad4-ba18-7964a2832205
status: test
description: Detects a renamed vmnat.exe or a portable copy of it, which can be used for DLL side-loading
references:
    - https://twitter.com/malmoeb/status/1525901219247845376
author: elhoim
date: 2022-09-09
modified: 2023-02-03
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: 'vmnat.exe'
    filter_rename:
        Image|endswith: 'vmnat.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high
high
Suspicious GUP Usage
Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
status test author Florian Roth (Nextron Systems) id 0a4f6091-223b-41f6-8743-f322ec84930b
title: Suspicious GUP Usage
id: 0a4f6091-223b-41f6-8743-f322ec84930b
status: test
description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
references:
    - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
author: Florian Roth (Nextron Systems)
date: 2019-02-06
modified: 2022-08-13
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\GUP.exe'
    filter_programfiles:
        Image|endswith:
            - '\Program Files\Notepad++\updater\GUP.exe'
            - '\Program Files (x86)\Notepad++\updater\GUP.exe'
    filter_user:
        Image|contains: '\Users\'
        Image|endswith:
            - '\AppData\Local\Notepad++\updater\GUP.exe'
            - '\AppData\Roaming\Notepad++\updater\GUP.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Execution of tools named GUP.exe and located in folders different than Notepad++\updater
level: high
high
Suspicious Unsigned Thor Scanner Execution
Detects loading and execution of an unsigned thor scanner binary.
status stable author Nasreddine Bencherchali (Nextron Systems) id ea5c131b-380d-49f9-aeb3-920694da4d4b
title: Suspicious Unsigned Thor Scanner Execution
id: ea5c131b-380d-49f9-aeb3-920694da4d4b
status: stable
description: Detects loading and execution of an unsigned thor scanner binary.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-29
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
        ImageLoaded|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_main:
        Signed: 'true'
        SignatureStatus: 'valid'
        Signature: 'Nextron Systems GmbH'
    condition: selection and not filter_main
falsepositives:
    - Other legitimate binaries named "thor.exe" that aren't published by Nextron Systems
level: high
high
System Control Panel Item Loaded From Uncommon Location
Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.
status test author Anish Bogati id 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde
title: System Control Panel Item Loaded From Uncommon Location
id: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde
status: test
description: |
    Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.
references:
    - https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
    - https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
    - https://github.com/mhaskar/FsquirtCPLPoC
    - https://securelist.com/sidewinder-apt/114089/
author: Anish Bogati
date: 2024-01-09
modified: 2026-02-17
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith:
            - '\appwiz.cpl' # Usually loaded by fondue.exe
            - '\bthprops.cpl' # Usually loaded by fsquirt.exe
            - '\hdwwiz.cpl' # Usually loaded by hdwwiz.exe
    filter_main_legit_location:
        ImageLoaded|startswith:
            - 'C:\Windows\Prefetch\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/info.yml
high
Tasks Folder Evasion
The Tasks folders in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
status test author Sreeman id cc4e02ba-9c06-48e2-b09e-2500cace9ae0
title: Tasks Folder Evasion
id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0
status: test
description: |
    The Tasks folders in system32 and syswow64 are globally writable paths.
    Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application
    in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
references:
    - https://twitter.com/subTee/status/1216465628946563073
    - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
author: Sreeman
date: 2020-01-13
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        CommandLine|contains:
            - 'echo '
            - 'copy '
            - 'type '
            - 'file createnew'
    selection2:
        CommandLine|contains:
            - ' C:\Windows\System32\Tasks\'
            - ' C:\Windows\SysWow64\Tasks\'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
high
UAC Bypass With Fake DLL
Detects attempts to load dismcore.dll after it has been dropped
status test author oscd.community, Dmitry Uchakin id a5ea83a7-05a5-44c1-be2e-addccbbd8c03
title: UAC Bypass With Fake DLL
id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03
status: test
description: Detects attempts to load dismcore.dll after it has been dropped
references:
    - https://steemit.com/utopian-io/@ah101/uac-bypassing-utility
author: oscd.community, Dmitry Uchakin
date: 2020-10-06
modified: 2022-12-25
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1548.002
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\dism.exe'
        ImageLoaded|endswith: '\dismcore.dll'
    filter:
        ImageLoaded: 'C:\Windows\System32\Dism\dismcore.dll'
    condition: selection and not filter
falsepositives:
    - Actions of a legitimate telnet client
level: high
high
Unsigned Binary Loaded From Suspicious Location
Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations
status test author Nasreddine Bencherchali (Nextron Systems) id 8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10
title: Unsigned Binary Loaded From Suspicious Location
id: 8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10
status: test
description: Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations
references:
    - https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-03
modified: 2022-09-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    service: security-mitigations
detection:
    selection:
        EventID:
            - 11
            - 12
        ImageName|contains:
            - '\Users\Public\'
            - '\PerfLogs\'
            - '\Desktop\'
            - '\Downloads\'
            - '\AppData\Local\Temp\'
            - 'C:\Windows\TEMP\'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Unsigned Mfdetours.DLL Sideloading
Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
status test author Nasreddine Bencherchali (Nextron Systems) id 948a0953-f287-4806-bbcb-3b2e396df89f
title: Unsigned Mfdetours.DLL Sideloading
id: 948a0953-f287-4806-bbcb-3b2e396df89f
related:
    - id: d2605a99-2218-4894-8fd3-2afb7946514d
      type: similar
status: test
description: Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-11
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\mfdetours.dll'
    filter_main_legit_path:
        ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
        SignatureStatus: 'Valid'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high
VMMap Unsigned Dbghelp.DLL Potential Sideloading
Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.
status test author Nasreddine Bencherchali (Nextron Systems) id 273a8dd8-3742-4302-bcc7-7df5a80fe425
title: VMMap Unsigned Dbghelp.DLL Potential Sideloading
id: 273a8dd8-3742-4302-bcc7-7df5a80fe425
related:
    - id: 98ffaed4-aec2-4e04-9b07-31492fe68b3d
      type: similar
status: test
description: Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.
references:
    - https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-28
modified: 2023-09-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|contains: 'C:\Debuggers\dbghelp.dll'
        Image|endswith:
            - '\vmmap.exe'
            - '\vmmap64.exe'
    filter_main_signed:
        Signed: 'true'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high
Xwizard.EXE Execution From Non-Default Location
Detects the execution of Xwizard tool from a non-default directory. When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
status test author Christian Burkard (Nextron Systems) id 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1
title: Xwizard.EXE Execution From Non-Default Location
id: 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1
status: test
description: |
    Detects the execution of Xwizard tool from a non-default directory.
    When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
    - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
author: Christian Burkard (Nextron Systems)
date: 2021-09-20
modified: 2024-08-15
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\xwizard.exe'
        - OriginalFileName: 'xwizard.exe'
    filter_main_legit_location:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Windows installed on non-C drive
level: high
medium
Creation Of Non-Existent System DLL
Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs. Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
status test author Nasreddine Bencherchali (Nextron Systems), fornotes id df6ecb8b-7822-4f4b-b412-08f524b4576c
title: Creation Of Non-Existent System DLL
id: df6ecb8b-7822-4f4b-b412-08f524b4576c
related:
    - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule
      type: similar
status: test
description: |
    Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes.
    Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
    Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
references:
    - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
    - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
    - https://decoded.avast.io/martinchlumecky/png-steganography/
    - https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
    - https://github.com/Wh04m1001/SysmonEoP
    - https://itm4n.github.io/cdpsvc-dll-hijacking/
    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
    - https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/
    - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
    - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
    - https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/
    - https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/
    - https://x.com/0gtweet/status/1564131230941122561
author: Nasreddine Bencherchali (Nextron Systems), fornotes
date: 2022-12-01
modified: 2026-01-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - ':\Windows\System32\axeonoffhelper.dll'
            - ':\Windows\System32\cdpsgshims.dll'
            - ':\Windows\System32\oci.dll'
            - ':\Windows\System32\offdmpsvc.dll'
            - ':\Windows\System32\shellchromeapi.dll'
            - ':\Windows\System32\TSMSISrv.dll'
            - ':\Windows\System32\TSVIPSrv.dll'
            - ':\Windows\System32\wbem\wbemcomn.dll'
            - ':\Windows\System32\WLBSCTRL.dll'
            - ':\Windows\System32\wow64log.dll'
            - ':\Windows\System32\WptsExtensions.dll'
            - '\SprintCSP.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_create_non_existent_dlls/info.yml
medium
Creation of WerFault.exe/Wer.dll in Unusual Folder
Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
status test author frack113 id 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
title: Creation of WerFault.exe/Wer.dll in Unusual Folder
id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
status: test
description: Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
references:
    - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
author: frack113
date: 2022-05-09
modified: 2025-12-03
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\WerFault.exe'
            - '\wer.dll'
    filter_main_known_locations:
        TargetFilename|startswith:
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\UUS\arm64\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Potential AVKkid.DLL Sideloading
Detects potential DLL sideloading of "AVKkid.dll"
status test author X__Junior (Nextron Systems) id 952ed57c-8f99-453d-aee0-53a49c22f95d
title: Potential AVKkid.DLL Sideloading
id: 952ed57c-8f99-453d-aee0-53a49c22f95d
status: test
description: Detects potential DLL sideloading of "AVKkid.dll"
references:
    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-08-03
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\AVKkid.dll'
    filter_main_legit_path:
        Image|contains:
            - 'C:\Program Files (x86)\G DATA\'
            - 'C:\Program Files\G DATA\'
        Image|endswith: '\AVKKid.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\G DATA\'
            - 'C:\Program Files\G DATA\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Potential Antivirus Software DLL Sideloading
Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.
status test author Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) id 552b6b65-df37-4d3e-a258-f2fc4771ae54
title: Potential Antivirus Software DLL Sideloading
id: 552b6b65-df37-4d3e-a258-f2fc4771ae54
status: test
description: Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.
references:
    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2025-10-07
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    # Bitdefender
    selection_bitdefender:
        ImageLoaded|endswith: '\log.dll'
    filter_log_dll_bitdefender:
        ImageLoaded|startswith:
            - 'C:\Program Files\Bitdefender Antivirus Free\'
            - 'C:\Program Files (x86)\Bitdefender Antivirus Free\'
    filter_log_dll_dell_sar:
        Image: 'C:\Program Files\Dell\SARemediation\audit\TelemetryUtility.exe'
        ImageLoaded:
            - 'C:\Program Files\Dell\SARemediation\plugin\log.dll'
            - 'C:\Program Files\Dell\SARemediation\audit\log.dll'
    filter_log_dll_canon:
        ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\'
    filter_log_dll_avast:
        ImageLoaded:
            - 'C:\Program Files\AVAST Software\Avast\log.dll'
            - 'C:\Program Files (x86)\AVAST Software\Avast\log.dll'
    filter_log_dll_avg:
        ImageLoaded:
            - 'C:\Program Files\AVG\Antivirus\log.dll'
            - 'C:\Program Files (x86)\AVG\Antivirus\log.dll'
    # F-Secure
    selection_fsecure:
        ImageLoaded|endswith: '\qrt.dll'
    filter_fsecure:
        ImageLoaded|startswith:
            - 'C:\Program Files\F-Secure\Anti-Virus\'
            - 'C:\Program Files (x86)\F-Secure\Anti-Virus\'
    # McAfee
    selection_mcafee:
        ImageLoaded|endswith:
            - '\ashldres.dll'
            - '\lockdown.dll'
            - '\vsodscpl.dll'
    filter_mcafee:
        ImageLoaded|startswith:
            - 'C:\Program Files\McAfee\'
            - 'C:\Program Files (x86)\McAfee\'
    # CyberArk
    selection_cyberark:
        ImageLoaded|endswith: '\vftrace.dll'
    filter_cyberark:
        ImageLoaded|startswith:
            - 'C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\'
            - 'C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\'
    # Avast
    selection_avast:
        ImageLoaded|endswith: '\wsc.dll'
    filter_wsc_dll_avast:
        ImageLoaded|startswith:
            - 'C:\program Files\AVAST Software\Avast\'
            - 'C:\program Files (x86)\AVAST Software\Avast\'
    filter_wsc_dll_avg:
        ImageLoaded|startswith:
            - 'C:\Program Files\AVG\Antivirus\'
            - 'C:\Program Files (x86)\AVG\Antivirus\'
    # ESET
    selection_eset_deslock:
        ImageLoaded|endswith: '\DLPPREM32.dll'
    filter_eset_deslock:
        ImageLoaded|startswith:
            - 'C:\program Files\ESET'
            - 'C:\program Files (x86)\ESET'
    # Trend Micro Titanium
    selection_titanium:
        ImageLoaded|endswith: '\tmdbglog.dll'
    filter_titanium:
        ImageLoaded|startswith:
            - 'C:\program Files\Trend Micro\Titanium\'
            - 'C:\program Files (x86)\Trend Micro\Titanium\'
    condition: (selection_bitdefender and not 1 of filter_log_dll_*)
               or (selection_fsecure and not filter_fsecure)
               or (selection_mcafee and not filter_mcafee)
               or (selection_cyberark and not filter_cyberark)
               or (selection_avast and not 1 of filter_wsc_dll_*)
               or (selection_titanium and not filter_titanium)
               or (selection_eset_deslock and not filter_eset_deslock)
falsepositives:
    - Applications that load the same DLLs mentioned in the detection section. Investigate them and filter them out if they cause a lot of FPs.
    - Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file.
    - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file
level: medium
medium
Potential CCleanerDU.DLL Sideloading
Detects potential DLL sideloading of "CCleanerDU.dll"
status test author X__Junior (Nextron Systems) id 1fbc0671-5596-4e17-8682-f020a0b995dc
title: Potential CCleanerDU.DLL Sideloading
id: 1fbc0671-5596-4e17-8682-f020a0b995dc
status: test
description: Detects potential DLL sideloading of "CCleanerDU.dll"
references:
    - https://lab52.io/blog/2344-2/
author: X__Junior (Nextron Systems)
date: 2023-07-13
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\CCleanerDU.dll'
    filter_main_path:
        Image|startswith:
            - 'C:\Program Files\CCleaner\'
            - 'C:\Program Files (x86)\CCleaner\'
        Image|endswith:
            - '\CCleaner.exe'
            - '\CCleaner64.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives could occur from other custom installation paths. Apply additional filters accordingly.
level: medium
medium
Potential CCleanerReactivator.DLL Sideloading
Detects potential DLL sideloading of "CCleanerReactivator.dll"
status test author X__Junior id 3735d5ac-d770-4da0-99ff-156b180bc600
title: Potential CCleanerReactivator.DLL Sideloading
id: 3735d5ac-d770-4da0-99ff-156b180bc600
status: test
description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
references:
    - https://lab52.io/blog/2344-2/
author: X__Junior
date: 2023-07-13
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\CCleanerReactivator.dll'
    filter_main_path:
        Image|startswith:
            - 'C:\Program Files\CCleaner\'
            - 'C:\Program Files (x86)\CCleaner\'
        Image|endswith: '\CCleanerReactivator.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives could occur from other custom installation paths. Apply additional filters accordingly.
level: medium
medium
Potential Chrome Frame Helper DLL Sideloading
Detects potential DLL sideloading of "chrome_frame_helper.dll"
status test author Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) id 72ca7c75-bf85-45cd-aca7-255d360e423c
title: Potential Chrome Frame Helper DLL Sideloading
id: 72ca7c75-bf85-45cd-aca7-255d360e423c
status: test
description: Detects potential DLL sideloading of "chrome_frame_helper.dll"
references:
    - https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2023-05-15
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\chrome_frame_helper.dll'
    filter_main_path:
        ImageLoaded|startswith:
            - 'C:\Program Files\Google\Chrome\Application\'
            - 'C:\Program Files (x86)\Google\Chrome\Application\'
    filter_optional_user_path:
        ImageLoaded|contains: '\AppData\local\Google\Chrome\Application\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin