Convert indexed Sigma rules into analyst-ready detections.

title: Potential Vcruntime140 DLL Sideloading
id: d7a63acb-1284-49bc-bfea-7771146c8b1c
status: experimental
description: |
    Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library.
    Threat actors have been observed using DLL sideloading techniques to load malicious payloads under the guise of legitimate applications such as SqlWriter, SqlDumper etc.
    Notably, APT29 has been documented leveraging WinELOADER to sideload vcruntime140.dll for executing malicious code.
references:
    - https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
    - https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
    - https://www.nextron-systems.com/2023/09/15/detecting-janelarat-with-yara-and-thor/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-12
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\vcruntime140.dll'
    filter_main_legitimate_path:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_legitimate_signer:
        Signed: true
        SignatureStatus: 'Valid'
        Description: 'Microsoft® C Runtime Library'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/info.yml