Type: Detection | Level: medium | Status: test

Potential Vivaldi_elf.DLL Sideloading

Detects potential DLL sideloading of "vivaldi_elf.dll"

Author: X__Junior (Nextron Systems) | Created: Thu Aug 03 | Rule ID: 2092cacb-d77b-4f98-ab0d-32b32f99a054 | Product: windows
Log Source
Product: Windows (raw: windows)
Category: Image Load (DLL) (raw: image_load)
Detection Logic (2 selectors)
detection:
    selection:
        ImageLoaded|endswith: '\vivaldi_elf.dll'
    filter_main_legit_path:
        Image|endswith: '\Vivaldi\Application\vivaldi.exe'
        ImageLoaded|contains: '\Vivaldi\Application\'
    condition: selection and not 1 of filter_main_*
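As an added example (not part of the rule or of SigmaHQ), the detection block above evaluated in Python over constructed Sysmon Event ID 7 (Image Load) records; the sample file paths are assumptions, and Sigma's default case-insensitive string matching is mirrored so the `endswith`/`contains` modifiers behave as a backend would compile them.

```python
# Added example, not part of the Sigma rule or SigmaHQ: evaluates this rule's
# detection logic against constructed Sysmon Event ID 7 (Image Load) records.

# Values copied from the rule's detection block (doubled backslashes: a Python
# raw string cannot end in a backslash)
SELECTION_IMAGELOADED_ENDSWITH = "\\vivaldi_elf.dll"
FILTER_IMAGE_ENDSWITH = "\\Vivaldi\\Application\\vivaldi.exe"
FILTER_IMAGELOADED_CONTAINS = "\\Vivaldi\\Application\\"

def _endswith(value: str, suffix: str) -> bool:
    # Sigma string modifiers compare case-insensitively by default
    return value.lower().endswith(suffix.lower())

def _contains(value: str, needle: str) -> bool:
    return needle.lower() in value.lower()

def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'selection and not 1 of filter_main_*'."""
    image = event.get("Image", "")
    image_loaded = event.get("ImageLoaded", "")
    selection = _endswith(image_loaded, SELECTION_IMAGELOADED_ENDSWITH)
    # Fields inside one selection map are AND-ed: the load is filtered out only
    # when the loader is vivaldi.exe in its install folder AND the DLL is there too
    filter_main_legit_path = (
        _endswith(image, FILTER_IMAGE_ENDSWITH)
        and _contains(image_loaded, FILTER_IMAGELOADED_CONTAINS)
    )
    return selection and not filter_main_legit_path

# Constructed sample events; the paths are hypothetical, not taken from the page
SAMPLE_EVENTS = [
    {  # legitimate: the browser loads its own DLL from its install directory
        "Image": r"C:\Users\alice\AppData\Local\Vivaldi\Application\vivaldi.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Vivaldi\Application\vivaldi_elf.dll",
    },
    {  # suspicious: same DLL name, loaded by another binary from a writable folder
        "Image": r"C:\Users\Public\Downloads\update.exe",
        "ImageLoaded": r"C:\Users\Public\Downloads\vivaldi_elf.dll",
    },
    {  # suspicious: loader is named vivaldi.exe but sits outside the install path
        "Image": r"C:\Temp\vivaldi.exe",
        "ImageLoaded": r"C:\Temp\vivaldi_elf.dll",
    },
    {  # unrelated DLL load: the selection does not match at all
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
    },
]

def alerts(events=SAMPLE_EVENTS) -> list:
    # Return the ImageLoaded paths of the events this rule would flag
    return [e["ImageLoaded"] for e in events if matches_rule(e)]
```

Running `alerts()` on the constructed events flags the two loads outside the install directory and passes the legitimate one, which is the false-positive boundary the `filter_main_legit_path` selector draws.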
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID: 2092cacb-d77b-4f98-ab0d-32b32f99a054
Status: test
Level: medium
Type: Detection
Created: Thu Aug 03
Path: rules/windows/image_load/image_load_side_load_vivaldi_elf.yml
Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001