
Potential SmadHook.DLL Sideloading

Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus

Author: X__Junior (Nextron Systems)
Created: Thu Jun 01
Rule ID: 24b6cf51-6122-469e-861a-22974e9c1e5b
Product: windows

Log Source
Product: windows
Category: image_load
Detection Logic (2 selectors)
detection:
    selection:
        ImageLoaded|endswith:
            - '\SmadHook32c.dll'
            - '\SmadHook64c.dll'
    filter_main_legit_path:
        Image:
            - 'C:\Program Files (x86)\SMADAV\SmadavProtect32.exe'
            - 'C:\Program Files (x86)\SMADAV\SmadavProtect64.exe'
            - 'C:\Program Files\SMADAV\SmadavProtect32.exe'
            - 'C:\Program Files\SMADAV\SmadavProtect64.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\SMADAV\'
            - 'C:\Program Files\SMADAV\'
    condition: selection and not 1 of filter_main_*
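To make the rule's semantics concrete, here is an added evaluator (not Sigma's engine and not part of the rule page) that applies the selection, the filter and the condition to constructed image-load events; it assumes Sigma's default case-insensitive string matching and Sysmon-style field names Image and ImageLoaded.

```python
# Added example: minimal evaluator for this rule's logic over constructed
# image-load events. Not Sigma's own engine; field names follow the rule.
SELECTION_SUFFIXES = ("\\smadhook32c.dll", "\\smadhook64c.dll")
LEGIT_IMAGES = (
    "c:\\program files (x86)\\smadav\\smadavprotect32.exe",
    "c:\\program files (x86)\\smadav\\smadavprotect64.exe",
    "c:\\program files\\smadav\\smadavprotect32.exe",
    "c:\\program files\\smadav\\smadavprotect64.exe",
)
LEGIT_PREFIXES = ("c:\\program files (x86)\\smadav\\", "c:\\program files\\smadav\\")


def matches_rule(event: dict) -> bool:
    """Return True when the event would trigger the rule.

    Sigma string matching is case-insensitive, so both sides are lowered.
    selection: ImageLoaded ends with one of the hook DLL names (list = OR).
    filter_main_legit_path: Image is one of the SmadAV binaries AND
    ImageLoaded sits under the SmadAV install directory (fields are ANDed).
    condition: selection and not 1 of filter_main_*.
    """
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    selection = loaded.endswith(SELECTION_SUFFIXES)
    legit = image in LEGIT_IMAGES and loaded.startswith(LEGIT_PREFIXES)
    return selection and not legit


# Constructed sample events (Sysmon Event ID 7 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\SMADAV\\SmadavProtect32.exe",
     "ImageLoaded": "C:\\Program Files\\SMADAV\\SmadHook32c.dll"},  # legitimate load
    {"Image": "C:\\Users\\Public\\SmadavProtect32.exe",
     "ImageLoaded": "C:\\Users\\Public\\SmadHook32c.dll"},          # binary outside install dir
    {"Image": "C:\\Program Files\\SMADAV\\SmadavProtect64.exe",
     "ImageLoaded": "C:\\Temp\\SmadHook64c.dll"},                   # DLL outside install dir
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},         # unrelated load
]


def alerts(events):
    """Return the ImageLoaded paths of every event the rule would flag."""
    return [e["ImageLoaded"] for e in events if matches_rule(e)]
```

Note that the filter only suppresses an event when both the loading process and the DLL are under the SmadAV install directory; either one outside it still alerts.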
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

Rule Metadata
Rule ID
24b6cf51-6122-469e-861a-22974e9c1e5b
Status
test
Level
high
Type
Detection
Created
Thu Jun 01
Path
rules/windows/image_load/image_load_side_load_smadhook.yml
Raw Tags
attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001