Detection | high | test

Potential Iviewers.DLL Sideloading

Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)

X__Junior (Nextron Systems) | Created Tue Mar 21 | 4c21b805-4dd7-469f-b47d-7383a8fcb437 | windows
Log Source
Product: Windows (raw: windows)
Category: Image Load (DLL) (raw: image_load)
Detection Logic (2 selectors)
detection:
    selection:
        ImageLoaded|endswith: '\iviewers.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\Windows Kits\'
            - 'C:\Program Files\Windows Kits\'
    condition: selection and not filter
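
The detection logic above applied to constructed image-load events, as an added example that is not part of the rule or the Sigma project. The `Image` field (the loading process) and every sample path are assumptions made for illustration; matching is case-insensitive, as Sigma string modifiers are by default.

```python
# Added example: the rule's "selection and not filter" logic in plain Python.
SELECTION_SUFFIX = "\\iviewers.dll"                 # ImageLoaded|endswith
FILTER_PREFIXES = (                                 # ImageLoaded|startswith
    "C:\\Program Files (x86)\\Windows Kits\\",
    "C:\\Program Files\\Windows Kits\\",
)

def matches_rule(event: dict) -> bool:
    """Return True when 'selection and not filter' holds for one image_load event."""
    loaded = event.get("ImageLoaded", "").lower()   # compare case-insensitively
    selection = loaded.endswith(SELECTION_SUFFIX.lower())
    filtered = loaded.startswith(tuple(p.lower() for p in FILTER_PREFIXES))
    return selection and not filtered

# Constructed sample events (not real telemetry): (Image, ImageLoaded)
_SAMPLES = [
    # 0: SDK install location, excluded by the filter
    (r"C:\Program Files (x86)\Windows Kits\10\bin\x64\oleview.exe",
     r"C:\Program Files (x86)\Windows Kits\10\bin\x64\iviewers.dll"),
    # 1: DLL loaded from a user-writable directory, alert
    (r"C:\Users\Public\Documents\oleview.exe",
     r"C:\Users\Public\Documents\iviewers.dll"),
    # 2: case variation still matches the selection, alert
    (r"C:\ProgramData\app\host.exe", r"c:\programdata\app\IVIEWERS.DLL"),
    # 3: different file name; the leading backslash anchors the match, no alert
    (r"C:\ProgramData\app\host.exe", r"C:\ProgramData\app\myiviewers.dll"),
    # 4: "Windows Kits" appears mid-path; the filter is a prefix match, alert
    (r"C:\Temp\host.exe", r"C:\Temp\Program Files\Windows Kits\iviewers.dll"),
    # 5: lower-cased SDK path is still excluded by the filter
    (r"c:\program files\windows kits\10\bin\x86\oleview.exe",
     r"c:\program files\windows kits\10\bin\x86\iviewers.dll"),
]
SAMPLE_EVENTS = [{"Image": i, "ImageLoaded": l} for i, l in _SAMPLES]

def triage(events):
    """Return the events that would raise an alert under this rule."""
    return [e for e in events if matches_rule(e)]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"ALERT  {hit['Image']}  loaded  {hit['ImageLoaded']}")
```
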
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
4c21b805-4dd7-469f-b47d-7383a8fcb437
Status
test
Level
high
Type
Detection
Created
Tue Mar 21
Path
rules/windows/image_load/image_load_side_load_iviewers.yml
Raw Tags
attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001