Detectionmediumtest
Potential Antivirus Software DLL Sideloading
Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)Created Wed Aug 17Updated Tue Oct 07552b6b65-df37-4d3e-a258-f2fc4771ae54windows
Log Source
WindowsImage Load (DLL)
ProductWindows← raw: windows
CategoryImage Load (DLL)← raw: image_load
Detection Logic
Detection Logic19 selectors
detection:
# Bitdefender
selection_bitdefender:
ImageLoaded|endswith: '\log.dll'
filter_log_dll_bitdefender:
ImageLoaded|startswith:
- 'C:\Program Files\Bitdefender Antivirus Free\'
- 'C:\Program Files (x86)\Bitdefender Antivirus Free\'
filter_log_dll_dell_sar:
Image: 'C:\Program Files\Dell\SARemediation\audit\TelemetryUtility.exe'
ImageLoaded:
- 'C:\Program Files\Dell\SARemediation\plugin\log.dll'
- 'C:\Program Files\Dell\SARemediation\audit\log.dll'
filter_log_dll_canon:
ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\'
filter_log_dll_avast:
ImageLoaded:
- 'C:\Program Files\AVAST Software\Avast\log.dll'
- 'C:\Program Files (x86)\AVAST Software\Avast\log.dll'
filter_log_dll_avg:
ImageLoaded:
- 'C:\Program Files\AVG\Antivirus\log.dll'
- 'C:\Program Files (x86)\AVG\Antivirus\log.dll'
# F-Secure
selection_fsecure:
ImageLoaded|endswith: '\qrt.dll'
filter_fsecure:
ImageLoaded|startswith:
- 'C:\Program Files\F-Secure\Anti-Virus\'
- 'C:\Program Files (x86)\F-Secure\Anti-Virus\'
# McAfee
selection_mcafee:
ImageLoaded|endswith:
- '\ashldres.dll'
- '\lockdown.dll'
- '\vsodscpl.dll'
filter_mcafee:
ImageLoaded|startswith:
- 'C:\Program Files\McAfee\'
- 'C:\Program Files (x86)\McAfee\'
# CyberArk
selection_cyberark:
ImageLoaded|endswith: '\vftrace.dll'
filter_cyberark:
ImageLoaded|startswith:
- 'C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\'
- 'C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\'
# Avast
selection_avast:
ImageLoaded|endswith: '\wsc.dll'
filter_wsc_dll_avast:
ImageLoaded|startswith:
- 'C:\program Files\AVAST Software\Avast\'
- 'C:\program Files (x86)\AVAST Software\Avast\'
filter_wsc_dll_avg:
ImageLoaded|startswith:
- 'C:\Program Files\AVG\Antivirus\'
- 'C:\Program Files (x86)\AVG\Antivirus\'
# ESET
selection_eset_deslock:
ImageLoaded|endswith: '\DLPPREM32.dll'
filter_eset_deslock:
ImageLoaded|startswith:
- 'C:\program Files\ESET'
- 'C:\program Files (x86)\ESET'
# Trend Micro Titanium
selection_titanium:
ImageLoaded|endswith: '\tmdbglog.dll'
filter_titanium:
ImageLoaded|startswith:
- 'C:\program Files\Trend Micro\Titanium\'
- 'C:\program Files (x86)\Trend Micro\Titanium\'
condition: (selection_bitdefender and not 1 of filter_log_dll_*)
or (selection_fsecure and not filter_fsecure)
or (selection_mcafee and not filter_mcafee)
or (selection_cyberark and not filter_cyberark)
or (selection_avast and not 1 of filter_wsc_dll_*)
or (selection_titanium and not filter_titanium)
or (selection_eset_deslock and not filter_eset_deslock)False Positives
Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.
Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file.
The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file
References
MITRE ATT&CK
Rule Metadata
Rule ID
552b6b65-df37-4d3e-a258-f2fc4771ae54
Status
test
Level
medium
Type
Detection
Created
Wed Aug 17
Modified
Tue Oct 07
Path
rules/windows/image_load/image_load_side_load_antivirus.yml
Raw Tags
attack.defense-evasionattack.persistenceattack.privilege-escalationattack.t1574.001