Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Potential DLL Sideloading Via comctl32.dll

Detects potential DLL sideloading using comctl32.dll to obtain system privileges

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems), Subhash PopuriCreated Fri Dec 16Updated Mon Dec 196360757a-d460-456c-8b13-74cf0e60ccebwindows
Log Source
WindowsImage Load (DLL)
ProductWindows← raw: windows
CategoryImage Load (DLL)← raw: image_load
Detection Logic
Detection Logic1 selector
detection:
    selection:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\logonUI.exe.local\'
            - 'C:\Windows\System32\werFault.exe.local\'
            - 'C:\Windows\System32\consent.exe.local\'
            - 'C:\Windows\System32\narrator.exe.local\'
            - 'C:\windows\system32\wermgr.exe.local\'
        ImageLoaded|endswith: '\comctl32.dll'
    condition: selection
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

References
1
Resolving title…
github.com
2
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
6360757a-d460-456c-8b13-74cf0e60cceb
Status
test
Level
high
Type
Detection
Created
Fri Dec 16
Modified
Mon Dec 19
Author
Nasreddine Bencherchali (Nextron Systems), Subhash Popuri
Path
rules/windows/image_load/image_load_side_load_comctl32.yml
Raw Tags
attack.defense-evasionattack.persistenceattack.privilege-escalationattack.t1574.001
View on GitHub