Detectionmediumtest

Potential DLL Sideloading Via JsSchHlp

Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Wed Dec 1468654bf0-4412-43d5-bfe8-5eaa393cd939windows

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection:
        ImageLoaded|endswith: '\JSESPR.dll'
    filter:
        ImageLoaded|startswith: 'C:\Program Files\Common Files\Justsystem\JsSchHlp\'
    condition: selection and not filter

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0003 · Persistence TA0004 · Privilege Escalation

Sub-techniques

T1574.001 · DLL Search Order Hijacking

Rule Metadata

Rule ID

68654bf0-4412-43d5-bfe8-5eaa393cd939

Status

test

Level

medium

Type

Detection

Created

Wed Dec 14

Author

François Hubaut

Path

rules/windows/image_load/image_load_side_load_jsschhlp.yml

Raw Tags

attack.defense-evasionattack.persistenceattack.privilege-escalationattack.t1574.001

View on GitHub