Detectionhightest

Potential DLL Sideloading Of Non-Existent DLLs From System Folders

Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems), SBousseadenCreated Fri Dec 09Updated Sat Jan 246b98b92b-4f00-4f62-b4fe-4d1920215771windows

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection:
        ImageLoaded|endswith:
            # Add other DLLs
            - ':\Windows\System32\axeonoffhelper.dll'
            - ':\Windows\System32\cdpsgshims.dll'
            - ':\Windows\System32\oci.dll'
            - ':\Windows\System32\offdmpsvc.dll'
            - ':\Windows\System32\shellchromeapi.dll'
            - ':\Windows\System32\TSMSISrv.dll'
            - ':\Windows\System32\TSVIPSrv.dll'
            - ':\Windows\System32\wbem\wbemcomn.dll'
            - ':\Windows\System32\WLBSCTRL.dll'
            - ':\Windows\System32\wow64log.dll'
            - ':\Windows\System32\WptsExtensions.dll'
    filter_main_ms_signed:
        Signed: 'true'
        SignatureStatus: 'Valid'
        # There could be other signatures (please add when found)
        Signature: 'Microsoft Windows'
    condition: selection and not 1 of filter_main_*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

remoteawesomethoughts.blogspot.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0003 · Persistence TA0004 · Privilege Escalation

Sub-techniques

T1574.001 · DLL Search Order Hijacking

Related Rules

SimilarDetectionmedium

Creation Of Non-Existent System DLL

Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs. Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.

Detects similar activity. Both rules may fire on overlapping events.

Similar

602a1f13-c640-4d73-b053-be9a2fa58b77

Rule not found

Rule Metadata

Rule ID

6b98b92b-4f00-4f62-b4fe-4d1920215771

Status

test

Level

high

Type

Detection

Created

Fri Dec 09

Modified

Sat Jan 24

Author

Nasreddine Bencherchali (Nextron Systems), SBousseaden

Path

rules/windows/image_load/image_load_side_load_non_existent_dlls.yml

Raw Tags

attack.defense-evasionattack.persistenceattack.privilege-escalationattack.t1574.001

View on GitHub