Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Abusable DLL Potential Sideloading From Suspicious Location

Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
X__Junior (Nextron Systems)Created Tue Jul 11799a5f48-0ac1-4e0f-9152-71d137d48c2awindows
Log Source
WindowsImage Load (DLL)
ProductWindows← raw: windows
CategoryImage Load (DLL)← raw: image_load
Detection Logic
Detection Logic3 selectors
detection:
    selection_dll:
        ImageLoaded|endswith:
            # Note: Add more generic DLLs that cannot be pin-pointed to a single application
            - '\coreclr.dll'
            - '\facesdk.dll'
            - '\HPCustPartUI.dll'
            - '\libcef.dll'
            - '\ZIPDLL.dll'
    selection_folders_1:
        ImageLoaded|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\Temporary Internet'
            - '\Windows\Temp\'
    selection_folders_2:
        - ImageLoaded|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - ImageLoaded|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - ImageLoaded|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - ImageLoaded|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: selection_dll and 1 of selection_folders_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
trendmicro.com
2
Resolving title…
research.checkpoint.com
MITRE ATT&CK
Rule Metadata
Rule ID
799a5f48-0ac1-4e0f-9152-71d137d48c2a
Status
test
Level
high
Type
Detection
Created
Tue Jul 11
Author
X__Junior (Nextron Systems)
Path
rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml
Raw Tags
attack.executionattack.t1059
View on GitHub