Detectionhighexperimental
Potential JLI.dll Side-Loading
Detects potential DLL side-loading of jli.dll. JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm, and others in order to load malicious payloads in context of legitimate Java processes.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Swachchhanda Shrawan Poudel (Nextron Systems)Created Fri Jul 25Updated Mon Oct 067a3b6d1f-4a2b-4f8c-9d7e-e9f8cbf21a35windows
Log Source
WindowsImage Load (DLL)
ProductWindows← raw: windows
CategoryImage Load (DLL)← raw: image_load
Detection Logic
Detection Logic3 selectors
detection:
selection:
ImageLoaded|endswith: '\jli.dll'
filter_main_legitimate_install_paths:
ImageLoaded|startswith:
# Keeping the paths generic as jli.dll was found inside various directories of installed software
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
Description: 'OpenJDK Platform binary'
OriginalFileName: 'jli.dll'
Product|startswith: 'OpenJDK Platform'
Signed: 'true'
filter_optional_eclipse:
ImageLoaded|startswith: 'C:\eclipse\plugins\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Rule Metadata
Rule ID
7a3b6d1f-4a2b-4f8c-9d7e-e9f8cbf21a35
Status
experimental
Level
high
Type
Detection
Created
Fri Jul 25
Modified
Mon Oct 06
Path
rules/windows/image_load/image_load_side_load_jli.yml
Raw Tags
attack.defense-evasionattack.persistenceattack.privilege-escalationattack.t1574.001