Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Potential DLL Sideloading Via VMware Xfer

Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Tue Aug 02Updated Fri Feb 179313dc13-d04c-46d8-af4a-a930cc55d93bwindows
Log Source
WindowsImage Load (DLL)
ProductWindows← raw: windows
CategoryImage Load (DLL)← raw: image_load
Detection Logic
Detection Logic2 selectors
detection:
    selection:
        Image|endswith: '\VMwareXferlogs.exe'
        ImageLoaded|endswith: '\glib-2.0.dll'
    filter: # VMware might be installed in another path so update the rule accordingly
        ImageLoaded|startswith: 'C:\Program Files\VMware\'
    condition: selection and not filter
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

References
1
Resolving title…
sentinelone.com
MITRE ATT&CK
Rule Metadata
Rule ID
9313dc13-d04c-46d8-af4a-a930cc55d93b
Status
test
Level
high
Type
Detection
Created
Tue Aug 02
Modified
Fri Feb 17
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/image_load/image_load_side_load_vmware_xfer.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.defense-evasionattack.t1574.001
View on GitHub