Detection | Level: medium | Status: test
Unsigned DLL Loaded by Windows Utility
Detects windows utilities loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code.
Author: Swachchhanda Shrawan Poudel | Created: Wed Feb 28 | Updated: Tue Oct 07 | Rule ID: b5de0c9a-6f19-43e0-af4e-55ad01f550af | Product: windows
Log Source
Product: Windows (raw: windows)
Category: Image Load (DLL) (raw: image_load)
Detection Logic (10 selectors)
detection:
    selection:
        Image|endswith:
            # Note: Add additional utilities that allow the loading of DLLs
            - '\InstallUtil.exe'
            - '\RegAsm.exe'
            - '\RegSvcs.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
    filter_main_signed:
        Signed: 'true'
    filter_main_sig_status:
        SignatureStatus:
            - 'errorChaining'
            - 'errorCode_endpoint'
            - 'errorExpired'
            - 'trusted'
            - 'Valid'
    filter_main_signed_null:
        Signed: null
    filter_main_signed_empty:
        Signed:
            - ''
            - '-'
    filter_main_sig_status_null:
        SignatureStatus: null
    filter_main_sig_status_empty:
        SignatureStatus:
            - ''
            - '-'
    filter_main_windows_installer:
        Image:
            - 'C:\Windows\SysWOW64\rundll32.exe'
            - 'C:\Windows\System32\rundll32.exe'
        ImageLoaded|startswith: 'C:\Windows\Installer\'
        ImageLoaded|endswith:
            - '.tmp-\Microsoft.Deployment.WindowsInstaller.dll'
            - '.tmp-\Avira.OE.Setup.CustomActions.dll'
    filter_main_assembly:
        Image|startswith:
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\Microsoft.NET\Framework64'
        Image|endswith: '\RegAsm.exe'
        ImageLoaded|endswith: '.dll'
        ImageLoaded|startswith: 'C:\Windows\assembly\NativeImages'
    filter_optional_klite_codec:
        Image:
            - 'C:\Windows\SysWOW64\regsvr32.exe'
            - 'C:\Windows\System32\regsvr32.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\K-Lite Codec Pack\'
            - 'C:\Program Files\K-Lite Codec Pack\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
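The detection logic above, re-implemented in plain Python and run over a few constructed image-load records, as an added example (not the rule's or the Sigma project's code). Field names follow the rule; the sample paths and the 'Unavailable' signature status are constructed, and Sigma's default case-insensitive string matching is assumed.

```python
# Added example, not Sigma's own matcher; assumes case-insensitive matching and Sysmon-style field names.
UTILITIES = ('\\installutil.exe', '\\regasm.exe', '\\regsvcs.exe', '\\regsvr32.exe', '\\rundll32.exe')
OK_STATUS = {'errorchaining', 'errorcode_endpoint', 'errorexpired', 'trusted', 'valid'}
RUNDLL32 = {'c:\\windows\\syswow64\\rundll32.exe', 'c:\\windows\\system32\\rundll32.exe'}
REGSVR32 = {'c:\\windows\\syswow64\\regsvr32.exe', 'c:\\windows\\system32\\regsvr32.exe'}
INSTALLER_DLLS = ('.tmp-\\microsoft.deployment.windowsinstaller.dll',
                  '.tmp-\\avira.oe.setup.customactions.dll')
ASSEMBLY_DIRS = ('c:\\windows\\syswow64\\', 'c:\\windows\\system32\\',
                 'c:\\windows\\microsoft.net\\framework64')
KLITE_DIRS = ('c:\\program files (x86)\\k-lite codec pack\\',
              'c:\\program files\\k-lite codec pack\\')

def _s(ev, key):  # lower-case string fields; a missing field stays None (matches the *_null filters)
    v = ev.get(key)
    return v.lower() if isinstance(v, str) else v

def matches(ev):
    """selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    image, loaded = _s(ev, 'Image') or '', _s(ev, 'ImageLoaded') or ''
    signed, status = _s(ev, 'Signed'), _s(ev, 'SignatureStatus')
    if not image.endswith(UTILITIES):                        # selection: loader is a listed utility
        return False
    if signed == 'true' or signed in (None, '', '-'):         # filter_main_signed, _null, _empty
        return False
    if status in OK_STATUS or status in (None, '', '-'):      # filter_main_sig_status, _null, _empty
        return False
    if image in RUNDLL32 and loaded.startswith('c:\\windows\\installer\\') \
            and loaded.endswith(INSTALLER_DLLS):              # filter_main_windows_installer
        return False
    if image.startswith(ASSEMBLY_DIRS) and image.endswith('\\regasm.exe') \
            and loaded.endswith('.dll') and loaded.startswith('c:\\windows\\assembly\\nativeimages'):
        return False                                          # filter_main_assembly
    if image in REGSVR32 and loaded.startswith(KLITE_DIRS):   # filter_optional_klite_codec
        return False
    return True

def ev(image, loaded, signed='false', status='Unavailable'):
    return {'Image': image, 'ImageLoaded': loaded, 'Signed': signed, 'SignatureStatus': status}

# Constructed events (a field subset of Sysmon Event ID 7). Only the first should alert; the
# last one carries no signature fields at all and is dropped by the *_null filters.
EVENTS = [
    ev('C:\\Windows\\System32\\rundll32.exe', 'C:\\Users\\u\\AppData\\Local\\Temp\\x.dll'),
    ev('C:\\Windows\\System32\\regsvr32.exe', 'C:\\Windows\\System32\\scrrun.dll', 'true', 'Valid'),
    ev('C:\\Windows\\System32\\rundll32.exe',
       'C:\\Windows\\Installer\\MSI1A2B.tmp-\\Microsoft.Deployment.WindowsInstaller.dll'),
    ev('C:\\Windows\\SysWOW64\\regsvr32.exe', 'C:\\Program Files\\K-Lite Codec Pack\\Filters\\x.ax'),
    {'Image': 'C:\\Windows\\System32\\rundll32.exe', 'ImageLoaded': 'C:\\Users\\u\\z.dll'},
]
def alerts(events=EVENTS):
    return [e['ImageLoaded'] for e in events if matches(e)]
```

Because the null and empty filters discard events without signature data, the rule only fires where the log source actually populates Signed and SignatureStatus; that is the first thing to verify when it produces no hits.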
MITRE ATT&CK
Tactics
Defense Evasion (attack.defense-evasion)
Sub-techniques
T1218.010 System Binary Proxy Execution: Regsvr32 (attack.t1218.010)
T1218.011 System Binary Proxy Execution: Rundll32 (attack.t1218.011)
Rule Metadata
Rule ID
b5de0c9a-6f19-43e0-af4e-55ad01f550af
Status
test
Level
medium
Type
Detection
Created
Wed Feb 28
Modified
Tue Oct 07
Path
rules/windows/image_load/image_load_susp_unsigned_dll.yml
Raw Tags
attack.t1218.011
attack.t1218.010
attack.defense-evasion