Detection | medium | test

Potential Libvlc.DLL Sideloading

Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"

Author: X__Junior
Created: Mon Apr 17
Rule ID: bf9808c4-d24f-44a2-8398-b65227d406b6
Log Source
Product: Windows (raw: windows)
Category: Image Load (DLL) (raw: image_load)
Detection Logic (2 selectors)
detection:
    selection:
        ImageLoaded|endswith: '\libvlc.dll'
    filter_main_vlc:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\VideoLAN\VLC\'
            - 'C:\Program Files\VideoLAN\VLC\'
    condition: selection and not 1 of filter_main_*
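To make the two selectors and the condition concrete, here is an added Python evaluator (not part of the Sigma rule or of this page) that applies the rule's logic to constructed image-load events; it assumes Sigma's default case-insensitive string matching and an event schema that exposes an ImageLoaded field, as Sysmon Event ID 7 does.

```python
# Added example: a minimal evaluator for this rule's selectors and condition.
# Sigma's |endswith and |startswith modifiers compare case-insensitively by
# default, which casefold() reproduces here. Sample events are constructed.

SELECTION_ENDSWITH = "\\libvlc.dll"
FILTER_MAIN_VLC_STARTSWITH = (
    "C:\\Program Files (x86)\\VideoLAN\\VLC\\",
    "C:\\Program Files\\VideoLAN\\VLC\\",
)


def selection(event: dict) -> bool:
    """selection: ImageLoaded|endswith '\\libvlc.dll'."""
    image = event.get("ImageLoaded", "")
    return image.casefold().endswith(SELECTION_ENDSWITH.casefold())


def filter_main_vlc(event: dict) -> bool:
    """filter_main_vlc: ImageLoaded starts with one of the default VLC dirs."""
    image = event.get("ImageLoaded", "").casefold()
    return any(image.startswith(p.casefold()) for p in FILTER_MAIN_VLC_STARTSWITH)


def matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    filters = [filter_main_vlc]  # every selector whose name matches filter_main_*
    return selection(event) and not any(f(event) for f in filters)


# Constructed sample events (not real telemetry); only ImageLoaded is evaluated.
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe",
     "ImageLoaded": "C:\\Program Files\\VideoLAN\\VLC\\libvlc.dll"},  # default install: filtered
    {"Image": "C:\\Users\\Public\\vlc.exe",
     "ImageLoaded": "C:\\Users\\Public\\libvlc.dll"},                 # outside VLC dir: alert
    {"Image": "D:\\Apps\\VLC\\vlc.exe",
     "ImageLoaded": "D:\\Apps\\VLC\\LIBVLC.DLL"},                     # non-default install: expected FP
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\libvlccore.dll"},         # different DLL name: no match
]


def evaluate(events):
    """Return the ImageLoaded paths of the events this rule would flag."""
    return [e["ImageLoaded"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The third sample event shows the false positive the rule documents: a VLC install outside the two default directories is flagged because only the path, not the loading process, is whitelisted.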
False Positives

False positives are expected if VLC is installed in non-default locations

Rule Metadata
Rule ID
bf9808c4-d24f-44a2-8398-b65227d406b6
Status
test
Level
medium
Type
Detection
Created
Mon Apr 17
Author
X__Junior
Path
rules/windows/image_load/image_load_side_load_libvlc.yml
Raw Tags
attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001