Detectionmediumtest

Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE

Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Fri May 05e49b5745-1064-4ac1-9a2e-f687bc2dd37ewindows

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection:
        Image|endswith: '\gup.exe'
        ImageLoaded|endswith: '\libcurl.dll'
    filter_main_notepad_plusplus:
        Image|endswith: '\Notepad++\updater\GUP.exe'
    condition: selection and not 1 of filter_main_*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

labs.withsecure.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0003 · Persistence TA0004 · Privilege Escalation

Sub-techniques

T1574.001 · DLL Search Order Hijacking

Rule Metadata

Rule ID

e49b5745-1064-4ac1-9a2e-f687bc2dd37e

Status

test

Level

medium

Type

Detection

Created

Fri May 05

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/image_load/image_load_side_load_gup_libcurl.yml

Raw Tags

attack.defense-evasionattack.persistenceattack.privilege-escalationattack.t1574.001

View on GitHub