Potential RoboForm.DLL Sideloading
Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Created: Sun May 14
Rule ID: f64c9b2d-b0ad-481d-9d03-7fc75020892a
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Image Load (DLL) (raw: image_load)
Detection Logic (2 selectors)
detection:
    selection:
        # any RoboForm DLL being loaded, regardless of the loading process
        ImageLoaded|endswith:
            - '\roboform.dll'
            - '\roboform-x64.dll'
    filter_main_path:
        # both fields must match (AND) for the filter to suppress the event:
        # the loader is the RoboForm tray binary running from its install folder
        Image|startswith:
            - 'C:\Program Files (x86)\Siber Systems\AI RoboForm\'
            - 'C:\Program Files\Siber Systems\AI RoboForm\'
        Image|endswith:
            - '\robotaskbaricon.exe'
            - '\robotaskbaricon-x64.exe'
    condition: selection and not 1 of filter_main_*
False Positives
If installed on a per-user level, the path would be located in "AppData\Local". Add additional filters to reflect this mode of installation.
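As an added example (not code from the Sigma project or the rule's authors), the following Python evaluates the rule's selection, filter and condition over a few constructed image-load events, and shows how the extra filter for a per-user install mentioned under False Positives could be expressed. The per-user folder layout under AppData\Local and every sample path are assumptions, not values from the rule.

```python
# Added example (not from the Sigma project or the rule's authors): evaluate
# the rule's detection logic over constructed image_load events and add the
# per-user install filter that the False Positives note asks for.
# The per-user folder layout and all sample paths are assumptions.

# Values copied from the rule's "selection" and "filter_main_path" selectors.
SELECTION_IMAGELOADED_ENDSWITH = ("\\roboform.dll", "\\roboform-x64.dll")
FILTER_IMAGE_STARTSWITH = (
    "C:\\Program Files (x86)\\Siber Systems\\AI RoboForm\\",
    "C:\\Program Files\\Siber Systems\\AI RoboForm\\",
)
FILTER_IMAGE_ENDSWITH = ("\\robotaskbaricon.exe", "\\robotaskbaricon-x64.exe")

# Assumed per-user install folder (the rule only says "AppData\Local").
# The user name varies, so a Sigma filter would use Image|contains here.
PER_USER_IMAGE_CONTAINS = ("\\AppData\\Local\\Siber Systems\\AI RoboForm\\",)


def _any(value, candidates, test):
    """Apply a string test against every candidate; Sigma string matching on
    Windows log sources is case-insensitive, so compare lower-cased."""
    value = value.lower()
    return any(test(value, c.lower()) for c in candidates)


def selection(event):
    """selection: ImageLoaded|endswith one of the RoboForm DLL names."""
    return _any(event.get("ImageLoaded", ""), SELECTION_IMAGELOADED_ENDSWITH, str.endswith)


def filter_main_path(event):
    """filter_main_path: the startswith list AND the endswith list must both
    match (fields in one selector are ANDed, values in a list are ORed)."""
    image = event.get("Image", "")
    return (_any(image, FILTER_IMAGE_STARTSWITH, str.startswith)
            and _any(image, FILTER_IMAGE_ENDSWITH, str.endswith))


def filter_per_user_path(event):
    """Extra filter for a per-user install, as the False Positives note
    suggests (assumed folder layout, not part of the published rule)."""
    image = event.get("Image", "")
    return (_any(image, PER_USER_IMAGE_CONTAINS, str.__contains__)
            and _any(image, FILTER_IMAGE_ENDSWITH, str.endswith))


def rule_matches(event, filters=(filter_main_path,)):
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not any(f(event) for f in filters)


# Constructed sample events with Sysmon Event ID 7 (image load) style fields.
EVENTS = {
    "legit_install": {
        "Image": "C:\\Program Files\\Siber Systems\\AI RoboForm\\robotaskbaricon.exe",
        "ImageLoaded": "C:\\Program Files\\Siber Systems\\AI RoboForm\\roboform.dll",
    },
    "temp_dir": {  # the tray binary running from a scratch folder: the case the rule targets
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\robotaskbaricon.exe",
        "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\roboform-x64.dll",
    },
    "unrelated": {
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll",
    },
    "per_user_install": {  # the false positive described by the rule
        "Image": "C:\\Users\\alice\\AppData\\Local\\Siber Systems\\AI RoboForm\\robotaskbaricon.exe",
        "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Siber Systems\\AI RoboForm\\roboform.dll",
    },
}


def evaluate(events, filters=(filter_main_path,)):
    """Return the names of the events the rule fires on."""
    return [name for name, ev in events.items() if rule_matches(ev, filters)]


if __name__ == "__main__":
    print("rule as published:", evaluate(EVENTS))
    print("with per-user filter:", evaluate(EVENTS, (filter_main_path, filter_per_user_path)))
```

With the rule as published, both the Temp-folder load and the per-user install fire; adding the per-user filter keeps only the Temp-folder case. The filter values must match exactly the way they appear in the rule (no stray leading whitespace in a `startswith` value), otherwise the filter never applies and every legitimate RoboForm start becomes an alert.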
MITRE ATT&CK
- attack.persistence
- attack.defense-evasion
- attack.privilege-escalation
- attack.t1574.001
Rule Metadata
Rule ID
f64c9b2d-b0ad-481d-9d03-7fc75020892a
Status
test
Level
medium
Type
Detection
Created
Sun May 14
Path
rules/windows/image_load/image_load_side_load_robform.yml
Raw Tags
- attack.persistence
- attack.defense-evasion
- attack.privilege-escalation
- attack.t1574.001