Potential DLL Sideloading Of DbgModel.DLL
Detects potential DLL sideloading of "DbgModel.dll"
Log Source
Product: Windows (raw: windows)
Category: Image Load (DLL) (raw: image_load)
Detection Logic (4 selectors)
detection:
    selection:
        ImageLoaded|endswith: '\dbgmodel.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    filter_optional_windbg:
        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\Microsoft.WinDbg_'
    filter_optional_windows_kits:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\Windows Kits\'
            - 'C:\Program Files\Windows Kits\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives
Legitimate applications loading their own versions of the DLL mentioned in this rule
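To make the rule's logic concrete, the following Python evaluates the selection and filter conditions above against a handful of constructed image-load events. This is an added example, not code from the Sigma project or from the rule's author; the event records, the loading-process paths and the WinDbg package folder suffix are all made up for illustration. Sigma string modifiers such as endswith and startswith are case-insensitive by default, which is why every comparison is lower-cased.

```python
"""Evaluate 'Potential DLL Sideloading Of DbgModel.DLL' over image-load events.

Added example (not part of the Sigma project). Paths in the sample events are
constructed; only the rule's own selectors are taken from the page.
"""

# selection: ImageLoaded|endswith
SELECTION_SUFFIX = "\\dbgmodel.dll"

# filter_main_generic: ImageLoaded|startswith
FILTER_MAIN_GENERIC = (
    "C:\\Windows\\System32\\",
    "C:\\Windows\\SysWOW64\\",
    "C:\\Windows\\WinSxS\\",
)

# filter_optional_windbg and filter_optional_windows_kits: ImageLoaded|startswith
FILTER_OPTIONAL = (
    "C:\\Program Files\\WindowsApps\\Microsoft.WinDbg_",
    "C:\\Program Files (x86)\\Windows Kits\\",
    "C:\\Program Files\\Windows Kits\\",
)


def _starts_with_any(value: str, prefixes: tuple) -> bool:
    """Case-insensitive equivalent of Sigma's startswith over a list of values."""
    return any(value.startswith(p.lower()) for p in prefixes)


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule condition:

    selection and not 1 of filter_main_* and not 1 of filter_optional_*
    """
    image = event.get("ImageLoaded", "").lower()
    selection = image.endswith(SELECTION_SUFFIX.lower())
    filter_main = _starts_with_any(image, FILTER_MAIN_GENERIC)
    filter_optional = _starts_with_any(image, FILTER_OPTIONAL)
    return selection and not filter_main and not filter_optional


def run_rule(events: list) -> list:
    """Return the loading-process path of every event the rule fires on."""
    return [e.get("Image", "<unknown>") for e in events if matches_rule(e)]


# Constructed sample events (Sysmon Event ID 7 style fields).
SAMPLE_EVENTS = [
    # Legitimate load from the system directory: suppressed by filter_main_generic.
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\dbgmodel.dll"},
    # Copy of the DLL next to a binary in a user-writable folder: alert.
    {"Image": "C:\\Users\\Public\\Downloads\\updater.exe",
     "ImageLoaded": "C:\\Users\\Public\\Downloads\\dbgmodel.dll"},
    # WinDbg Store package (package suffix is a constructed placeholder): suppressed.
    {"Image": "C:\\Program Files\\WindowsApps\\Microsoft.WinDbg_1.0.0.0_x64__PLACEHOLDER\\DbgX.Shell.exe",
     "ImageLoaded": "C:\\Program Files\\WindowsApps\\Microsoft.WinDbg_1.0.0.0_x64__PLACEHOLDER\\dbgmodel.dll"},
    # Windows SDK debugger directory: suppressed by filter_optional_windows_kits.
    {"Image": "C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\windbg.exe",
     "ImageLoaded": "C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\dbgmodel.dll"},
    # Unrelated DLL: selection does not match at all.
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    # Mixed-case file name outside all filtered paths: still an alert (case-insensitive).
    {"Image": "C:\\Temp\\tool.exe",
     "ImageLoaded": "C:\\Temp\\DbgModel.DLL"},
]

if __name__ == "__main__":
    for proc in run_rule(SAMPLE_EVENTS):
        print(f"ALERT: dbgmodel.dll loaded outside expected locations by {proc}")
```

Running the script reports only the second and sixth events, which is what the condition intends: the file name alone is the selection, and the three filter groups carve out the locations where the DLL legitimately lives. When tuning the rule for an environment, additional trusted install paths belong in a new filter_optional_* selector rather than in a change to the selection.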
References
MITRE ATT&CK
Rule Metadata
Rule ID
fef394cd-f44d-4040-9b18-95d92fe278c0
Status
test
Level
medium
Type
Detection
Created
Thu Jul 11
Modified
Mon Jul 22
Author
Path
rules/windows/image_load/image_load_side_load_dbgmodel.yml
Raw Tags
attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001