Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

91 rules found for "attack.T1574.001"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionmediumtest

Potential RoboForm.DLL Sideloading

Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)+1Sun May 14windows
Detectionmediumtest

Potential ShellDispatch.DLL Sideloading

Detects potential DLL sideloading of "ShellDispatch.dll"

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)Tue Jun 20windows
Detectionhightest

DLL Sideloading Of ShellChromeAPI.DLL

Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)Thu Dec 01windows
Detectionhightest

Potential SmadHook.DLL Sideloading

Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)Thu Jun 01windows
Detectionmediumtest

Potential SolidPDFCreator.DLL Sideloading

Detects potential DLL sideloading of "SolidPDFCreator.dll"

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)Sun May 07windows
Detectionmediumtest

Third Party Software DLL Sideloading

Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)+1Wed Aug 17windows
Detectionhightest

Fax Service DLL Search Order Hijack

The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.

WindowsImage Load (DLL)
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
NVISOMon May 04windows
Detectionmediumtest

Potential Vivaldi_elf.DLL Sideloading

Detects potential DLL sideloading of "vivaldi_elf.dll"

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)Thu Aug 03windows
Detectionmediumtest

VMGuestLib DLL Sideload

Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)Thu Dec 01windows
Detectionmediumtest

VMMap Signed Dbghelp.DLL Potential Sideloading

Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)Tue Sep 05windows
Detectionhightest

VMMap Unsigned Dbghelp.DLL Potential Sideloading

Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)Fri Jul 28windows
Detectionhightest

Potential DLL Sideloading Via VMware Xfer

Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL

WindowsImage Load (DLL)
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)Tue Aug 02windows
Detectionhightest

Potential Waveedit.DLL Sideloading

Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)Wed Jun 14windows
Detectionmediumtest

Potential Wazuh Security Platform DLL Sideloading

Detects potential DLL side loading of DLLs that are part of the Wazuh security platform

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)Mon Mar 13windows
Detectionhightest

Potential Mpclient.DLL Sideloading

Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.

WindowsImage Load (DLL)
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
Bhabesh RajTue Aug 02windows
Detectionmediumtest

Potential WWlib.DLL Sideloading

Detects potential DLL sideloading of "wwlib.dll"

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)Thu May 18windows
Detectionmediumtest

Unsigned Module Loaded by ClickOnce Application

Detects unsigned module load by ClickOnce application.

WindowsImage Load (DLL)
TA0004 · Privilege EscalationTA0005 · Defense EvasionTA0003 · PersistenceT1574.001 · DLL Search Order Hijacking
@serkinvaleryThu Jun 08windows
Detectionhighstable

Suspicious Unsigned Thor Scanner Execution

Detects loading and execution of an unsigned thor scanner binary.

WindowsImage Load (DLL)
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)Sun Oct 29windows
Detectionhightest

UAC Bypass With Fake DLL

Attempts to load dismcore.dll after dropping it

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1548.002 · Bypass User Account Control+1
oscd.community+1Tue Oct 06windows
Detectionmediumtest

Potential DLL Sideloading Via DeviceEnroller.EXE

Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

WindowsProcess Creation
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
@gott_cyberMon Aug 29windows
Detectionhightest

DLL Sideloading by VMware Xfer Utility

Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL

WindowsProcess Creation
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)Tue Aug 02windows
Detectionhightest

New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

WindowsProcess Creation
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking+1
Florian Roth (Nextron Systems)Mon May 08windows
Detectionhightest

Suspicious GUP Usage

Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks

WindowsProcess Creation
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
Florian Roth (Nextron Systems)Wed Feb 06windows
Detectionmediumtest

Potentially Suspicious Child Process of KeyScrambler.exe

Detects potentially suspicious child processes of KeyScrambler.exe

WindowsProcess Creation
TA0003 · PersistenceTA0002 · ExecutionTA0005 · Defense EvasionTA0004 · Privilege Escalation+2
Swachchhanda Shrawan PoudelMon May 13windows
Detectionhightest

Potential Mpclient.DLL Sideloading Via Defender Binaries

Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.

WindowsProcess Creation
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
Bhabesh RajMon Aug 01windows
Detectionhightest

Renamed Vmnat.exe Execution

Detects renamed vmnat.exe or portable version that can be used for DLL side-loading

WindowsProcess Creation
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
elhoimFri Sep 09windows
Detectionhightest

Tasks Folder Evasion

The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr

WindowsProcess Creation
TA0004 · Privilege EscalationTA0005 · Defense EvasionTA0003 · PersistenceTA0002 · Execution+1
SreemanMon Jan 13windows
Detectionhightest

Xwizard.EXE Execution From Non-Default Location

Detects the execution of Xwizard tool from a non-default directory. When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".

WindowsProcess Creation
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
Christian Burkard (Nextron Systems)Mon Sep 20windows
Detectionhightest

DHCP Callout DLL Installation

Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking+1
Dimitrios SlamarisMon May 15windows
Detectionhightest

New DNS ServerLevelPluginDll Installed

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

WindowsRegistry Set
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking+1
Florian Roth (Nextron Systems)Mon May 08windows
Detectionhighexperimental

Registry Modification for OCI DLL Redirection

Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings. Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.

WindowsRegistry Set
TA0003 · PersistenceTA0004 · Privilege EscalationTA0005 · Defense EvasionT1112 · Modify Registry+1
Swachchhanda Shrawan Poudel (Nextron Systems)Sat Jan 24windows
Emerging Threathightest

Potential PlugX Activity

Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location

WindowsProcess Creation
TA0004 · Privilege EscalationTA0003 · PersistenceS0013 · S0013TA0005 · Defense Evasion+2
Florian Roth (Nextron Systems)Mon Jun 122017
Emerging Threatcriticaltest

APT27 - Emissary Panda Activity

Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27

WindowsProcess Creation
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking+2
Florian Roth (Nextron Systems)Mon Sep 032018
Emerging Threatcriticaltest

Winnti Malware HK University Campaign

Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities

WindowsProcess Creation
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking+2
Florian Roth (Nextron Systems)+1Sat Feb 012020
Emerging Threatcriticalstable

Winnti Pipemon Characteristics

Detects specific process characteristics of Winnti Pipemon malware reported by ESET

WindowsProcess Creation
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking+2
Florian Roth (Nextron Systems)+1Thu Jul 302020
Emerging Threathightest

Pingback Backdoor File Indicators

Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report

WindowsFile Event
TA0004 · Privilege EscalationTA0005 · Defense EvasionTA0003 · PersistenceT1574.001 · DLL Search Order Hijacking+1
Bhabesh RajWed May 052021
Emerging Threathightest

Pingback Backdoor DLL Loading Activity

Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report

WindowsImage Load (DLL)
TA0004 · Privilege EscalationTA0005 · Defense EvasionTA0003 · PersistenceT1574.001 · DLL Search Order Hijacking+1
Bhabesh RajWed May 052021
Emerging Threathightest

Pingback Backdoor Activity

Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report

WindowsProcess Creation
TA0004 · Privilege EscalationTA0005 · Defense EvasionTA0003 · PersistenceT1574.001 · DLL Search Order Hijacking+1
Bhabesh RajWed May 052021
Emerging Threathightest

Small Sieve Malware CommandLine Indicator

Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.

WindowsProcess Creation
TA0004 · Privilege EscalationTA0005 · Defense EvasionTA0003 · PersistenceT1574.001 · DLL Search Order Hijacking+1
Nasreddine Bencherchali (Nextron Systems)Fri May 192021
Emerging Threatmediumtest

DLL Names Used By SVR For GraphicalProton Backdoor

Hunts known SVR-specific DLL names.

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking+1
CISAMon Dec 182023
Emerging Threathightest

Diamond Sleet APT DLL Sideloading Indicators

Detects DLL sideloading activity seen used by Diamond Sleet APT

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking+1
Nasreddine Bencherchali (Nextron Systems)Tue Oct 242023
Emerging Threathightest

Lazarus APT DLL Sideloading Activity

Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0004 · Privilege EscalationTA0003 · PersistenceT1574.001 · DLL Search Order Hijacking+2
Thurein Oo+1Wed Oct 182023
Emerging Threathightest

Potential Raspberry Robin Aclui Dll SideLoading

Detects potential sideloading of malicious "aclui.dll" by OleView.This behavior was observed in Raspberry-Robin variants reported by chekpoint research on Feburary 2024.

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking+1
Swachchhanda Shrawan PoudelWed Jul 312024
12