Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

91 rules found for "attack.T1574.001"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionlowtest

Use Of Hidden Paths Or Files

Detects calls to hidden files or files located in hidden directories in NIX systems.

Linuxauditd
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
David BurkettFri Dec 30linux
Detectionhightest

DNS Server Error Failed Loading the ServerLevelPluginDLL

Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded

Windowsdns-server
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
Florian Roth (Nextron Systems)Mon May 08windows
Detectionhightest

Microsoft Defender Blocked from Loading Unsigned DLL

Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL

Windowssecurity-mitigations
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
Bhabesh RajTue Aug 02windows
Detectionhightest

Unsigned Binary Loaded From Suspicious Location

Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations

Windowssecurity-mitigations
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)Wed Aug 03windows
Detectionhightest

DHCP Server Loaded the CallOut DLL

This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded

Windowssystem
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
Dimitrios SlamarisMon May 15windows
Detectionhightest

DHCP Server Error Failed Loading the CallOut DLL

This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded

Windowssystem
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
Dimitrios SlamarisMon May 15windows
Detectionmediumtest

Creation Of Non-Existent System DLL

Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs. Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.

WindowsFile Event
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)+1Thu Dec 01windows
Detectionhightest

DLL Search Order Hijackig Via Additional Space in Path

Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...) but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack

WindowsFile Event
TA0003 · PersistenceTA0004 · Privilege EscalationTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
François Hubaut+1Sat Jul 30windows
Detectionhightest

HackTool - Powerup Write Hijack DLL

Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default).

WindowsFile Event
TA0003 · PersistenceTA0004 · Privilege EscalationTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
Subhash PopuriSat Aug 21windows
Detectionmediumtest

Potential Initial Access via DLL Search Order Hijacking

Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.

WindowsFile Event
TA0004 · Privilege EscalationTA0003 · PersistenceT1566 · PhishingT1566.001 · Spearphishing Attachment+4
Tim Rauch+1Fri Oct 21windows
Detectionhightest

Malicious DLL File Dropped in the Teams or OneDrive Folder

Detects creation of a malicious DLL file in the location where the OneDrive or Team applications Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded

WindowsFile Event
TA0003 · PersistenceTA0004 · Privilege EscalationTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
François HubautFri Aug 12windows
Detectionmediumtest

Creation of WerFault.exe/Wer.dll in Unusual Folder

Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.

WindowsFile Event
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
François HubautMon May 09windows
Detectionlowtest

Potential Azure Browser SSO Abuse

Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Den IuzvykWed Jul 15windows
Detectionmediumexperimental

Unsigned .node File Loaded

Detects the loading of unsigned .node files. Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack. .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code. This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.

WindowsImage Load (DLL)
TA0002 · ExecutionTA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense Evasion+3
Jonathan BeierleSat Nov 22windows
Detectionlowtest

Potential 7za.DLL Sideloading

Detects potential DLL sideloading of "7za.dll"

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__JuniorFri Jun 09windows
Detectionmediumtest

Potential Antivirus Software DLL Sideloading

Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)+1Wed Aug 17windows
Detectionhightest

Potential appverifUI.DLL Sideloading

Detects potential DLL sideloading of "appverifUI.dll"

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)Tue Jun 20windows
Detectionhightest

Aruba Network Service Potential DLL Sideloading

Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0004 · Privilege EscalationTA0003 · PersistenceT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)Sun Jan 22windows
Detectionmediumtest

Potential AVKkid.DLL Sideloading

Detects potential DLL sideloading of "AVKkid.dll"

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)Thu Aug 03windows
Detectionmediumtest

Potential CCleanerDU.DLL Sideloading

Detects potential DLL sideloading of "CCleanerDU.dll"

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)Thu Jul 13windows
Detectionmediumtest

Potential CCleanerReactivator.DLL Sideloading

Detects potential DLL sideloading of "CCleanerReactivator.dll"

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__JuniorThu Jul 13windows
Detectionmediumtest

Potential Chrome Frame Helper DLL Sideloading

Detects potential DLL sideloading of "chrome_frame_helper.dll"

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)+1Wed Aug 17windows
Detectionmediumtest

Potential DLL Sideloading Via ClassicExplorer32.dll

Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
François HubautTue Dec 13windows
Detectionhightest

Potential DLL Sideloading Via comctl32.dll

Detects potential DLL sideloading using comctl32.dll to obtain system privileges

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)+1Fri Dec 16windows
Detectionhightest

System Control Panel Item Loaded From Uncommon Location

Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Anish BogatiTue Jan 09windows
Detectionmediumtest

Potential DLL Sideloading Of DBGCORE.DLL

Detects DLL sideloading of "dbgcore.dll"

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)+1Tue Oct 25windows
Detectionmediumtest

Potential DLL Sideloading Of DBGHELP.DLL

Detects potential DLL sideloading of "dbghelp.dll"

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)+1Tue Oct 25windows
Detectionmediumtest

Potential DLL Sideloading Of DbgModel.DLL

Detects potential DLL sideloading of "DbgModel.dll"

WindowsImage Load (DLL)
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
Gary LobermierThu Jul 11windows
Detectionhightest

Potential EACore.DLL Sideloading

Detects potential DLL sideloading of "EACore.dll"

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)Thu Aug 03windows
Detectionhightest

Potential Edputil.DLL Sideloading

Detects potential DLL sideloading of "edputil.dll"

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)Fri Jun 09windows
Detectionhightest

Potential System DLL Sideloading From Non System Locations

Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)Sun Aug 14windows
Detectionmediumtest

Potential Goopdate.DLL Sideloading

Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)+1Mon May 15windows
Detectionmediumtest

Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE

Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)Fri May 05windows
Detectionhightest

Potential Iviewers.DLL Sideloading

Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)Tue Mar 21windows
Detectionhighexperimental

Potential JLI.dll Side-Loading

Detects potential DLL side-loading of jli.dll. JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm, and others in order to load malicious payloads in context of legitimate Java processes.

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Swachchhanda Shrawan Poudel (Nextron Systems)Fri Jul 25windows
Detectionmediumtest

Potential DLL Sideloading Via JsSchHlp

Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
François HubautWed Dec 14windows
Detectionhightest

Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE

Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe". Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Swachchhanda Shrawan PoudelMon Apr 15windows
Detectionmediumtest

Potential Libvlc.DLL Sideloading

Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__JuniorMon Apr 17windows
Detectionmediumtest

Potential Mfdetours.DLL Sideloading

Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)Thu Aug 03windows
Detectionhightest

Unsigned Mfdetours.DLL Sideloading

Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)Fri Aug 11windows
Detectionmediumtest

Potential DLL Sideloading Of MpSvc.DLL

Detects potential DLL sideloading of "MpSvc.dll".

WindowsImage Load (DLL)
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)+1Thu Jul 11windows
Detectionmediumtest

Potential DLL Sideloading Of MsCorSvc.DLL

Detects potential DLL sideloading of "mscorsvc.dll".

WindowsImage Load (DLL)
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
Wietze BeukemaThu Jul 11windows
Detectionhightest

Potential DLL Sideloading Of Non-Existent DLLs From System Folders

Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)+1Fri Dec 09windows
Detectionhightest

Microsoft Office DLL Sideload

Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)+1Wed Aug 17windows
Detectionmediumtest

Potential Python DLL SideLoading

Detects potential DLL sideloading of Python DLL files.

WindowsImage Load (DLL)
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
Swachchhanda Shrawan PoudelSun Oct 06windows
Detectionhightest

Potential Rcdll.DLL Sideloading

Detects potential DLL sideloading of rcdll.dll

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)Mon Mar 13windows
Detectionmediumtest

Potential RjvPlatform.DLL Sideloading From Default Location

Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)Fri Jun 09windows
Detectionhightest

Potential RjvPlatform.DLL Sideloading From Non-Default Location

Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)Fri Jun 09windows
12