Potential Antivirus Software DLL Sideloading

Severity: medium
Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
Source: upstream

Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1574.001` Hijack Execution Flow: DLL
Privilege Escalation	`T1574.001` Hijack Execution Flow: DLL
Defense Evasion	`T1574.001` Hijack Execution Flow: DLL

Event coverage

Provider	Event ID	Title
Sysmon	7	Image loaded

Stages and Predicates

Stage 1: `selection_bitdefender`

ImageLoaded|endswith: '\log.dll'

Stage 2: `not 1 of filter_log_dll_*`

or:
ImageLoaded: ['C:\Program Files\Dell\SARemediation\audit\log.dll', 'C:\Program Files\Dell\SARemediation\plugin\log.dll']
Image: 'C:\Program Files\Dell\SARemediation\audit\TelemetryUtility.exe'
ImageLoaded: 'C:\Program Files (x86)\AVAST Software\Avast\log.dll'
ImageLoaded: 'C:\Program Files (x86)\AVG\Antivirus\log.dll'
ImageLoaded: 'C:\Program Files\AVAST Software\Avast\log.dll'
ImageLoaded: 'C:\Program Files\AVG\Antivirus\log.dll'
ImageLoaded|startswith: 'C:\Program Files (x86)\Bitdefender Antivirus Free\'
ImageLoaded|startswith: 'C:\Program Files\Bitdefender Antivirus Free\'
ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\'

Stage 3: `selection_fsecure`

ImageLoaded|endswith: '\qrt.dll'

Stage 4: `not filter_fsecure`

or:
ImageLoaded|startswith: 'C:\Program Files (x86)\F-Secure\Anti-Virus\'
ImageLoaded|startswith: 'C:\Program Files\F-Secure\Anti-Virus\'

Stage 5: `selection_mcafee`

or:
ImageLoaded|endswith: '\ashldres.dll'
ImageLoaded|endswith: '\lockdown.dll'
ImageLoaded|endswith: '\vsodscpl.dll'

Stage 6: `not filter_mcafee`

or:
ImageLoaded|startswith: 'C:\Program Files (x86)\McAfee\'
ImageLoaded|startswith: 'C:\Program Files\McAfee\'

Stage 7: `selection_cyberark`

ImageLoaded|endswith: '\vftrace.dll'

Stage 8: `not filter_cyberark`

or:
ImageLoaded|startswith: 'C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\'
ImageLoaded|startswith: 'C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\'

Stage 9: `selection_avast`

ImageLoaded|endswith: '\wsc.dll'

Stage 10: `not 1 of filter_wsc_dll_*`

or:
ImageLoaded|startswith: 'C:\Program Files (x86)\AVG\Antivirus\'
ImageLoaded|startswith: 'C:\Program Files\AVG\Antivirus\'
ImageLoaded|startswith: 'C:\program Files (x86)\AVAST Software\Avast\'
ImageLoaded|startswith: 'C:\program Files\AVAST Software\Avast\'

Stage 11: `selection_titanium`

ImageLoaded|endswith: '\tmdbglog.dll'

Stage 12: `not filter_titanium`

or:
ImageLoaded|startswith: 'C:\program Files (x86)\Trend Micro\Titanium\'
ImageLoaded|startswith: 'C:\program Files\Trend Micro\Titanium\'

Stage 13: `selection_eset_deslock`

ImageLoaded|endswith: '\DLPPREM32.dll'

Stage 14: `not filter_eset_deslock`

or:
ImageLoaded|startswith: 'C:\program Files (x86)\ESET'
ImageLoaded|startswith: 'C:\program Files\ESET'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	eq	`C:\Program Files\Dell\SARemediation\audit\TelemetryUtility.exe`
`ImageLoaded`	ends_with	`\DLPPREM32.dll` `\ashldres.dll` `\lockdown.dll` `\log.dll` `\qrt.dll` `\tmdbglog.dll` `\vftrace.dll` `\vsodscpl.dll` `\wsc.dll`
`ImageLoaded`	eq	`C:\Program Files (x86)\AVAST Software\Avast\log.dll` `C:\Program Files (x86)\AVG\Antivirus\log.dll` `C:\Program Files\AVAST Software\Avast\log.dll` `C:\Program Files\AVG\Antivirus\log.dll` `C:\Program Files\Dell\SARemediation\audit\log.dll` `C:\Program Files\Dell\SARemediation\plugin\log.dll`
`ImageLoaded`	starts_with	`C:\Program Files (x86)\AVG\Antivirus\` `C:\Program Files (x86)\Bitdefender Antivirus Free\` `C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\` `C:\Program Files (x86)\F-Secure\Anti-Virus\` `C:\Program Files (x86)\McAfee\` `C:\Program Files\AVG\Antivirus\` `C:\Program Files\Bitdefender Antivirus Free\` `C:\Program Files\Canon\MyPrinter\` `C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\` `C:\Program Files\F-Secure\Anti-Virus\` `C:\Program Files\McAfee\` `C:\program Files (x86)\AVAST Software\Avast\` `C:\program Files (x86)\ESET` `C:\program Files (x86)\Trend Micro\Titanium\` `C:\program Files\AVAST Software\Avast\` `C:\program Files\ESET` `C:\program Files\Trend Micro\Titanium\`

Potential Antivirus Software DLL Sideloading

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: selection_bitdefender

Stage 2: not 1 of filter_log_dll_*

Stage 3: selection_fsecure

Stage 4: not filter_fsecure

Stage 5: selection_mcafee

Stage 6: not filter_mcafee

Stage 7: selection_cyberark

Stage 8: not filter_cyberark

Stage 9: selection_avast

Stage 10: not 1 of filter_wsc_dll_*

Stage 11: selection_titanium

Stage 12: not filter_titanium

Stage 13: selection_eset_deslock

Stage 14: not filter_eset_deslock