Potential System DLL Sideloading From Non System Locations

Severity: high
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1574.001` Hijack Execution Flow: DLL
Privilege Escalation	`T1574.001` Hijack Execution Flow: DLL
Defense Evasion	`T1574.001` Hijack Execution Flow: DLL

Event coverage

Provider	Event ID	Title
Sysmon	7	Image loaded

Stages and Predicates

Stage 1: `selection`

or:
ImageLoaded|endswith: '\COMRES.DLL'
ImageLoaded|endswith: '\DispBroker.dll'
ImageLoaded|endswith: '\FXSRESM.DLL'
ImageLoaded|endswith: '\FxsCompose.dll'
ImageLoaded|endswith: '\PrintIsolationProxy.dll'
ImageLoaded|endswith: '\TSMSISrv.dll'
ImageLoaded|endswith: '\TSVIPSrv.dll'
ImageLoaded|endswith: '\WLBSCTRL.dll'
ImageLoaded|endswith: '\WfsR.dll'
ImageLoaded|endswith: '\WptsExtensions.dll'
ImageLoaded|endswith: '\aclui.dll'
ImageLoaded|endswith: '\activeds.dll'
ImageLoaded|endswith: '\adsldpc.dll'
ImageLoaded|endswith: '\aepic.dll'
ImageLoaded|endswith: '\amsi.dll'
ImageLoaded|endswith: '\apphelp.dll'
ImageLoaded|endswith: '\applicationframe.dll'
ImageLoaded|endswith: '\appraiser.dll'
ImageLoaded|endswith: '\appvpolicy.dll'
ImageLoaded|endswith: '\appxalluserstore.dll'
ImageLoaded|endswith: '\appxdeploymentclient.dll'
ImageLoaded|endswith: '\archiveint.dll'
ImageLoaded|endswith: '\atl.dll'
ImageLoaded|endswith: '\audioses.dll'
ImageLoaded|endswith: '\auditpolcore.dll'
ImageLoaded|endswith: '\authfwcfg.dll'
ImageLoaded|endswith: '\authz.dll'
ImageLoaded|endswith: '\avrt.dll'
ImageLoaded|endswith: '\batmeter.dll'
ImageLoaded|endswith: '\bcd.dll'
ImageLoaded|endswith: '\bcp47langs.dll'
ImageLoaded|endswith: '\bcp47mrm.dll'
ImageLoaded|endswith: '\bcrypt.dll'
ImageLoaded|endswith: '\bderepair.dll'
ImageLoaded|endswith: '\bootmenuux.dll'
ImageLoaded|endswith: '\bootux.dll'
ImageLoaded|endswith: '\cabinet.dll'
ImageLoaded|endswith: '\cabview.dll'
ImageLoaded|endswith: '\certcli.dll'
ImageLoaded|endswith: '\certenroll.dll'
ImageLoaded|endswith: '\cfgmgr32.dll'
ImageLoaded|endswith: '\cldapi.dll'
ImageLoaded|endswith: '\clipc.dll'
ImageLoaded|endswith: '\clusapi.dll'
ImageLoaded|endswith: '\cmpbk32.dll'
ImageLoaded|endswith: '\cmutil.dll'
ImageLoaded|endswith: '\coloradapterclient.dll'
ImageLoaded|endswith: '\colorui.dll'
ImageLoaded|endswith: '\comdlg32.dll'
ImageLoaded|endswith: '\configmanager2.dll'
ImageLoaded|endswith: '\connect.dll'
ImageLoaded|endswith: '\coredplus.dll'
ImageLoaded|endswith: '\coremessaging.dll'
ImageLoaded|endswith: '\coreuicomponents.dll'
ImageLoaded|endswith: '\credui.dll'
ImageLoaded|endswith: '\cryptbase.dll'
ImageLoaded|endswith: '\cryptdll.dll'
ImageLoaded|endswith: '\cryptnet.dll'
ImageLoaded|endswith: '\cryptsp.dll'
ImageLoaded|endswith: '\cryptui.dll'
ImageLoaded|endswith: '\cryptxml.dll'
ImageLoaded|endswith: '\cscapi.dll'
ImageLoaded|endswith: '\cscobj.dll'
ImageLoaded|endswith: '\cscui.dll'
ImageLoaded|endswith: '\d2d1.dll'
ImageLoaded|endswith: '\d3d10.dll'
ImageLoaded|endswith: '\d3d10_1.dll'
ImageLoaded|endswith: '\d3d10_1core.dll'
ImageLoaded|endswith: '\d3d10core.dll'
ImageLoaded|endswith: '\d3d10warp.dll'
ImageLoaded|endswith: '\d3d11.dll'
ImageLoaded|endswith: '\d3d12.dll'
ImageLoaded|endswith: '\d3d9.dll'
ImageLoaded|endswith: '\d3dx9_43.dll'
ImageLoaded|endswith: '\dataexchange.dll'
ImageLoaded|endswith: '\davclnt.dll'
ImageLoaded|endswith: '\dcntel.dll'
ImageLoaded|endswith: '\dcomp.dll'
ImageLoaded|endswith: '\defragproxy.dll'
ImageLoaded|endswith: '\desktopshellext.dll'
ImageLoaded|endswith: '\deviceassociation.dll'
ImageLoaded|endswith: '\devicecredential.dll'
ImageLoaded|endswith: '\devicepairing.dll'
ImageLoaded|endswith: '\devobj.dll'
ImageLoaded|endswith: '\devrtl.dll'
ImageLoaded|endswith: '\dhcpcmonitor.dll'
ImageLoaded|endswith: '\dhcpcsvc.dll'
ImageLoaded|endswith: '\dhcpcsvc6.dll'
ImageLoaded|endswith: '\directmanipulation.dll'
ImageLoaded|endswith: '\dismapi.dll'
ImageLoaded|endswith: '\dismcore.dll'
ImageLoaded|endswith: '\dmcfgutils.dll'
ImageLoaded|endswith: '\dmcmnutils.dll'
ImageLoaded|endswith: '\dmcommandlineutils.dll'
ImageLoaded|endswith: '\dmenrollengine.dll'
ImageLoaded|endswith: '\dmenterprisediagnostics.dll'
ImageLoaded|endswith: '\dmiso8601utils.dll'
ImageLoaded|endswith: '\dmoleaututils.dll'
ImageLoaded|endswith: '\dmprocessxmlfiltered.dll'
ImageLoaded|endswith: '\dmpushproxy.dll'
ImageLoaded|endswith: '\dmxmlhelputils.dll'
ImageLoaded|endswith: '\dnsapi.dll'
ImageLoaded|endswith: '\dot3api.dll'
ImageLoaded|endswith: '\dot3cfg.dll'
ImageLoaded|endswith: '\dpx.dll'
ImageLoaded|endswith: '\drprov.dll'
ImageLoaded|endswith: '\drvstore.dll'
ImageLoaded|endswith: '\dsclient.dll'
ImageLoaded|endswith: '\dsound.dll'
ImageLoaded|endswith: '\dsparse.dll'
ImageLoaded|endswith: '\dsprop.dll'
ImageLoaded|endswith: '\dsreg.dll'
ImageLoaded|endswith: '\dsrole.dll'
ImageLoaded|endswith: '\dui70.dll'
ImageLoaded|endswith: '\duser.dll'
ImageLoaded|endswith: '\dusmapi.dll'
ImageLoaded|endswith: '\dwmapi.dll'
ImageLoaded|endswith: '\dwmcore.dll'
ImageLoaded|endswith: '\dwrite.dll'
ImageLoaded|endswith: '\dxcore.dll'
ImageLoaded|endswith: '\dxgi.dll'
ImageLoaded|endswith: '\dxilconv.dll'
ImageLoaded|endswith: '\dxva2.dll'
ImageLoaded|endswith: '\dynamoapi.dll'
ImageLoaded|endswith: '\eappcfg.dll'
ImageLoaded|endswith: '\eappprxy.dll'
ImageLoaded|endswith: '\edgeiso.dll'
ImageLoaded|endswith: '\edputil.dll'
ImageLoaded|endswith: '\efsadu.dll'
ImageLoaded|endswith: '\efsutil.dll'
ImageLoaded|endswith: '\esent.dll'
ImageLoaded|endswith: '\execmodelproxy.dll'
ImageLoaded|endswith: '\explorerframe.dll'
ImageLoaded|endswith: '\fastprox.dll'
ImageLoaded|endswith: '\faultrep.dll'
ImageLoaded|endswith: '\fddevquery.dll'
ImageLoaded|endswith: '\feclient.dll'
ImageLoaded|endswith: '\fhcfg.dll'
ImageLoaded|endswith: '\fhsvcctl.dll'
ImageLoaded|endswith: '\firewallapi.dll'
ImageLoaded|endswith: '\flightsettings.dll'
ImageLoaded|endswith: '\fltlib.dll'
ImageLoaded|endswith: '\framedynos.dll'
ImageLoaded|endswith: '\fveapi.dll'
ImageLoaded|endswith: '\fveskybackup.dll'
ImageLoaded|endswith: '\fvewiz.dll'
ImageLoaded|endswith: '\fwbase.dll'
ImageLoaded|endswith: '\fwcfg.dll'
ImageLoaded|endswith: '\fwpolicyiomgr.dll'
ImageLoaded|endswith: '\fwpuclnt.dll'
ImageLoaded|endswith: '\fxsapi.dll'
ImageLoaded|endswith: '\fxsst.dll'
ImageLoaded|endswith: '\fxstiff.dll'
ImageLoaded|endswith: '\getuname.dll'
ImageLoaded|endswith: '\gpapi.dll'
ImageLoaded|endswith: '\hid.dll'
ImageLoaded|endswith: '\hnetmon.dll'
ImageLoaded|endswith: '\httpapi.dll'
ImageLoaded|endswith: '\icmp.dll'
ImageLoaded|endswith: '\idstore.dll'
ImageLoaded|endswith: '\ieadvpack.dll'
ImageLoaded|endswith: '\iedkcs32.dll'
ImageLoaded|endswith: '\iernonce.dll'
ImageLoaded|endswith: '\iertutil.dll'
ImageLoaded|endswith: '\ifmon.dll'
ImageLoaded|endswith: '\ifsutil.dll'
ImageLoaded|endswith: '\igd10iumd64.dll'
ImageLoaded|endswith: '\igd12umd64.dll'
ImageLoaded|endswith: '\igdumdim64.dll'
ImageLoaded|endswith: '\igdusc64.dll'
ImageLoaded|endswith: '\inproclogger.dll'
ImageLoaded|endswith: '\iphlpapi.dll'
ImageLoaded|endswith: '\iri.dll'
ImageLoaded|endswith: '\iscsidsc.dll'
ImageLoaded|endswith: '\iscsium.dll'
ImageLoaded|endswith: '\isv.exe_rsaenh.dll'
ImageLoaded|endswith: '\iumbase.dll'
ImageLoaded|endswith: '\iumsdk.dll'
ImageLoaded|endswith: '\joinutil.dll'
ImageLoaded|endswith: '\kdstub.dll'
ImageLoaded|endswith: '\ksuser.dll'
ImageLoaded|endswith: '\ktmw32.dll'
ImageLoaded|endswith: '\licensemanagerapi.dll'
ImageLoaded|endswith: '\licensingdiagspp.dll'
ImageLoaded|endswith: '\linkinfo.dll'
ImageLoaded|endswith: '\loadperf.dll'
ImageLoaded|endswith: '\lockhostingframework.dll'
ImageLoaded|endswith: '\logoncli.dll'
ImageLoaded|endswith: '\logoncontroller.dll'
ImageLoaded|endswith: '\lpksetupproxyserv.dll'
ImageLoaded|endswith: '\lrwizdll.dll'
ImageLoaded|endswith: '\magnification.dll'
ImageLoaded|endswith: '\maintenanceui.dll'
ImageLoaded|endswith: '\mapistub.dll'
ImageLoaded|endswith: '\mbaexmlparser.dll'
ImageLoaded|endswith: '\mdmdiagnostics.dll'
ImageLoaded|endswith: '\mfc42u.dll'
ImageLoaded|endswith: '\mfcore.dll'
ImageLoaded|endswith: '\mfplat.dll'
ImageLoaded|endswith: '\mi.dll'
ImageLoaded|endswith: '\midimap.dll'
ImageLoaded|endswith: '\mintdh.dll'
ImageLoaded|endswith: '\miutils.dll'
ImageLoaded|endswith: '\mlang.dll'
ImageLoaded|endswith: '\mmdevapi.dll'
ImageLoaded|endswith: '\mobilenetworking.dll'
ImageLoaded|endswith: '\mpr.dll'
ImageLoaded|endswith: '\mprapi.dll'
ImageLoaded|endswith: '\mrmcorer.dll'
ImageLoaded|endswith: '\msacm32.dll'
ImageLoaded|endswith: '\mscms.dll'
ImageLoaded|endswith: '\mscoree.dll'
ImageLoaded|endswith: '\msctf.dll'
ImageLoaded|endswith: '\msctfmonitor.dll'
ImageLoaded|endswith: '\msdrm.dll'
ImageLoaded|endswith: '\msdtcVSp1res.dll'
ImageLoaded|endswith: '\msdtctm.dll'
ImageLoaded|endswith: '\msftedit.dll'
ImageLoaded|endswith: '\msi.dll'
ImageLoaded|endswith: '\msiso.dll'
ImageLoaded|endswith: '\msutb.dll'
ImageLoaded|endswith: '\msvcp110_win.dll'
ImageLoaded|endswith: '\mswb7.dll'
ImageLoaded|endswith: '\mswsock.dll'
ImageLoaded|endswith: '\msxml3.dll'
ImageLoaded|endswith: '\mtxclu.dll'
ImageLoaded|endswith: '\napinsp.dll'
ImageLoaded|endswith: '\ncrypt.dll'
ImageLoaded|endswith: '\ndfapi.dll'
ImageLoaded|endswith: '\netapi32.dll'
ImageLoaded|endswith: '\netid.dll'
ImageLoaded|endswith: '\netiohlp.dll'
ImageLoaded|endswith: '\netjoin.dll'
ImageLoaded|endswith: '\netplwiz.dll'
ImageLoaded|endswith: '\netprofm.dll'
ImageLoaded|endswith: '\netprovfw.dll'
ImageLoaded|endswith: '\netsetupapi.dll'
ImageLoaded|endswith: '\netshell.dll'
ImageLoaded|endswith: '\nettrace.dll'
ImageLoaded|endswith: '\netutils.dll'
ImageLoaded|endswith: '\networkexplorer.dll'
ImageLoaded|endswith: '\newdev.dll'
ImageLoaded|endswith: '\ninput.dll'
ImageLoaded|endswith: '\nlaapi.dll'
ImageLoaded|endswith: '\nlansp_c.dll'
ImageLoaded|endswith: '\npmproxy.dll'
ImageLoaded|endswith: '\nshhttp.dll'
ImageLoaded|endswith: '\nshipsec.dll'
ImageLoaded|endswith: '\nshwfp.dll'
ImageLoaded|endswith: '\ntdsapi.dll'
ImageLoaded|endswith: '\ntlanman.dll'
ImageLoaded|endswith: '\ntlmshared.dll'
ImageLoaded|endswith: '\ntmarta.dll'
ImageLoaded|endswith: '\ntshrui.dll'
ImageLoaded|endswith: '\oleacc.dll'
ImageLoaded|endswith: '\omadmapi.dll'
ImageLoaded|endswith: '\onex.dll'
ImageLoaded|endswith: '\opcservices.dll'
ImageLoaded|endswith: '\osbaseln.dll'
ImageLoaded|endswith: '\osksupport.dll'
ImageLoaded|endswith: '\osuninst.dll'
ImageLoaded|endswith: '\p2p.dll'
ImageLoaded|endswith: '\p2pnetsh.dll'
ImageLoaded|endswith: '\p9np.dll'
ImageLoaded|endswith: '\pcaui.dll'
ImageLoaded|endswith: '\pdh.dll'
ImageLoaded|endswith: '\peerdistsh.dll'
ImageLoaded|endswith: '\pkeyhelper.dll'
ImageLoaded|endswith: '\pla.dll'
ImageLoaded|endswith: '\playsndsrv.dll'
ImageLoaded|endswith: '\pnrpnsp.dll'
ImageLoaded|endswith: '\policymanager.dll'
ImageLoaded|endswith: '\polstore.dll'
ImageLoaded|endswith: '\powrprof.dll'
ImageLoaded|endswith: '\printui.dll'
ImageLoaded|endswith: '\prntvpt.dll'
ImageLoaded|endswith: '\profapi.dll'
ImageLoaded|endswith: '\propsys.dll'
ImageLoaded|endswith: '\proximitycommon.dll'
ImageLoaded|endswith: '\proximityservicepal.dll'
ImageLoaded|endswith: '\prvdmofcomp.dll'
ImageLoaded|endswith: '\puiapi.dll'
ImageLoaded|endswith: '\radcui.dll'
ImageLoaded|endswith: '\rasapi32.dll'
ImageLoaded|endswith: '\rasdlg.dll'
ImageLoaded|endswith: '\rasgcw.dll'
ImageLoaded|endswith: '\rasman.dll'
ImageLoaded|endswith: '\rasmontr.dll'
ImageLoaded|endswith: '\rdpendp.dll'
ImageLoaded|endswith: '\reagent.dll'
ImageLoaded|endswith: '\regapi.dll'
ImageLoaded|endswith: '\reseteng.dll'
ImageLoaded|endswith: '\resetengine.dll'
ImageLoaded|endswith: '\resutils.dll'
ImageLoaded|endswith: '\rmclient.dll'
ImageLoaded|endswith: '\rpchttp.dll'
ImageLoaded|endswith: '\rpcnsh.dll'
ImageLoaded|endswith: '\rsaenh.dll'
ImageLoaded|endswith: '\rtutils.dll'
ImageLoaded|endswith: '\rtworkq.dll'
ImageLoaded|endswith: '\samcli.dll'
ImageLoaded|endswith: '\samlib.dll'
ImageLoaded|endswith: '\sapi_onecore.dll'
ImageLoaded|endswith: '\sas.dll'
ImageLoaded|endswith: '\scansetting.dll'
ImageLoaded|endswith: '\scecli.dll'
ImageLoaded|endswith: '\schedcli.dll'
ImageLoaded|endswith: '\secur32.dll'
ImageLoaded|endswith: '\security.dll'
ImageLoaded|endswith: '\sensapi.dll'
ImageLoaded|endswith: '\shell32.dll'
ImageLoaded|endswith: '\shfolder.dll'
ImageLoaded|endswith: '\slc.dll'
ImageLoaded|endswith: '\snmpapi.dll'
ImageLoaded|endswith: '\spectrumsyncclient.dll'
ImageLoaded|endswith: '\spp.dll'
ImageLoaded|endswith: '\sppc.dll'
ImageLoaded|endswith: '\sppcext.dll'
ImageLoaded|endswith: '\srclient.dll'
ImageLoaded|endswith: '\srcore.dll'
ImageLoaded|endswith: '\srmtrace.dll'
ImageLoaded|endswith: '\srpapi.dll'
ImageLoaded|endswith: '\srvcli.dll'
ImageLoaded|endswith: '\ssp.exe_rsaenh.dll'
ImageLoaded|endswith: '\ssp_isv.exe_rsaenh.dll'
ImageLoaded|endswith: '\sspicli.dll'
ImageLoaded|endswith: '\ssshim.dll'
ImageLoaded|endswith: '\staterepository.core.dll'
ImageLoaded|endswith: '\storageusage.dll'
ImageLoaded|endswith: '\structuredquery.dll'
ImageLoaded|endswith: '\sxshared.dll'
ImageLoaded|endswith: '\systemsettingsthresholdadminflowui.dll'
ImageLoaded|endswith: '\tapi32.dll'
ImageLoaded|endswith: '\tbs.dll'
ImageLoaded|endswith: '\tdh.dll'
ImageLoaded|endswith: '\textshaping.dll'
ImageLoaded|endswith: '\timesync.dll'
ImageLoaded|endswith: '\tpmcoreprovisioning.dll'
ImageLoaded|endswith: '\tquery.dll'
ImageLoaded|endswith: '\tsworkspace.dll'
ImageLoaded|endswith: '\ttdrecord.dll'
ImageLoaded|endswith: '\twext.dll'
ImageLoaded|endswith: '\twinapi.dll'
ImageLoaded|endswith: '\twinui.appcore.dll'
ImageLoaded|endswith: '\uianimation.dll'
ImageLoaded|endswith: '\uiautomationcore.dll'
ImageLoaded|endswith: '\uireng.dll'
ImageLoaded|endswith: '\uiribbon.dll'
ImageLoaded|endswith: '\umpdc.dll'
ImageLoaded|endswith: '\unattend.dll'
ImageLoaded|endswith: '\updatepolicy.dll'
ImageLoaded|endswith: '\upshared.dll'
ImageLoaded|endswith: '\urlmon.dll'
ImageLoaded|endswith: '\userenv.dll'
ImageLoaded|endswith: '\utcutil.dll'
ImageLoaded|endswith: '\utildll.dll'
ImageLoaded|endswith: '\uxinit.dll'
ImageLoaded|endswith: '\uxtheme.dll'
ImageLoaded|endswith: '\vaultcli.dll'
ImageLoaded|endswith: '\vdsutil.dll'
ImageLoaded|endswith: '\version.dll'
ImageLoaded|endswith: '\virtdisk.dll'
ImageLoaded|endswith: '\vssapi.dll'
ImageLoaded|endswith: '\vsstrace.dll'
ImageLoaded|endswith: '\wbemcomn.dll'
ImageLoaded|endswith: '\wbemprox.dll'
ImageLoaded|endswith: '\wbemsvc.dll'
ImageLoaded|endswith: '\wcmapi.dll'
ImageLoaded|endswith: '\wcnnetsh.dll'
ImageLoaded|endswith: '\wdi.dll'
ImageLoaded|endswith: '\wdscore.dll'
ImageLoaded|endswith: '\webservices.dll'
ImageLoaded|endswith: '\wecapi.dll'
ImageLoaded|endswith: '\wer.dll'
ImageLoaded|endswith: '\wevtapi.dll'
ImageLoaded|endswith: '\whhelper.dll'
ImageLoaded|endswith: '\wimgapi.dll'
ImageLoaded|endswith: '\winbio.dll'
ImageLoaded|endswith: '\winbrand.dll'
ImageLoaded|endswith: '\windows.storage.dll'
ImageLoaded|endswith: '\windows.storage.search.dll'
ImageLoaded|endswith: '\windows.ui.immersive.dll'
ImageLoaded|endswith: '\windowscodecs.dll'
ImageLoaded|endswith: '\windowscodecsext.dll'
ImageLoaded|endswith: '\windowsudk.shellcommon.dll'
ImageLoaded|endswith: '\winhttp.dll'
ImageLoaded|endswith: '\wininet.dll'
ImageLoaded|endswith: '\winipsec.dll'
ImageLoaded|endswith: '\winmde.dll'
ImageLoaded|endswith: '\winmm.dll'
ImageLoaded|endswith: '\winnsi.dll'
ImageLoaded|endswith: '\winrnr.dll'
ImageLoaded|endswith: '\winscard.dll'
ImageLoaded|endswith: '\winsqlite3.dll'
ImageLoaded|endswith: '\winsta.dll'
ImageLoaded|endswith: '\winsync.dll'
ImageLoaded|endswith: '\wkscli.dll'
ImageLoaded|endswith: '\wlanapi.dll'
ImageLoaded|endswith: '\wlancfg.dll'
ImageLoaded|endswith: '\wldp.dll'
ImageLoaded|endswith: '\wlidprov.dll'
ImageLoaded|endswith: '\wmiclnt.dll'
ImageLoaded|endswith: '\wmidcom.dll'
ImageLoaded|endswith: '\wmiutils.dll'
ImageLoaded|endswith: '\wmpdui.dll'
ImageLoaded|endswith: '\wmsgapi.dll'
ImageLoaded|endswith: '\wofutil.dll'
ImageLoaded|endswith: '\wow64log.dll'
ImageLoaded|endswith: '\wpdshext.dll'
ImageLoaded|endswith: '\wscapi.dll'
ImageLoaded|endswith: '\wsdapi.dll'
ImageLoaded|endswith: '\wshbth.dll'
ImageLoaded|endswith: '\wshelper.dll'
ImageLoaded|endswith: '\wsmsvc.dll'
ImageLoaded|endswith: '\wtsapi32.dll'
ImageLoaded|endswith: '\wwancfg.dll'
ImageLoaded|endswith: '\wwapi.dll'
ImageLoaded|endswith: '\xmllite.dll'
ImageLoaded|endswith: '\xolehlp.dll'
ImageLoaded|endswith: '\xpsservices.dll'
ImageLoaded|endswith: '\xwizards.dll'
ImageLoaded|endswith: '\xwtpw32.dll'

Stage 2: `not 1 of filter_main_*`

or:
or:
Image|endswith: '\TiWorker.exe'
Image|endswith: '\wuaucltcore.exe'
or:
Image|startswith: 'C:\Windows\UUS\arm64\'
Image|startswith: 'C:\Windows\WinSxS\arm64'
ImageLoaded|startswith: 'C:\Windows\Temp\'
ImageLoaded|endswith: '\cscui.dll'
ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\'
ImageLoaded|endswith: '\d3dx9_43.dll'
ImageLoaded|startswith: 'C:\Program Files\WindowsApps\Microsoft.DirectXRuntime_'
ImageLoaded|endswith: '\version.dll'
ImageLoaded|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
ImageLoaded|contains: 'C:\$WINDOWS.~BT\'
ImageLoaded|contains: 'C:\$WinREAgent\'
ImageLoaded|contains: 'C:\Windows\SoftwareDistribution\'
ImageLoaded|contains: 'C:\Windows\SyChpe32\'
ImageLoaded|contains: 'C:\Windows\SysWOW64\'
ImageLoaded|contains: 'C:\Windows\System32\'
ImageLoaded|contains: 'C:\Windows\SystemTemp\'
ImageLoaded|contains: 'C:\Windows\WinSxS\'

Stage 3: `not 1 of filter_optional_*`

or:
or:
Image|contains: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
Image|contains: 'C:\Windows\System32\backgroundTaskHost.exe'
ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
or:
Image|startswith: 'C:\Program Files (x86)\CheckPoint\'
Image|startswith: 'C:\Program Files\CheckPoint\'
or:
ImageLoaded|startswith: 'C:\Program Files (x86)\CheckPoint\'
ImageLoaded|startswith: 'C:\Program Files\CheckPoint\'
Image|endswith: '\SmartConsole.exe'
ImageLoaded|endswith: '\PolicyManager.dll'
or:
ImageLoaded|endswith: '\mi.dll'
ImageLoaded|endswith: '\miutils.dl'
ImageLoaded|startswith: 'C:\Program Files\Arsenal-Image-Mounter-'
Image|endswith: '\wldp.dll'
Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
ImageLoaded|endswith: '\mswb7.dll'
ImageLoaded|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`\SmartConsole.exe` `\TiWorker.exe` corpus 7 (sigma 7) `\wldp.dll` `\wuaucltcore.exe` corpus 2 (sigma 2)
`Image`	eq	`C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe`
`Image`	match	`C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs` `C:\Windows\System32\backgroundTaskHost.exe`
`Image`	starts_with	`C:\Program Files (x86)\CheckPoint\` `C:\Program Files\CheckPoint\` `C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs` `C:\Windows\UUS\arm64\` `C:\Windows\WinSxS\arm64`
`ImageLoaded`	ends_with	`\COMRES.DLL` `\DispBroker.dll` `\FXSRESM.DLL` `\FxsCompose.dll` `\PolicyManager.dll` `\PrintIsolationProxy.dll` `\TSMSISrv.dll` `\TSVIPSrv.dll` `\WLBSCTRL.dll` `\WfsR.dll` `\WptsExtensions.dll` `\aclui.dll` `\activeds.dll` `\adsldpc.dll` `\aepic.dll` `\amsi.dll` corpus 2 (sigma 2) `\apphelp.dll` `\applicationframe.dll` `\appraiser.dll` `\appvpolicy.dll` `\appxalluserstore.dll` `\appxdeploymentclient.dll` `\archiveint.dll` `\atl.dll` `\audioses.dll` `\auditpolcore.dll` `\authfwcfg.dll` `\authz.dll` `\avrt.dll` `\batmeter.dll` `\bcd.dll` `\bcp47langs.dll` `\bcp47mrm.dll` `\bcrypt.dll` `\bderepair.dll` `\bootmenuux.dll` `\bootux.dll` `\cabinet.dll` `\cabview.dll` `\certcli.dll` `\certenroll.dll` `\cfgmgr32.dll` `\cldapi.dll` `\clipc.dll` `\clusapi.dll` `\cmpbk32.dll` `\cmutil.dll` `\coloradapterclient.dll` `\colorui.dll` `\comdlg32.dll` `\configmanager2.dll` `\connect.dll` `\coredplus.dll` `\coremessaging.dll` `\coreuicomponents.dll` `\credui.dll` corpus 2 (sigma 2) `\cryptbase.dll` corpus 2 (sigma 2) `\cryptdll.dll` `\cryptnet.dll` `\cryptsp.dll` corpus 2 (sigma 2) `\cryptui.dll` `\cryptxml.dll` `\cscapi.dll` `\cscobj.dll` `\cscui.dll` `\d2d1.dll` `\d3d10.dll` `\d3d10_1.dll` `\d3d10_1core.dll` `\d3d10core.dll` `\d3d10warp.dll` `\d3d11.dll` `\d3d12.dll` `\d3d9.dll` `\d3dx9_43.dll` `\dataexchange.dll` `\davclnt.dll` `\dcntel.dll` `\dcomp.dll` `\defragproxy.dll` `\desktopshellext.dll` `\deviceassociation.dll` `\devicecredential.dll` `\devicepairing.dll` `\devobj.dll` `\devrtl.dll` `\dhcpcmonitor.dll` `\dhcpcsvc.dll` `\dhcpcsvc6.dll` `\directmanipulation.dll` `\dismapi.dll` `\dismcore.dll` corpus 2 (sigma 2) `\dmcfgutils.dll` `\dmcmnutils.dll` `\dmcommandlineutils.dll` `\dmenrollengine.dll` `\dmenterprisediagnostics.dll` `\dmiso8601utils.dll` `\dmoleaututils.dll` `\dmprocessxmlfiltered.dll` `\dmpushproxy.dll` `\dmxmlhelputils.dll` `\dnsapi.dll` `\dot3api.dll` `\dot3cfg.dll` `\dpx.dll` `\drprov.dll` `\drvstore.dll` `\dsclient.dll` `\dsound.dll` `\dsparse.dll` `\dsprop.dll` `\dsreg.dll` `\dsrole.dll` `\dui70.dll` `\duser.dll` `\dusmapi.dll` `\dwmapi.dll` `\dwmcore.dll` `\dwrite.dll` `\dxcore.dll` `\dxgi.dll` `\dxilconv.dll` `\dxva2.dll` `\dynamoapi.dll` `\eappcfg.dll` `\eappprxy.dll` `\edgeiso.dll` `\edputil.dll` corpus 2 (sigma 2) `\efsadu.dll` `\efsutil.dll` `\esent.dll` `\execmodelproxy.dll` `\explorerframe.dll` `\fastprox.dll` `\faultrep.dll` `\fddevquery.dll` `\feclient.dll` `\fhcfg.dll` `\fhsvcctl.dll` `\firewallapi.dll` `\flightsettings.dll` `\fltlib.dll` `\framedynos.dll` `\fveapi.dll` `\fveskybackup.dll` `\fvewiz.dll` `\fwbase.dll` `\fwcfg.dll` `\fwpolicyiomgr.dll` `\fwpuclnt.dll` `\fxsapi.dll` `\fxsst.dll` `\fxstiff.dll` `\getuname.dll` `\gpapi.dll` `\hid.dll` `\hnetmon.dll` `\httpapi.dll` `\icmp.dll` `\idstore.dll` `\ieadvpack.dll` `\iedkcs32.dll` `\iernonce.dll` `\iertutil.dll` `\ifmon.dll` `\ifsutil.dll` `\igd10iumd64.dll` `\igd12umd64.dll` `\igdumdim64.dll` `\igdusc64.dll` `\inproclogger.dll` `\iphlpapi.dll` corpus 2 (sigma 2) `\iri.dll` `\iscsidsc.dll` `\iscsium.dll` `\isv.exe_rsaenh.dll` `\iumbase.dll` `\iumsdk.dll` `\joinutil.dll` `\kdstub.dll` `\ksuser.dll` `\ktmw32.dll` `\licensemanagerapi.dll` `\licensingdiagspp.dll` `\linkinfo.dll` `\loadperf.dll` `\lockhostingframework.dll` `\logoncli.dll` `\logoncontroller.dll` `\lpksetupproxyserv.dll` `\lrwizdll.dll` `\magnification.dll` `\maintenanceui.dll` `\mapistub.dll` `\mbaexmlparser.dll` `\mdmdiagnostics.dll` `\mfc42u.dll` `\mfcore.dll` `\mfplat.dll` `\mi.dll` `\midimap.dll` `\mintdh.dll` `\miutils.dl` `\miutils.dll` `\mlang.dll` `\mmdevapi.dll` `\mobilenetworking.dll` `\mpr.dll` `\mprapi.dll` `\mrmcorer.dll` `\msacm32.dll` `\mscms.dll` `\mscoree.dll` corpus 2 (sigma 2) `\msctf.dll` `\msctfmonitor.dll` `\msdrm.dll` `\msdtcVSp1res.dll` `\msdtctm.dll` `\msftedit.dll` `\msi.dll` `\msiso.dll` `\msutb.dll` `\msvcp110_win.dll` `\mswb7.dll` `\mswsock.dll` `\msxml3.dll` `\mtxclu.dll` `\napinsp.dll` `\ncrypt.dll` `\ndfapi.dll` `\netapi32.dll` `\netid.dll` `\netiohlp.dll` `\netjoin.dll` `\netplwiz.dll` `\netprofm.dll` `\netprovfw.dll` `\netsetupapi.dll` `\netshell.dll` `\nettrace.dll` `\netutils.dll` `\networkexplorer.dll` `\newdev.dll` `\ninput.dll` `\nlaapi.dll` `\nlansp_c.dll` `\npmproxy.dll` `\nshhttp.dll` `\nshipsec.dll` `\nshwfp.dll` `\ntdsapi.dll` `\ntlanman.dll` `\ntlmshared.dll` `\ntmarta.dll` `\ntshrui.dll` `\oleacc.dll` `\omadmapi.dll` `\onex.dll` `\opcservices.dll` `\osbaseln.dll` `\osksupport.dll` `\osuninst.dll` `\p2p.dll` `\p2pnetsh.dll` `\p9np.dll` `\pcaui.dll` `\pdh.dll` `\peerdistsh.dll` `\pkeyhelper.dll` `\pla.dll` `\playsndsrv.dll` `\pnrpnsp.dll` `\policymanager.dll` `\polstore.dll` `\powrprof.dll` `\printui.dll` `\prntvpt.dll` `\profapi.dll` corpus 2 (sigma 2) `\propsys.dll` `\proximitycommon.dll` `\proximityservicepal.dll` `\prvdmofcomp.dll` `\puiapi.dll` `\radcui.dll` `\rasapi32.dll` `\rasdlg.dll` `\rasgcw.dll` `\rasman.dll` `\rasmontr.dll` `\rdpendp.dll` `\reagent.dll` `\regapi.dll` `\reseteng.dll` `\resetengine.dll` `\resutils.dll` `\rmclient.dll` `\rpchttp.dll` `\rpcnsh.dll` `\rsaenh.dll` `\rtutils.dll` `\rtworkq.dll` `\samcli.dll` `\samlib.dll` `\sapi_onecore.dll` `\sas.dll` `\scansetting.dll` `\scecli.dll` `\schedcli.dll` `\secur32.dll` `\security.dll` `\sensapi.dll` `\shell32.dll` `\shfolder.dll` `\slc.dll` `\snmpapi.dll` `\spectrumsyncclient.dll` `\spp.dll` `\sppc.dll` `\sppcext.dll` `\srclient.dll` `\srcore.dll` `\srmtrace.dll` `\srpapi.dll` `\srvcli.dll` `\ssp.exe_rsaenh.dll` `\ssp_isv.exe_rsaenh.dll` `\sspicli.dll` corpus 2 (sigma 2) `\ssshim.dll` `\staterepository.core.dll` `\storageusage.dll` `\structuredquery.dll` `\sxshared.dll` `\systemsettingsthresholdadminflowui.dll` `\tapi32.dll` `\tbs.dll` `\tdh.dll` `\textshaping.dll` `\timesync.dll` `\tpmcoreprovisioning.dll` `\tquery.dll` `\tsworkspace.dll` `\ttdrecord.dll` corpus 2 (sigma 2) `\twext.dll` `\twinapi.dll` `\twinui.appcore.dll` `\uianimation.dll` `\uiautomationcore.dll` `\uireng.dll` `\uiribbon.dll` `\umpdc.dll` `\unattend.dll` `\updatepolicy.dll` `\upshared.dll` `\urlmon.dll` `\userenv.dll` `\utcutil.dll` `\utildll.dll` `\uxinit.dll` `\uxtheme.dll` `\vaultcli.dll` `\vdsutil.dll` `\version.dll` corpus 2 (sigma 2) `\virtdisk.dll` `\vssapi.dll` corpus 2 (sigma 2) `\vsstrace.dll` corpus 2 (sigma 2) `\wbemcomn.dll` `\wbemprox.dll` `\wbemsvc.dll` `\wcmapi.dll` `\wcnnetsh.dll` `\wdi.dll` `\wdscore.dll` `\webservices.dll` `\wecapi.dll` `\wer.dll` `\wevtapi.dll` `\whhelper.dll` `\wimgapi.dll` `\winbio.dll` `\winbrand.dll` `\windows.storage.dll` `\windows.storage.search.dll` `\windows.ui.immersive.dll` `\windowscodecs.dll` `\windowscodecsext.dll` `\windowsudk.shellcommon.dll` `\winhttp.dll` `\wininet.dll` corpus 2 (sigma 2) `\winipsec.dll` `\winmde.dll` `\winmm.dll` `\winnsi.dll` `\winrnr.dll` `\winscard.dll` `\winsqlite3.dll` `\winsta.dll` corpus 2 (sigma 2) `\winsync.dll` `\wkscli.dll` `\wlanapi.dll` `\wlancfg.dll` `\wldp.dll` corpus 2 (sigma 2) `\wlidprov.dll` `\wmiclnt.dll` `\wmidcom.dll` `\wmiutils.dll` `\wmpdui.dll` `\wmsgapi.dll` `\wofutil.dll` `\wow64log.dll` `\wpdshext.dll` `\wscapi.dll` `\wsdapi.dll` `\wshbth.dll` `\wshelper.dll` `\wsmsvc.dll` `\wtsapi32.dll` corpus 2 (sigma 2) `\wwancfg.dll` `\wwapi.dll` `\xmllite.dll` `\xolehlp.dll` `\xpsservices.dll` `\xwizards.dll` `\xwtpw32.dll`
`ImageLoaded`	eq	`C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll`
`ImageLoaded`	match	`C:\$WINDOWS.~BT\` `C:\$WinREAgent\` `C:\Windows\SoftwareDistribution\` `C:\Windows\SyChpe32\` `C:\Windows\SysWOW64\` `C:\Windows\System32\` `C:\Windows\SystemTemp\` `C:\Windows\WinSxS\`
`ImageLoaded`	starts_with	`C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\` `C:\Program Files (x86)\CheckPoint\` `C:\Program Files\Arsenal-Image-Mounter-` `C:\Program Files\CheckPoint\` `C:\Program Files\Microsoft\Exchange Server\` `C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs` `C:\Program Files\WindowsApps\Microsoft.DirectXRuntime_` `C:\ProgramData\Microsoft\Windows Defender\Platform\` corpus 2 (sigma 2) `C:\Windows\Microsoft.NET\` `C:\Windows\Temp\`