detection.wiki

Detection rules › Sigma

Third Party Software DLL Sideloading

Severity
medium
Author
Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
Source
upstream

Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1574.001 Hijack Execution Flow: DLL
Privilege EscalationT1574.001 Hijack Execution Flow: DLL
Defense EvasionT1574.001 Hijack Execution Flow: DLL

Event coverage

ProviderEvent IDTitle
Sysmon7Image loaded

Stages and Predicates

Stage 1: selection_lenovo

ImageLoaded|endswith: '\commfunc.dll'

Stage 2: not filter_lenovo

or:
ImageLoaded|contains: '\AppData\local\Google\Chrome\Application\'
ImageLoaded|startswith: 'C:\Program Files (x86)\Lenovo\Communications Utility\'
ImageLoaded|startswith: 'C:\Program Files\Lenovo\Communications Utility\'

Stage 3: selection_toshiba

ImageLoaded|endswith: '\tosbtkbd.dll'

Stage 4: not filter_toshiba

or:
ImageLoaded|startswith: 'C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\'
ImageLoaded|startswith: 'C:\Program Files\Toshiba\Bluetooth Toshiba Stack\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
ImageLoadedends_with
  • \commfunc.dll
  • \tosbtkbd.dll
ImageLoadedmatch
  • \AppData\local\Google\Chrome\Application\ corpus 2 (sigma 2)
ImageLoadedstarts_with
  • C:\Program Files (x86)\Lenovo\Communications Utility\
  • C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\
  • C:\Program Files\Lenovo\Communications Utility\
  • C:\Program Files\Toshiba\Bluetooth Toshiba Stack\