Merge PR #5837 from @swachchhanda000 - Add Potential Vcruntime140 DLL Sideloading

new: Potential Vcruntime140 DLL Sideloading

regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/d7a63acb-1284-49bc-bfea-7771146c8b1c.json

@@ -0,0 +1,59 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 7,
+      "Version": 3,
+      "Level": 4,
+      "Task": 7,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-01-12T07:51:17.415898Z"
+        }
+      },
+      "EventRecordID": 91509,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4048,
+          "ThreadID": 4752
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-01-12 07:51:17.273",
+      "ProcessGuid": "0197231E-A7F4-6964-850A-000000000D00",
+      "ProcessId": 20204,
+      "Image": "C:\\Users\\xodih\\AppData\\Local\\Temp\\sqlwriter.exe",
+      "ImageLoaded": "C:\\Users\\xodih\\AppData\\Local\\Temp\\vcruntime140.dll",
+      "FileVersion": "-",
+      "Description": "-",
+      "Product": "-",
+      "Company": "-",
+      "OriginalFileName": "-",
+      "Hashes": "MD5=6349C0AF16BBD22B44BCBBE25C19D82D,SHA256=E7801D25E1A0AA8FFA929D76C31CC604BBB2404F7B8396F0BF3DE325E034E257,IMPHASH=376F17C483A08D322404D3C4A8F0A5CE",
+      "Signed": "false",
+      "Signature": "-",
+      "SignatureStatus": "Unavailable",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/info.yml

@@ -0,0 +1,13 @@
+id: ab5d5d49-1f76-4287-ae73-903ed8cca111
+description: N/A
+date: 2026-01-12
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: d7a63acb-1284-49bc-bfea-7771146c8b1c
+      title: Potential Vcruntime140 DLL Sideloading
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/d7a63acb-1284-49bc-bfea-7771146c8b1c.evtx

rules/windows/image_load/image_load_side_load_vcruntime140.yml

@@ -0,0 +1,39 @@
+title: Potential Vcruntime140 DLL Sideloading
+id: d7a63acb-1284-49bc-bfea-7771146c8b1c
+status: experimental
+description: |
+    Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library.
+    Threat actors have been observed using DLL sideloading techniques to load malicious payloads under the guise of legitimate applications such as SqlWriter, SqlDumper etc.
+    Notably, APT29 has been documented leveraging WinELOADER to sideload vcruntime140.dll for executing malicious code.
+references:
+    - https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
+    - https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
+    - https://www.nextron-systems.com/2023/09/15/detecting-janelarat-with-yara-and-thor/
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-01-12
+tags:
+    - attack.defense-evasion
+    - attack.persistence
+    - attack.privilege-escalation
+    - attack.t1574.001
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|endswith: '\vcruntime140.dll'
+    filter_main_legitimate_path:
+        ImageLoaded|startswith:
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\SysWOW64\'
+            - 'C:\Program Files\'
+            - 'C:\Program Files (x86)\'
+    filter_main_legitimate_signer:
+        Signed: true
+        SignatureStatus: 'Valid'
+        Description: 'Microsoft® C Runtime Library'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: high
+regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/info.yml