From 3a0fbc4bfa4b88f41492ed687e0ad2e1b9acbe65 Mon Sep 17 00:00:00 2001 From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Date: Tue, 28 Apr 2026 03:40:25 +0545 Subject: [PATCH] Merge PR #5837 from @swachchhanda000 - Add `Potential Vcruntime140 DLL Sideloading` new: Potential Vcruntime140 DLL Sideloading --- .../d7a63acb-1284-49bc-bfea-7771146c8b1c.evtx | Bin 0 -> 69632 bytes .../d7a63acb-1284-49bc-bfea-7771146c8b1c.json | 59 ++++++++++++++++++ .../info.yml | 13 ++++ .../image_load_side_load_vcruntime140.yml | 39 ++++++++++++ 4 files changed, 111 insertions(+) create mode 100644 regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/d7a63acb-1284-49bc-bfea-7771146c8b1c.evtx create mode 100644 regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/d7a63acb-1284-49bc-bfea-7771146c8b1c.json create mode 100644 regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/info.yml create mode 100644 rules/windows/image_load/image_load_side_load_vcruntime140.yml 
diff --git a/regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/d7a63acb-1284-49bc-bfea-7771146c8b1c.evtx b/regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/d7a63acb-1284-49bc-bfea-7771146c8b1c.evtx new file mode 100644 index 0000000000000000000000000000000000000000..593d4c7793599353e154ba6eeb0f3b69282f2846 GIT binary patch literal 69632 zcmeI0S!`5g6vxlKGjltgc4k^l6%~-pg~pb)w6v_I+W?_OHboPHsZ0xnc3Nr6B8ed) zF`B6OU^L-{@PZ`97ostQ#AxCxnn>ajV>G^KVoXqp3lHP}f0u3o4dCPd-rPIia=!DO z?|063zT0*V^yT^odTsjUh7CvY>srjL!kI2|+x6DJudcamB~l;)A|L`HAOa#F0wN#+ zA|L`HAOa#VBZ1C=zV*c{I+ zl{EW3VfIsea*tU9+E?S>5I1{WoMFt%n3LBW%*pG|Q2yPpooy%4);G$C&bYXuuc{Uto! z-mvpRHerWs&<4;sf{ujKWP2bsYQwg|mf#+-U1;frOb^Pn`0Yo_ej7q<$oe2zi~11S zm)Jq{74X|&b+{W*sfW5`j>;%`#687g{!tRKto_e~(WOx!#-6EiRFl-U9_M3FwL zw8WkW#ri?2fIc@@v z=-50|xCMBCh&Y`?O$l3sO0;wKewMTi=spa;4S{1G+$ox{syMK3LgkH6 zl?oFn}(~L&nF$UBsALbtE;#gV7-1@vJiDq!29=xg-}$PoljA3TZMe z3CO#dl%;6PaSVzQ!s*}2tlbx*9Rt245!M}$%jLoyp1Pc}R%jfB;f$71tTfP@DY2}_ zq(HYfeOhUpI?%*5U1w05;ZiIPVvZ<@eE5DT7I4Tne9WIHaPK@Nqt!w#_TQ# zj^GZhNLtckYNczBFHeH-o{((>AX93|m{Z}06O%EoV+hf9NcJF*3clTRT7@}rr&wGC z0cJHiZe=0qgBnCA(70f)xCy5mCLF|gZfrh*t~^@Ex(zC#Bz&qi33t*hW3VhhXm&p& zyeJ>{b$RwU6jFP*u5!CG7SB}L{J7l#QG}lVAX0H)1*=F}l_jkby$ErX_#`dm%VD_R zUWZzRWo;dP7kl#|Q-V9Zjz)R$^Q_qkOf%LSoRl$a23`qH-3^3{v|*Ec(UiNEiNg8L(gN@j{6d0*^4^)XXCFP3Lr zy|DG4FOGk3>U3u38bl(c;KK$KdFt}&c!2>HCGQSjZ4cU+7nkFgr!eE}m7zFt6(?oy zJ$O9k!-SJWY>&Z$-tnC1rr{Dg`hjr#-4oI!aOEh7McdX*!y?MogtETt1I=aAf;vj9 zZrZgh$1D!V+&7{BzZ)TMZaQX3%Fhqw>HX091VV}j&u-Z7rV&QhwPixC3!dzOf4P(0 zbm9hMa_|tzOij*i+PlG+4#@LJefW;RhxoH=VqJEHfK7EO+-| z$d(4O%^@2y4cSy6)@a3UJO#)PShSw#^mEhLP$af699=ar+QYWufzG3S1oM>LKys@; z3v&&LmIsp8^ll`{KxD?C*V2J}Q)q*KTm%u6#onX+v_6vGic(OcRXDt9KckM3&U_KB zK0cmw+;kRFaij`t3#5wLFl{iU>_j<_hwam!YV0;99Jb$uXAzzn|I?)b9~3qCbg9R? 
z9xd}wZpPN~3oXPhePhoOP+bAmL`V<| zzXrS?fv4ADBzu-YUnl6b_=KsU3H5sPQg2crlVzyEcKfCz|y z2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0P zh=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%) zfCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y z2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0P zh=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%) zfCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y x2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph=2%)fCz|y2#A0Ph`{v-{0s0h;imuq literal 0 HcmV?d00001 diff --git a/regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/d7a63acb-1284-49bc-bfea-7771146c8b1c.json b/regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/d7a63acb-1284-49bc-bfea-7771146c8b1c.json new file mode 100644 index 000000000..42cb2a602 --- /dev/null +++ b/regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/d7a63acb-1284-49bc-bfea-7771146c8b1c.json 
@@ -0,0 +1,59 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 7,
+ "Version": 3,
+ "Level": 4,
+ "Task": 7,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2026-01-12T07:51:17.415898Z"
+ }
+ },
+ "EventRecordID": 91509,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 4048,
+ "ThreadID": 4752
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2026-01-12 07:51:17.273",
+ "ProcessGuid": "0197231E-A7F4-6964-850A-000000000D00",
+ "ProcessId": 20204,
+ "Image": "C:\\Users\\xodih\\AppData\\Local\\Temp\\sqlwriter.exe",
+ "ImageLoaded": "C:\\Users\\xodih\\AppData\\Local\\Temp\\vcruntime140.dll",
+ "FileVersion": "-",
+ "Description": "-",
+ "Product": "-",
+ "Company": "-",
+ "OriginalFileName": "-",
+ "Hashes": "MD5=6349C0AF16BBD22B44BCBBE25C19D82D,SHA256=E7801D25E1A0AA8FFA929D76C31CC604BBB2404F7B8396F0BF3DE325E034E257,IMPHASH=376F17C483A08D322404D3C4A8F0A5CE",
+ "Signed": "false",
+ "Signature": "-",
+ "SignatureStatus": "Unavailable",
+ "User": "swachchhanda\\xodih"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/info.yml b/regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/info.yml
new file mode 100644
index 000000000..ebadbe39e
--- /dev/null
+++ b/regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/info.yml
@@ -0,0 +1,13 @@
+id: ab5d5d49-1f76-4287-ae73-903ed8cca111
+description: N/A
+date: 2026-01-12
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: d7a63acb-1284-49bc-bfea-7771146c8b1c
+ title: Potential Vcruntime140 DLL Sideloading
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/d7a63acb-1284-49bc-bfea-7771146c8b1c.evtx
diff --git a/rules/windows/image_load/image_load_side_load_vcruntime140.yml b/rules/windows/image_load/image_load_side_load_vcruntime140.yml
new file mode 100644
index 000000000..54cdb6ab2
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_vcruntime140.yml
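Review bot: `regression_tests_info` carries a single positive fixture with `match_count: 1`, so neither `filter_main_legitimate_path` nor `filter_main_legitimate_signer` of the rule is exercised by the regression run; a filter that is accidentally too broad, or a `Signed` value that never compares equal to what Sysmon emits, would go unnoticed. If the harness supports a zero-match expectation, a second entry for a Sysmon Event 7 of a Microsoft-signed vcruntime140.dll loaded from under `C:\Program Files\` with `match_count: 0` would pin the exclusion paths. The `description: N/A` field could state what the positive fixture models (an unsigned vcruntime140.dll loaded by sqlwriter.exe from a user Temp directory, per the JSON), so a reader need not open the evtx.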
@@ -0,0 +1,39 @@
+title: Potential Vcruntime140 DLL Sideloading
+id: d7a63acb-1284-49bc-bfea-7771146c8b1c
+status: experimental
+description: |
+ Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library.
+ Threat actors have been observed using DLL sideloading techniques to load malicious payloads under the guise of legitimate applications such as SqlWriter, SqlDumper etc.
+ Notably, APT29 has been documented leveraging WinELOADER to sideload vcruntime140.dll for executing malicious code.
+references:
+ - https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
+ - https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
+ - https://www.nextron-systems.com/2023/09/15/detecting-janelarat-with-yara-and-thor/
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-01-12
+tags:
+ - attack.defense-evasion
+ - attack.persistence
+ - attack.privilege-escalation
+ - attack.t1574.001
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded|endswith: '\vcruntime140.dll'
+ filter_main_legitimate_path:
+ ImageLoaded|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)\'
+ filter_main_legitimate_signer:
+ Signed: true
+ SignatureStatus: 'Valid'
+ Description: 'Microsoft® C Runtime Library'
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - Unknown
+level: high
+regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/info.yml
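Review bot: `filter_main_legitimate_signer` keys its exclusion on `Description: 'Microsoft® C Runtime Library'`, but that string is read from the DLL's version resource and is attacker-controlled, while `Signed: true` with `SignatureStatus: 'Valid'` only establishes that some trusted certificate signed the file — a vcruntime140.dll signed with any valid code-signing certificate and carrying the copied Description would be excluded. Pinning the signer closes that gap: add the `Signature` field (present in the regression event as `"Signature": "-"`) to the filter with whatever value Sysmon records for the genuine copies, typically `Signature: 'Microsoft Corporation'`. Separately, the regression fixture records `"Signed": "false"` as a string, so the YAML boolean in `Signed: true` depends on the backend coercing the comparison; `Signed: 'true'` matches the field as emitted. Note also that `filter_main_legitimate_path` excludes every load from under `C:\Program Files\` regardless of signature, which is a reasonable noise trade-off but leaves writable subdirectories there out of scope — worth a line in the description or under `falsepositives`, which currently says only `Unknown`.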