diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index 9ba7d5d57..22c45a0a9 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml @@ -1,7 +1,7 @@ title: Potential System DLL Sideloading From Non System Locations id: 4fc0deee-0057-4998-ab31-d24e46e0aba4 status: experimental -description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...) +description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.) references: - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there). Wietze Beukema (project and research) - https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll @@ -9,7 +9,7 @@ references: - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex) author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/14 -modified: 2023/05/05 +modified: 2023/05/16 tags: - attack.defense_evasion - attack.persistence 
@@ -462,6 +462,15 @@ detection: filter_optional_dell_wldp: Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs' Image|endswith: '\wldp.dll' + filter_optional_checkpoint: + Image|startswith: + - 'C:\Program Files\CheckPoint\' + - 'C:\Program Files (x86)\CheckPoint\' + Image|endswith: '\SmartConsole.exe' + ImageLoaded|startswith: + - 'C:\Program Files\CheckPoint\' + - 'C:\Program Files (x86)\CheckPoint\' + ImageLoaded|endswith: '\PolicyManager.dll' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Legitimate applications loading their own versions of the DLLs mentioned in this rule
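Review bot: In `filter_optional_checkpoint`, the two `|startswith` lists are ORed within each field and ANDed across fields, so the exemption covers SmartConsole.exe under either CheckPoint directory loading PolicyManager.dll from either CheckPoint directory; that cross-product is slightly wider than the two exact pairings (x64 with x64, x86 with x86), but both roots are under Program Files, so it is an acceptable trade for a shorter filter. Please confirm that `\PolicyManager.dll` is present in the rule's `selection` list (not visible in this hunk); if it is not, the new filter never matches and is dead weight. No `condition` edit is needed because the existing `and not 1 of filter_optional_*` already picks the new block up, which is consistent with how `filter_optional_dell_wldp` directly above it is wired in.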