34c5d66c22
chore: update mitre tags to use attack v19
title: Potential Vcruntime140 DLL Sideloading
id: d7a63acb-1284-49bc-bfea-7771146c8b1c
status: experimental
description: |
Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library.
Threat actors have been observed using DLL sideloading techniques to load malicious payloads under the guise of legitimate applications such as SqlWriter, SqlDumper etc.
Notably, APT29 has been documented leveraging WinELOADER to sideload vcruntime140.dll for executing malicious code.
references:
- https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
- https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
- https://www.nextron-systems.com/2023/09/15/detecting-janelarat-with-yara-and-thor/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-12
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\vcruntime140.dll'
filter_main_legitimate_path:
ImageLoaded|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
filter_main_legitimate_signer:
Signed: true
SignatureStatus: 'Valid'
Description: 'Microsoft® C Runtime Library'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/info.yml
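Review bot: `filter_main_legitimate_signer` excludes any vcruntime140.dll whose signature chain is merely trusted, because it checks `Signed` and `SignatureStatus` but never the signer, and `Description` is a PE version-resource string an attacker sets freely — a sideloaded copy signed with any code-signing certificate and carrying "Microsoft® C Runtime Library" is silently filtered out. Pin the publisher in the same filter, e.g. `Signature: 'Microsoft Corporation'` next to the existing `SignatureStatus: 'Valid'`, so only a Microsoft-signed library is excluded. The tag `attack.stealth` presumably stands in for what was `attack.defense-evasion` under the renamed tactic; confirm that the Sigma taxonomy used by the repository's validator already lists it, otherwise the rule will fail CI rather than the tag change taking effect. The description's "WinELOADER" looks like a typo for WINELOADER, the name used in the two cited write-ups.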