security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da07164ce0d651bf72691bac1cfcafbf20249de
blue-team-tools/rules/windows/image_load/image_load_side_load_antivirus.yml
T
Nasreddine Bencherchali cd863c75b9 Update image_load_side_load_antivirus.yml
2022-10-25 23:52:15 +02:00

64 lines
2.7 KiB
YAML
Raw Blame History

title: Antivirus Software DLL Sideloading
id: 552b6b65-df37-4d3e-a258-f2fc4771ae54
status: experimental
description: Detects DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali, Wietze Beukema (project and research)
date: 2022/08/17
modified: 2022/10/25
tags:
- attack.defense_evasion
- attack.persistence
- attack.privilege_escalation
- attack.t1574.001
- attack.t1574.002
logsource:
category: image_load
product: windows
detection:
# Bitdefender
selection_bitdefender:
ImageLoaded|endswith: '\log.dll'
filter_log_dll_bitdefender:
ImageLoaded|startswith:
- 'C:\Program Files\Bitdefender Antivirus Free\'
- 'C:\Program Files (x86)\Bitdefender Antivirus Free\'
filter_log_dll_dell_sar:
Image: 'C:\Program Files\Dell\SARemediation\audit\TelemetryUtility.exe'
ImageLoaded:
- 'C:\Program Files\Dell\SARemediation\plugin\log.dll'
- 'C:\Program Files\Dell\SARemediation\audit\log.dll'
filter_log_dll_canon:
ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\'
# F-Secure
selection_fsecure:
ImageLoaded|endswith: '\qrt.dll'
filter_fsecure:
ImageLoaded|startswith:
- 'C:\Program Files\F-Secure\Anti-Virus\'
- 'C:\Program Files (x86)\F-Secure\Anti-Virus\'
# McAfee
selection_mcafee:
ImageLoaded|endswith:
- '\ashldres.dll'
- '\lockdown.dll'
- '\vsodscpl.dll'
filter_mcafee:
ImageLoaded|startswith:
- 'C:\Program Files\McAfee\'
- 'C:\Program Files (x86)\McAfee\'
# CyberArk
selection_cyberark:
ImageLoaded|endswith: '\vftrace.dll'
filter_cyberark:
ImageLoaded|startswith:
- 'C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\'
- 'C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\'
condition: (selection_bitdefender and not 1 of filter_log_dll_*) or (selection_fsecure and not filter_fsecure) or (selection_mcafee and not filter_mcafee) or (selection_cyberark and not filter_cyberark)
falsepositives:
- Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.
- Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file.
- The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file
level: medium
Reference in New Issue View Git Blame Copy Permalink