Merge PR #4906 from @fornotes - Update and add new dll sideloading rules

update: Potential System DLL Sideloading From Non System Locations - Add new entries to increase coverage new: Potential DLL Sideloading Of DbgModel.DLL new: Potential DLL Sideloading Of MpSvc.DLL new: Potential DLL Sideloading Of MsCorSvc.DLL --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
SigmaHQ · Jul 11, 2024 · d4cb9fd · d4cb9fd
1 parent c2915a6
commit d4cb9fd
Show file tree

Hide file tree

Showing 6 changed files with 206 additions and 113 deletions.
diff --git a/...load/image_load_side_load_dbgcore_dll.yml → ...age_load/image_load_side_load_dbgcore.yml b/...load/image_load_side_load_dbgcore_dll.yml → ...age_load/image_load_side_load_dbgcore.yml
diff --git a/...load/image_load_side_load_dbghelp_dll.yml → ...age_load/image_load_side_load_dbghelp.yml b/...load/image_load_side_load_dbghelp_dll.yml → ...age_load/image_load_side_load_dbghelp.yml
@@ -1,7 +1,7 @@
 title: Potential DLL Sideloading Of DBGHELP.DLL
 id: 6414b5cd-b19d-447e-bb5e-9f03940b5784
 status: test
-description: Detects DLL sideloading of "dbghelp.dll"
+description: Detects potential DLL sideloading of "dbghelp.dll"
 references:
     - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
 author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)

diff --git a/rules/windows/image_load/image_load_side_load_dbgmodel.yml b/rules/windows/image_load/image_load_side_load_dbgmodel.yml
@@ -0,0 +1,32 @@
+title: Potential DLL Sideloading Of DbgModel.DLL
+id: fef394cd-f44d-4040-9b18-95d92fe278c0
+status: experimental
+description: Detects potential DLL sideloading of "DbgModel.dll"
+references:
+    - https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html
+author: Gary Lobermier
+date: 2024/07/11
+tags:
+    - attack.defense_evasion
+    - attack.t1574.002
+logsource:
+    product: windows
+    category: image_load
+detection:
+    selection:
+        ImageLoaded|endswith: '\dbgmodel.dll'
+    filter_main_generic:
+        ImageLoaded|startswith:
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\SysWOW64\'
+            - 'C:\Windows\WinSxS\'
+    filter_main_optional_windbg:
+        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\Microsoft.WinDbg_'
+    filter_main_optional_windows_kits:
+        ImageLoaded|startswith:
+            - 'C:\Program Files (x86)\Windows Kits\'
+            - 'C:\Program Files\Windows Kits\'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+    - Legitimate applications loading their own versions of the DLL mentioned in this rule
+level: medium