Potential Antivirus Software DLL Sideloading
About the rule
Rule Type
Standard
Rule Description
Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "sa_imageloaded" AND (OBJECTNAME endswith "\log.dll" AND (
    OBJECTNAME notstartswith "C:\Program Files\Bitdefender Antivirus Free\,C:\Program Files (x86)\Bitdefender Antivirus Free"
    AND (PROCESSNAME != "C:\Program Files\Dell\SARemediation\audit\TelemetryUtility.exe" OR OBJECTNAME != "C:\Program Files\Dell\SARemediation\plugin\log.dll,C:\Program Files\Dell\SARemediation\audit\log.dll")
    AND OBJECTNAME notstartswith "C:\Program Files\Canon\MyPrinter"))
OR (OBJECTNAME endswith "\qrt.dll" AND OBJECTNAME notstartswith "C:\Program Files\F-Secure\Anti-Virus\,C:\Program Files (x86)\F-Secure\Anti-Virus")
OR (OBJECTNAME endswith "\ashldres.dll,\lockdown.dll,\vsodscpl.dll" AND OBJECTNAME notstartswith "C:\Program Files\McAfee\,C:\Program Files (x86)\McAfee")
OR (OBJECTNAME endswith "\vftrace.dll" AND OBJECTNAME notstartswith "C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\,C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32")
OR (OBJECTNAME endswith "\wsc.dll" AND OBJECTNAME notstartswith "C:\program Files\AVAST Software\Avast\,C:\program Files (x86)\AVAST Software\Avast")
OR (OBJECTNAME endswith "\tmdbglog.dll" AND OBJECTNAME notstartswith "C:\program Files\Trend Micro\Titanium\,C:\program Files (x86)\Trend Micro\Titanium")
OR (OBJECTNAME endswith "\DLPPREM32.dll" AND OBJECTNAME notstartswith "C:\program Files\ESET,C:\program Files (x86)\ESET")
select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.PRODUCT_NAME,Action1.OBJECTNAME
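The criteria above, re-implemented in plain Python and run over a handful of constructed image-load events, as an added example that is not the rule authors' code or any vendor's query engine. Every DLL name and install path is copied from the criteria; the event dictionaries, host names and process paths are made up for the example. It assumes that paths are compared case-insensitively (as Windows resolves them; the query itself mixes "Program Files" and "program Files", so check how your engine compares strings) and that the `actionname` check is meant to gate every DLL branch.

```python
# Added example (not the rule authors' or any vendor's code): the criteria
# re-implemented in Python and run over constructed image-load events.
# Assumption: paths are compared case-insensitively, as Windows treats them.

# (DLL name suffixes, directories the DLL is legitimately loaded from).
# All strings are taken from the rule's criteria.
SIDELOAD_TARGETS = [
    (("\\log.dll",),
     ("C:\\Program Files\\Bitdefender Antivirus Free\\",
      "C:\\Program Files (x86)\\Bitdefender Antivirus Free",
      "C:\\Program Files\\Canon\\MyPrinter")),
    (("\\qrt.dll",),
     ("C:\\Program Files\\F-Secure\\Anti-Virus\\",
      "C:\\Program Files (x86)\\F-Secure\\Anti-Virus")),
    (("\\ashldres.dll", "\\lockdown.dll", "\\vsodscpl.dll"),
     ("C:\\Program Files\\McAfee\\",
      "C:\\Program Files (x86)\\McAfee")),
    (("\\vftrace.dll",),
     ("C:\\Program Files\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\",
      "C:\\Program Files (x86)\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32")),
    (("\\wsc.dll",),
     ("C:\\Program Files\\AVAST Software\\Avast\\",
      "C:\\Program Files (x86)\\AVAST Software\\Avast")),
    (("\\tmdbglog.dll",),
     ("C:\\Program Files\\Trend Micro\\Titanium\\",
      "C:\\Program Files (x86)\\Trend Micro\\Titanium")),
    (("\\DLPPREM32.dll",),
     ("C:\\Program Files\\ESET",
      "C:\\Program Files (x86)\\ESET")),
]

# The Dell exclusion is a (process, DLL) pair: only TelemetryUtility.exe
# loading one of these two log.dll copies is treated as benign.
DELL_TELEMETRY_EXE = "C:\\Program Files\\Dell\\SARemediation\\audit\\TelemetryUtility.exe"
DELL_LOG_DLLS = ("C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll",
                 "C:\\Program Files\\Dell\\SARemediation\\audit\\log.dll")

# Fields named in the rule's trailing "select".
SELECTED_FIELDS = ("HOSTNAME", "MESSAGE", "PROCESSNAME", "PRODUCT_NAME", "OBJECTNAME")


def matches_rule(event: dict) -> bool:
    """True when an image-load event satisfies the rule's criteria.

    The action check is applied to every DLL branch here (the evident
    intent); in the query as printed it is joined by AND to the log.dll
    branch only.
    """
    if event.get("actionname") != "sa_imageloaded":
        return False
    image = event.get("OBJECTNAME", "").lower()
    process = event.get("PROCESSNAME", "").lower()
    for suffixes, trusted_dirs in SIDELOAD_TARGETS:
        if not any(image.endswith(s.lower()) for s in suffixes):
            continue
        # Loaded from the product's own install directory: not a sideload.
        if any(image.startswith(d.lower()) for d in trusted_dirs):
            return False
        # Dell pair exclusion (log.dll only): both sides must match.
        if (image.endswith("\\log.dll")
                and process == DELL_TELEMETRY_EXE.lower()
                and image in {d.lower() for d in DELL_LOG_DLLS}):
            return False
        return True
    return False


def run_rule(events):
    """Equivalent of the trailing 'select': the projected fields of each hit."""
    return [{f: ev.get(f) for f in SELECTED_FIELDS}
            for ev in events if matches_rule(ev)]


# Constructed sample events (not real telemetry; action names other than
# sa_imageloaded are made up for the example).
SAMPLE_EVENTS = [
    {"actionname": "sa_imageloaded", "HOSTNAME": "WS01", "PRODUCT_NAME": "EDR",
     "MESSAGE": "image loaded", "PROCESSNAME": "C:\\Users\\Public\\Updater\\setup.exe",
     "OBJECTNAME": "C:\\Users\\Public\\Updater\\log.dll"},           # hit: log.dll outside Bitdefender
    {"actionname": "sa_imageloaded", "HOSTNAME": "WS01", "PRODUCT_NAME": "EDR",
     "MESSAGE": "image loaded", "PROCESSNAME": DELL_TELEMETRY_EXE,
     "OBJECTNAME": DELL_LOG_DLLS[0]},                                # excluded: Dell pair
    {"actionname": "sa_imageloaded", "HOSTNAME": "WS02", "PRODUCT_NAME": "EDR",
     "MESSAGE": "image loaded", "PROCESSNAME": "C:\\Users\\Public\\evil.exe",
     "OBJECTNAME": DELL_LOG_DLLS[0]},                                # hit: Dell DLL, wrong process
    {"actionname": "sa_imageloaded", "HOSTNAME": "WS02", "PRODUCT_NAME": "EDR",
     "MESSAGE": "image loaded",
     "PROCESSNAME": "c:\\program files (x86)\\avast software\\avast\\ui.exe",
     "OBJECTNAME": "c:\\program files (x86)\\avast software\\avast\\wsc.dll"},  # excluded (case-insensitive)
    {"actionname": "sa_imageloaded", "HOSTNAME": "WS03", "PRODUCT_NAME": "EDR",
     "MESSAGE": "image loaded", "PROCESSNAME": "C:\\Temp\\updater.exe",
     "OBJECTNAME": "C:\\Temp\\vsodscpl.dll"},                        # hit: McAfee DLL from C:\Temp
    {"actionname": "sa_processcreated", "HOSTNAME": "WS03", "PRODUCT_NAME": "EDR",
     "MESSAGE": "process created", "PROCESSNAME": "C:\\Temp\\updater.exe",
     "OBJECTNAME": "C:\\Temp\\vsodscpl.dll"},                        # ignored: not an image load
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["HOSTNAME"], hit["PROCESSNAME"], "->", hit["OBJECTNAME"])
```

Two points worth checking before deploying the query as printed. First, `actionname = "sa_imageloaded" AND (...)` is followed by the remaining branches with `OR` at the same level; if the engine applies the usual precedence (AND before OR), only the log.dll branch is restricted to image-load events, so wrapping all seven branches in one outer parenthesis removes the ambiguity. Second, several exclusion prefixes have no trailing backslash (for example `C:\Program Files\ESET` and `C:\Program Files (x86)\McAfee`), so a DLL loaded from a sibling directory whose name merely begins with that prefix is also excluded; the test below shows that case.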
Detection
Execution Mode
realtime
Log Sources
Windows
Author
Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)


