LoFP / false positives are expected if vlc is installed in non-default locations

Techniques

• t1574
• t1574.001
• t1574.002

Sample rules

Potential Libvlc.DLL Sideloading

• source: sigma
• technicques:
  • t1574
  • t1574.001
  • t1574.002

Description

Detects potential DLL sideloading of “libvlc.dll”, a DLL that is legitimately used by “VLC.exe”

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_vlc:
  ImageLoaded|startswith:
  - C:\Program Files (x86)\VideoLAN\VLC\
  - C:\Program Files\VideoLAN\VLC\
selection:
  ImageLoaded|endswith: \libvlc.dll