LoFP / fp could occur if the legitimate version of vmguestlib already exists on the system

Techniques

Sample rules

VMGuestLib DLL Sideload

source: sigma
technicques:
- t1574
- t1574.001
- t1574.002

Description

Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.

Detection logic

condition: selection and not filter
filter:
  Signed: 'true'
selection:
  ImageLoaded|contains|all:
  - \VMware\VMware Tools\vmStatsProvider\win32
  - \vmGuestLib.dll
  Image|endswith: \Windows\System32\wbem\WmiApSrv.exe