LoFP / If installed on a per-user level, the path would be located in "appdata\local". Add additional filters to reflect this mode of installation

Techniques

Sample rules

Potential RoboForm.DLL Sideloading

Description

Detects potential DLL sideloading of “roboform.dll”, a DLL used by RoboForm Password Manager.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_path:
  Image|endswith:
  - \robotaskbaricon.exe
  - \robotaskbaricon-x64.exe
  Image|startswith:
  - 'C:\Program Files (x86)\Siber Systems\AI RoboForm\'
  - 'C:\Program Files\Siber Systems\AI RoboForm\'
selection:
  ImageLoaded|endswith:
  - \roboform.dll
  - \roboform-x64.dll