legitimate applications loading their own versions of the dll mentioned in this rule.

Sample rules

Potential DLL Sideloading Of MpSvc.DLL

source: sigma
technicques:
- t1574
- t1574.002

Description

Detects potential DLL sideloading of “MpSvc.dll”.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_generic:
  ImageLoaded|startswith:
  - C:\Program Files\Windows Defender\
  - C:\ProgramData\Microsoft\Windows Defender\Platform\
  - C:\Windows\WinSxS\
selection:
  ImageLoaded|endswith: \MpSvc.dll

Potential DLL Sideloading Of MsCorSvc.DLL

source: sigma
technicques:
- t1574
- t1574.002

Description

Detects potential DLL sideloading of “mscorsvc.dll”.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_generic:
  ImageLoaded|startswith:
  - C:\Windows\Microsoft.NET\Framework\
  - C:\Windows\Microsoft.NET\Framework64\
  - C:\Windows\WinSxS\
selection:
  ImageLoaded|endswith: \mscorsvc.dll

Potential DLL Sideloading Of DbgModel.DLL

source: sigma
technicques:
- t1574
- t1574.002

Description

Detects potential DLL sideloading of “DbgModel.dll”

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  ImageLoaded|startswith:
  - C:\Windows\System32\
  - C:\Windows\SysWOW64\
  - C:\Windows\WinSxS\
filter_optional_windbg:
  ImageLoaded|startswith: C:\Program Files\WindowsApps\Microsoft.WinDbg_
filter_optional_windows_kits:
  ImageLoaded|startswith:
  - C:\Program Files (x86)\Windows Kits\
  - C:\Program Files\Windows Kits\
selection:
  ImageLoaded|endswith: \dbgmodel.dll

Potential DLL Sideloading Of DBGHELP.DLL

source: sigma
technicques:
- t1574
- t1574.001
- t1574.002

Description

Detects potential DLL sideloading of “dbghelp.dll”

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  ImageLoaded|startswith:
  - C:\Program Files (x86)\
  - C:\Program Files\
  - C:\Windows\SoftwareDistribution\
  - C:\Windows\System32\
  - C:\Windows\SystemTemp\
  - C:\Windows\SysWOW64\
  - C:\Windows\WinSxS\
filter_optional_anaconda:
  ImageLoaded|endswith:
  - \Anaconda3\Lib\site-packages\vtrace\platforms\windll\amd64\dbghelp.dll
  - \Anaconda3\Lib\site-packages\vtrace\platforms\windll\i386\dbghelp.dll
filter_optional_epicgames:
  ImageLoaded|endswith:
  - \Epic Games\Launcher\Engine\Binaries\ThirdParty\DbgHelp\dbghelp.dll
  - \Epic Games\MagicLegends\x86\dbghelp.dll
selection:
  ImageLoaded|endswith: \dbghelp.dll

Potential DLL Sideloading Of DBGCORE.DLL

source: sigma
technicques:
- t1574
- t1574.001
- t1574.002

Description

Detects DLL sideloading of “dbgcore.dll”

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  ImageLoaded|startswith:
  - C:\Program Files (x86)\
  - C:\Program Files\
  - C:\Windows\SoftwareDistribution\
  - C:\Windows\System32\
  - C:\Windows\SystemTemp\
  - C:\Windows\SysWOW64\
  - C:\Windows\WinSxS\
filter_optional_steam:
  ImageLoaded|endswith: \Steam\bin\cef\cef.win7x64\dbgcore.dll
selection:
  ImageLoaded|endswith: \dbgcore.dll