Techniques
Sample rules
Potential DLL Sideloading Of DBGHELP.DLL
- source: sigma
- techniques:
  - t1574
  - t1574.001
  - t1574.002
Description
Detects DLL sideloading of “dbghelp.dll”
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  ImageLoaded|startswith:
    - C:\Program Files (x86)\
    - C:\Program Files\
    - C:\Windows\SoftwareDistribution\
    - C:\Windows\System32\
    - C:\Windows\SystemTemp\
    - C:\Windows\SysWOW64\
    - C:\Windows\WinSxS\
filter_optional_anaconda:
  ImageLoaded|endswith:
    - \Anaconda3\Lib\site-packages\vtrace\platforms\windll\amd64\dbghelp.dll
    - \Anaconda3\Lib\site-packages\vtrace\platforms\windll\i386\dbghelp.dll
filter_optional_epicgames:
  ImageLoaded|endswith:
    - \Epic Games\Launcher\Engine\Binaries\ThirdParty\DbgHelp\dbghelp.dll
    - \Epic Games\MagicLegends\x86\dbghelp.dll
selection:
  ImageLoaded|endswith: \dbghelp.dll
Potential DLL Sideloading Of DBGCORE.DLL
- source: sigma
- techniques:
  - t1574
  - t1574.001
  - t1574.002
Description
Detects DLL sideloading of “dbgcore.dll”
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  ImageLoaded|startswith:
    - C:\Program Files (x86)\
    - C:\Program Files\
    - C:\Windows\SoftwareDistribution\
    - C:\Windows\System32\
    - C:\Windows\SystemTemp\
    - C:\Windows\SysWOW64\
    - C:\Windows\WinSxS\
filter_optional_steam:
  ImageLoaded|endswith: \Steam\bin\cef\cef.win7x64\dbgcore.dll
selection:
  ImageLoaded|endswith: \dbgcore.dll
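The two rules share one condition shape: fire on any ImageLoaded ending in the target DLL name, then suppress loads from the trusted prefixes (filter_main_*) and the known third-party exceptions (filter_optional_*). The following added example (not Sigma's or this page's own code) evaluates both rules exactly as written against constructed Sysmon Event ID 7 ImageLoaded values; the sample paths are invented for illustration.

```python
TRUSTED = ["C:\\Program Files (x86)\\", "C:\\Program Files\\", "C:\\Windows\\SoftwareDistribution\\",
           "C:\\Windows\\System32\\", "C:\\Windows\\SystemTemp\\", "C:\\Windows\\SysWOW64\\",
           "C:\\Windows\\WinSxS\\"]

RULES = {
    "Potential DLL Sideloading Of DBGHELP.DLL": {
        "selection": {"endswith": ["\\dbghelp.dll"]},
        "filter_main_generic": {"startswith": TRUSTED},
        "filter_optional_anaconda": {"endswith": [
            "\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\amd64\\dbghelp.dll",
            "\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\i386\\dbghelp.dll"]},
        "filter_optional_epicgames": {"endswith": [
            "\\Epic Games\\Launcher\\Engine\\Binaries\\ThirdParty\\DbgHelp\\dbghelp.dll",
            "\\Epic Games\\MagicLegends\\x86\\dbghelp.dll"]},
    },
    "Potential DLL Sideloading Of DBGCORE.DLL": {
        "selection": {"endswith": ["\\dbgcore.dll"]},
        "filter_main_generic": {"startswith": TRUSTED},
        "filter_optional_steam": {"endswith": ["\\Steam\\bin\\cef\\cef.win7x64\\dbgcore.dll"]},
    },
}

def block_matches(block, image_loaded):
    # A Sigma selection/filter map matches when every modifier matches; the values
    # listed under one modifier are OR-ed. Sigma matching is case-insensitive.
    path = image_loaded.lower()
    for modifier, values in block.items():
        test = path.startswith if modifier == "startswith" else path.endswith
        if not any(test(v.lower()) for v in values):
            return False
    return True

def evaluate(rule, image_loaded):
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    if not block_matches(rule["selection"], image_loaded):
        return False
    filters = [b for name, b in rule.items() if name.startswith("filter_")]
    return not any(block_matches(f, image_loaded) for f in filters)

def alerts(image_loaded_values):
    # (rule title, path) for every ImageLoaded value that fires one of the rules
    return [(title, p) for p in image_loaded_values
            for title, rule in RULES.items() if evaluate(rule, p)]

# Constructed ImageLoaded values (not real telemetry), one per outcome of interest.
SAMPLE = ["C:\\Windows\\System32\\dbghelp.dll",             # trusted prefix: suppressed
          "C:\\Users\\Public\\Updater\\dbghelp.dll",         # untrusted location: fires
          "D:\\Epic Games\\MagicLegends\\x86\\dbghelp.dll",  # optional filter: suppressed
          "C:\\Temp\\svc\\DBGCORE.DLL"]                      # case-insensitive match: fires
```

Note that filter_main_generic is a prefix match, so a writable directory under one of the trusted prefixes would be suppressed too; that is a tuning trade-off the rule accepts rather than a bug in the evaluation.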