LoFP LoFP / legitimate applications loading their own versions of the dlls mentioned in this rule

Techniques

Sample rules

Potential System DLL Sideloading From Non System Locations

Description

Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_defender:
  ImageLoaded|endswith: \version.dll
  ImageLoaded|startswith: C:\ProgramData\Microsoft\Windows Defender\Platform\
filter_main_directx:
  ImageLoaded|endswith: \d3dx9_43.dll
  ImageLoaded|startswith: C:\Program Files\WindowsApps\Microsoft.DirectXRuntime_
filter_main_dot_net:
  ImageLoaded|endswith: \cscui.dll
  ImageLoaded|startswith: C:\Windows\Microsoft.NET\
filter_main_generic:
  ImageLoaded|contains:
  - C:\$WINDOWS.~BT\
  - C:\$WinREAgent\
  - C:\Windows\SoftwareDistribution\
  - C:\Windows\System32\
  - C:\Windows\SystemTemp\
  - C:\Windows\SysWOW64\
  - C:\Windows\WinSxS\
filter_optional_arsenal_image_mounter:
  ImageLoaded|endswith:
  - \mi.dll
  - \miutils.dl
  ImageLoaded|startswith: C:\Program Files\Arsenal-Image-Mounter-
filter_optional_azure:
  ImageLoaded|startswith: C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\
filter_optional_checkpoint:
  ImageLoaded|endswith: \PolicyManager.dll
  ImageLoaded|startswith:
  - C:\Program Files\CheckPoint\
  - C:\Program Files (x86)\CheckPoint\
  Image|endswith: \SmartConsole.exe
  Image|startswith:
  - C:\Program Files\CheckPoint\
  - C:\Program Files (x86)\CheckPoint\
filter_optional_dell:
  ImageLoaded|startswith: C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs
  Image|contains:
  - C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs
  - C:\Windows\System32\backgroundTaskHost.exe
filter_optional_dell_wldp:
  Image|endswith: \wldp.dll
  Image|startswith: C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs
filter_optional_exchange:
  ImageLoaded|endswith: \mswb7.dll
  ImageLoaded|startswith: C:\Program Files\Microsoft\Exchange Server\
filter_optional_office_appvpolicy:
  Image: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
  ImageLoaded: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll
selection:
  ImageLoaded|endswith:
  - \aclui.dll
  - \activeds.dll
  - \adsldpc.dll
  - \aepic.dll
  - \apphelp.dll
  - \applicationframe.dll
  - \appvpolicy.dll
  - \appxalluserstore.dll
  - \appxdeploymentclient.dll
  - \archiveint.dll
  - \atl.dll
  - \audioses.dll
  - \auditpolcore.dll
  - \authfwcfg.dll
  - \authz.dll
  - \avrt.dll
  - \batmeter.dll
  - \bcd.dll
  - \bcp47langs.dll
  - \bcp47mrm.dll
  - \bcrypt.dll
  - \bderepair.dll
  - \bootmenuux.dll
  - \bootux.dll
  - \cabinet.dll
  - \cabview.dll
  - \certcli.dll
  - \certenroll.dll
  - \cfgmgr32.dll
  - \cldapi.dll
  - \clipc.dll
  - \clusapi.dll
  - \cmpbk32.dll
  - \cmutil.dll
  - \coloradapterclient.dll
  - \colorui.dll
  - \comdlg32.dll
  - \configmanager2.dll
  - \connect.dll
  - \coredplus.dll
  - \coremessaging.dll
  - \coreuicomponents.dll
  - \credui.dll
  - \cryptbase.dll
  - \cryptdll.dll
  - \cryptsp.dll
  - \cryptui.dll
  - \cryptxml.dll
  - \cscapi.dll
  - \cscobj.dll
  - \cscui.dll
  - \d2d1.dll
  - \d3d10_1.dll
  - \d3d10_1core.dll
  - \d3d10.dll
  - \d3d10core.dll
  - \d3d10warp.dll
  - \d3d11.dll
  - \d3d12.dll
  - \d3d9.dll
  - \d3dx9_43.dll
  - \dataexchange.dll
  - \davclnt.dll
  - \dcntel.dll
  - \dcomp.dll
  - \defragproxy.dll
  - \desktopshellext.dll
  - \deviceassociation.dll
  - \devicecredential.dll
  - \devicepairing.dll
  - \devobj.dll
  - \devrtl.dll
  - \dhcpcmonitor.dll
  - \dhcpcsvc.dll
  - \dhcpcsvc6.dll
  - \directmanipulation.dll
  - \dismapi.dll
  - \dismcore.dll
  - \dmcfgutils.dll
  - \dmcmnutils.dll
  - \dmcommandlineutils.dll
  - \dmenrollengine.dll
  - \dmenterprisediagnostics.dll
  - \dmiso8601utils.dll
  - \dmoleaututils.dll
  - \dmprocessxmlfiltered.dll
  - \dmpushproxy.dll
  - \dmxmlhelputils.dll
  - \dnsapi.dll
  - \dot3api.dll
  - \dot3cfg.dll
  - \dpx.dll
  - \drprov.dll
  - \drvstore.dll
  - \dsclient.dll
  - \dsparse.dll
  - \dsprop.dll
  - \dsreg.dll
  - \dsrole.dll
  - \dui70.dll
  - \duser.dll
  - \dusmapi.dll
  - \dwmapi.dll
  - \dwmcore.dll
  - \dwrite.dll
  - \dxcore.dll
  - \dxgi.dll
  - \dxva2.dll
  - \dynamoapi.dll
  - \eappcfg.dll
  - \eappprxy.dll
  - \edgeiso.dll
  - \edputil.dll
  - \efsadu.dll
  - \efsutil.dll
  - \esent.dll
  - \execmodelproxy.dll
  - \explorerframe.dll
  - \fastprox.dll
  - \faultrep.dll
  - \fddevquery.dll
  - \feclient.dll
  - \fhcfg.dll
  - \fhsvcctl.dll
  - \firewallapi.dll
  - \flightsettings.dll
  - \fltlib.dll
  - \framedynos.dll
  - \fveapi.dll
  - \fveskybackup.dll
  - \fvewiz.dll
  - \fwbase.dll
  - \fwcfg.dll
  - \fwpolicyiomgr.dll
  - \fwpuclnt.dll
  - \fxsapi.dll
  - \fxsst.dll
  - \fxstiff.dll
  - \getuname.dll
  - \gpapi.dll
  - \hid.dll
  - \hnetmon.dll
  - \httpapi.dll
  - \icmp.dll
  - \idstore.dll
  - \ieadvpack.dll
  - \iedkcs32.dll
  - \iernonce.dll
  - \iertutil.dll
  - \ifmon.dll
  - \ifsutil.dll
  - \inproclogger.dll
  - \iphlpapi.dll
  - \iri.dll
  - \iscsidsc.dll
  - \iscsium.dll
  - \isv.exe_rsaenh.dll
  - \iumbase.dll
  - \iumsdk.dll
  - \joinutil.dll
  - \kdstub.dll
  - \ksuser.dll
  - \ktmw32.dll
  - \licensemanagerapi.dll
  - \licensingdiagspp.dll
  - \linkinfo.dll
  - \loadperf.dll
  - \lockhostingframework.dll
  - \logoncli.dll
  - \logoncontroller.dll
  - \lpksetupproxyserv.dll
  - \lrwizdll.dll
  - \magnification.dll
  - \maintenanceui.dll
  - \mapistub.dll
  - \mbaexmlparser.dll
  - \mdmdiagnostics.dll
  - \mfc42u.dll
  - \mfcore.dll
  - \mfplat.dll
  - \mi.dll
  - \midimap.dll
  - \mintdh.dll
  - \miutils.dll
  - \mlang.dll
  - \mmdevapi.dll
  - \mobilenetworking.dll
  - \mpr.dll
  - \mprapi.dll
  - \mrmcorer.dll
  - \msacm32.dll
  - \mscms.dll
  - \mscoree.dll
  - \msctf.dll
  - \msctfmonitor.dll
  - \msdrm.dll
  - \msdtctm.dll
  - \msftedit.dll
  - \msi.dll
  - \msiso.dll
  - \msutb.dll
  - \msvcp110_win.dll
  - \mswb7.dll
  - \mswsock.dll
  - \msxml3.dll
  - \mtxclu.dll
  - \napinsp.dll
  - \ncrypt.dll
  - \ndfapi.dll
  - \netapi32.dll
  - \netid.dll
  - \netiohlp.dll
  - \netjoin.dll
  - \netplwiz.dll
  - \netprofm.dll
  - \netprovfw.dll
  - \netsetupapi.dll
  - \netshell.dll
  - \nettrace.dll
  - \netutils.dll
  - \networkexplorer.dll
  - \newdev.dll
  - \ninput.dll
  - \nlaapi.dll
  - \nlansp_c.dll
  - \npmproxy.dll
  - \nshhttp.dll
  - \nshipsec.dll
  - \nshwfp.dll
  - \ntdsapi.dll
  - \ntlanman.dll
  - \ntlmshared.dll
  - \ntmarta.dll
  - \ntshrui.dll
  - \oleacc.dll
  - \omadmapi.dll
  - \onex.dll
  - \opcservices.dll
  - \osbaseln.dll
  - \osksupport.dll
  - \osuninst.dll
  - \p2p.dll
  - \p2pnetsh.dll
  - \p9np.dll
  - \pcaui.dll
  - \pdh.dll
  - \peerdistsh.dll
  - \pkeyhelper.dll
  - \pla.dll
  - \playsndsrv.dll
  - \pnrpnsp.dll
  - \policymanager.dll
  - \polstore.dll
  - \powrprof.dll
  - \printui.dll
  - \prntvpt.dll
  - \profapi.dll
  - \propsys.dll
  - \proximitycommon.dll
  - \proximityservicepal.dll
  - \prvdmofcomp.dll
  - \puiapi.dll
  - \radcui.dll
  - \rasapi32.dll
  - \rasdlg.dll
  - \rasgcw.dll
  - \rasman.dll
  - \rasmontr.dll
  - \reagent.dll
  - \regapi.dll
  - \reseteng.dll
  - \resetengine.dll
  - \resutils.dll
  - \rmclient.dll
  - \rpcnsh.dll
  - \rsaenh.dll
  - \rtutils.dll
  - \rtworkq.dll
  - \samcli.dll
  - \samlib.dll
  - \sapi_onecore.dll
  - \sas.dll
  - \scansetting.dll
  - \scecli.dll
  - \schedcli.dll
  - \secur32.dll
  - \security.dll
  - \sensapi.dll
  - \shell32.dll
  - \shfolder.dll
  - \slc.dll
  - \snmpapi.dll
  - \spectrumsyncclient.dll
  - \spp.dll
  - \sppc.dll
  - \sppcext.dll
  - \srclient.dll
  - \srcore.dll
  - \srmtrace.dll
  - \srpapi.dll
  - \srvcli.dll
  - \ssp_isv.exe_rsaenh.dll
  - \ssp.exe_rsaenh.dll
  - \sspicli.dll
  - \ssshim.dll
  - \staterepository.core.dll
  - \structuredquery.dll
  - \sxshared.dll
  - \systemsettingsthresholdadminflowui.dll
  - \tapi32.dll
  - \tbs.dll
  - \tdh.dll
  - \textshaping.dll
  - \timesync.dll
  - \tpmcoreprovisioning.dll
  - \tquery.dll
  - \tsworkspace.dll
  - \ttdrecord.dll
  - \twext.dll
  - \twinapi.dll
  - \twinui.appcore.dll
  - \uianimation.dll
  - \uiautomationcore.dll
  - \uireng.dll
  - \uiribbon.dll
  - \umpdc.dll
  - \unattend.dll
  - \updatepolicy.dll
  - \upshared.dll
  - \urlmon.dll
  - \userenv.dll
  - \utildll.dll
  - \uxinit.dll
  - \uxtheme.dll
  - \vaultcli.dll
  - \vdsutil.dll
  - \version.dll
  - \virtdisk.dll
  - \vssapi.dll
  - \vsstrace.dll
  - \wbemprox.dll
  - \wbemsvc.dll
  - \wcmapi.dll
  - \wcnnetsh.dll
  - \wdi.dll
  - \wdscore.dll
  - \webservices.dll
  - \wecapi.dll
  - \wer.dll
  - \wevtapi.dll
  - \whhelper.dll
  - \wimgapi.dll
  - \winbio.dll
  - \winbrand.dll
  - \windows.storage.dll
  - \windows.storage.search.dll
  - \windows.ui.immersive.dll
  - \windowscodecs.dll
  - \windowscodecsext.dll
  - \windowsudk.shellcommon.dll
  - \winhttp.dll
  - \wininet.dll
  - \winipsec.dll
  - \winmde.dll
  - \winmm.dll
  - \winnsi.dll
  - \winrnr.dll
  - \winscard.dll
  - \winsqlite3.dll
  - \winsta.dll
  - \winsync.dll
  - \wkscli.dll
  - \wlanapi.dll
  - \wlancfg.dll
  - \wldp.dll
  - \wlidprov.dll
  - \wmiclnt.dll
  - \wmidcom.dll
  - \wmiutils.dll
  - \wmpdui.dll
  - \wmsgapi.dll
  - \wofutil.dll
  - \wpdshext.dll
  - \wscapi.dll
  - \wsdapi.dll
  - \wshbth.dll
  - \wshelper.dll
  - \wsmsvc.dll
  - \wtsapi32.dll
  - \wwancfg.dll
  - \wwapi.dll
  - \xmllite.dll
  - \xolehlp.dll
  - \xpsservices.dll
  - \xwizards.dll
  - \xwtpw32.dll
  - \amsi.dll
  - \appraiser.dll
  - \COMRES.DLL
  - \cryptnet.dll
  - \DispBroker.dll
  - \dsound.dll
  - \dxilconv.dll
  - \FxsCompose.dll
  - \FXSRESM.DLL
  - \msdtcVSp1res.dll
  - \PrintIsolationProxy.dll
  - \rdpendp.dll
  - \rpchttp.dll
  - \storageusage.dll
  - \utcutil.dll
  - \WfsR.dll
  - \igd10iumd64.dll
  - \igd12umd64.dll
  - \igdumdim64.dll
  - \igdusc64.dll
  - \TSMSISrv.dll
  - \TSVIPSrv.dll
  - \wbemcomn.dll
  - \WLBSCTRL.dll
  - \wow64log.dll
  - \WptsExtensions.dll