LoFP / Legitimate Bitdefender installations loading log.dll from Program Files are excluded. Allowlist known paths as needed.

Techniques

Sample rules

Windows BitDefender Submission Wizard DLL Sideloading

Description

Detects DLL side-loading of the Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or a renamed copy such as BluetoothService.exe) when a malicious log.dll is loaded from a non-standard path, using Sysmon ImageLoad events (EventCode 7).

Detection logic

`sysmon`
EventCode=7
(
    Image IN (
        "*\\BDSubmit.exe",
        "*\\bdsw.exe",
        "*\\BluetoothService.exe"
    )
    OR
    OriginalFileName IN (
        "BDSubmit.exe",
        "bdsw.exe"
    )
)
ImageLoaded="*\\log.dll"
NOT ImageLoaded IN (
    "*:\\Program Files (x86)\\*",
    "*:\\Program Files\\*",
    "*:\\Windows\\System32\\*",
    "*:\\Windows\\SysWOW64\\*"
)
| stats count min(_time) as firstTime max(_time) as lastTime
  by dest Image ImageLoaded Signed SignatureStatus User OriginalFileName loaded_file
     loaded_file_path process_exec process_guid process_hash process_id process_name
     process_path service_dll_signature_exists service_dll_signature_verified signature
     signature_id user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_bitdefender_submission_wizard_dll_sideloading_filter`
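To see how the search clause and the allowlist exclusion above behave on concrete events, the following Python is an added example, not part of this LoFP page or of the Splunk rule. It re-implements the rule's wildcard matching and the `stats count min(_time) max(_time) by ...` aggregation (reduced to the dest, Image and ImageLoaded keys) over constructed Sysmon EventCode 7 records; the hostnames, paths and timestamps are made up for illustration. The `extra_allowlist` parameter is an assumption added here to show the "allowlist known paths as needed" step from the false-positive note.

```python
import fnmatch
from typing import Dict, Iterable, List

# Patterns taken from the rule above. Splunk wildcard matching on these fields is
# case-insensitive, so everything is compared in lower case.
TARGET_IMAGES = ["*\\BDSubmit.exe", "*\\bdsw.exe", "*\\BluetoothService.exe"]
TARGET_ORIGINAL_NAMES = {"bdsubmit.exe", "bdsw.exe"}
SIDELOADED_DLL = "*\\log.dll"
DEFAULT_ALLOWLIST = [
    "*:\\Program Files (x86)\\*",
    "*:\\Program Files\\*",
    "*:\\Windows\\System32\\*",
    "*:\\Windows\\SysWOW64\\*",
]

# Constructed Sysmon EventCode=7 records (not real telemetry), reduced to the
# fields the rule keys on. _time is a Unix epoch as Splunk would store it.
SAMPLE_EVENTS: List[Dict] = [
    {   # legitimate install loading its own log.dll from Program Files: excluded
        "_time": 1700000000, "EventCode": 7, "dest": "ws01",
        "Image": "C:\\Program Files\\Bitdefender\\Submission Wizard\\BDSubmit.exe",
        "OriginalFileName": "BDSubmit.exe",
        "ImageLoaded": "C:\\Program Files\\Bitdefender\\Submission Wizard\\log.dll",
    },
    {   # renamed copy in a user-writable path loading a log.dll beside it: hit
        "_time": 1700000100, "EventCode": 7, "dest": "ws02",
        "Image": "C:\\Users\\Public\\BluetoothService.exe",
        "OriginalFileName": "BDSubmit.exe",
        "ImageLoaded": "C:\\Users\\Public\\log.dll",
    },
    {   # same host and binary, a second load later: aggregates into the same row
        "_time": 1700000200, "EventCode": 7, "dest": "ws02",
        "Image": "C:\\Users\\Public\\BluetoothService.exe",
        "OriginalFileName": "BDSubmit.exe",
        "ImageLoaded": "C:\\Users\\Public\\log.dll",
    },
    {   # same binary loading a different DLL: not the side-loaded name, no hit
        "_time": 1700000300, "EventCode": 7, "dest": "ws02",
        "Image": "C:\\Users\\Public\\BluetoothService.exe",
        "OriginalFileName": "BDSubmit.exe",
        "ImageLoaded": "C:\\Users\\Public\\bdcore.dll",
    },
    {   # unrelated process loading a log.dll from a temp path: wrong parent, no hit
        "_time": 1700000400, "EventCode": 7, "dest": "ws03",
        "Image": "C:\\Temp\\updater.exe",
        "OriginalFileName": "updater.exe",
        "ImageLoaded": "C:\\Temp\\log.dll",
    },
    {   # process-creation event, not an image load: dropped by the EventCode check
        "_time": 1700000500, "EventCode": 1, "dest": "ws02",
        "Image": "C:\\Users\\Public\\BluetoothService.exe",
        "OriginalFileName": "BDSubmit.exe",
        "ImageLoaded": "",
    },
]


def _matches_any(value: str, patterns: Iterable[str]) -> bool:
    """Case-insensitive Splunk-style wildcard match: '*' matches anything, '\\' is literal."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def is_sideload_event(event: Dict, extra_allowlist: Iterable[str] = ()) -> bool:
    """Apply the rule's search clause to a single event."""
    if event.get("EventCode") != 7:
        return False
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "").lower()
    if not (_matches_any(image, TARGET_IMAGES) or original in TARGET_ORIGINAL_NAMES):
        return False
    loaded = event.get("ImageLoaded", "")
    if not _matches_any(loaded, [SIDELOADED_DLL]):
        return False
    # NOT ImageLoaded IN (...): trusted install locations plus site-specific paths
    return not _matches_any(loaded, list(DEFAULT_ALLOWLIST) + list(extra_allowlist))


def detect(events: Iterable[Dict], extra_allowlist: Iterable[str] = ()) -> List[Dict]:
    """Mirror '| stats count min(_time) max(_time) by dest Image ImageLoaded'."""
    rows: Dict[tuple, Dict] = {}
    for ev in events:
        if not is_sideload_event(ev, extra_allowlist):
            continue
        key = (ev["dest"], ev["Image"], ev["ImageLoaded"])
        row = rows.setdefault(key, {"dest": key[0], "Image": key[1], "ImageLoaded": key[2],
                                    "count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return list(rows.values())


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Running `detect(SAMPLE_EVENTS)` yields a single row for ws02 with `count` 2, because the Program Files load is excluded by the built-in allowlist, the bdcore.dll load does not match `*\log.dll`, and the updater.exe load has neither a matching Image nor a matching OriginalFileName. Passing `extra_allowlist=["C:\\Users\\Public\\*"]` suppresses that row as well, which is the behaviour a site-specific `windows_bitdefender_submission_wizard_dll_sideloading_filter` macro would provide in Splunk; in practice that allowlist should be as narrow as the known-good install path, since a broad one hides exactly the user-writable locations the rule is meant to catch.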