Many legitimate applications leverage this DLL (Visual Studio, JetBrains, Ruby, Anaconda, GitHub Desktop, etc.).

Techniques

Sample rules

Potential Wazuh Security Platform DLL Sideloading

Description

Detects potential DLL side loading of DLLs that are part of the Wazuh security platform

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  ImageLoaded|startswith:
  - C:\Program Files\
  - C:\Program Files (x86)\
filter_optional_mingw64:
  ImageLoaded|contains:
  - \AppData\Local\
  - \ProgramData\
  ImageLoaded|endswith: \mingw64\bin\libwinpthread-1.dll
selection:
  ImageLoaded|endswith:
  - \libwazuhshared.dll
  - \libwinpthread-1.dll
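The following is an added example, not code from the LoFP page, the Sigma project or Wazuh. It implements the condition above (selection AND NOT any filter_main_* AND NOT any filter_optional_*) in plain Python, applies it to constructed Sysmon Event ID 7 (ImageLoaded) records with hypothetical paths, and reports which clause decided each record. Sigma string modifiers match case-insensitively, which the comparison below reproduces. Running something like this against sample paths is a cheap way to see how far the single mingw64 exception actually reaches before tuning further filter_optional_* blocks for the applications listed at the top of this entry.

```python
"""
Added example (not from the LoFP page, the Sigma project or Wazuh): evaluates the
Sigma detection logic above against constructed Sysmon Event ID 7 (ImageLoaded)
records and reports which clause decided each record.
"""

# Values copied verbatim from the rule above.
SELECTION_ENDSWITH = ("\\libwazuhshared.dll", "\\libwinpthread-1.dll")
FILTER_MAIN_STARTSWITH = ("C:\\Program Files\\", "C:\\Program Files (x86)\\")
FILTER_MINGW64_CONTAINS = ("\\AppData\\Local\\", "\\ProgramData\\")
FILTER_MINGW64_ENDSWITH = "\\mingw64\\bin\\libwinpthread-1.dll"


def _norm(path: str) -> str:
    # Sigma string modifiers match case-insensitively by default, and Windows paths
    # are case-insensitive anyway, so compare everything in lower case.
    return path.lower()


def selection(image_loaded: str) -> bool:
    """selection: ImageLoaded|endswith one of the two DLL names (list values are OR-ed)."""
    p = _norm(image_loaded)
    return any(p.endswith(s.lower()) for s in SELECTION_ENDSWITH)


def filter_main_generic(image_loaded: str) -> bool:
    """filter_main_generic: DLL loaded from either Program Files tree."""
    p = _norm(image_loaded)
    return any(p.startswith(s.lower()) for s in FILTER_MAIN_STARTSWITH)


def filter_optional_mingw64(image_loaded: str) -> bool:
    """filter_optional_mingw64: both fields of the block must hold (fields in one
    block are AND-ed) while the values of the contains list are OR-ed."""
    p = _norm(image_loaded)
    in_user_dir = any(c.lower() in p for c in FILTER_MINGW64_CONTAINS)
    return in_user_dir and p.endswith(FILTER_MINGW64_ENDSWITH.lower())


def explain(image_loaded: str) -> str:
    """Which clause of
    'condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*'
    decided the record: 'no-selection', 'filtered:<filter name>' or 'alert'."""
    if not selection(image_loaded):
        return "no-selection"
    if filter_main_generic(image_loaded):
        return "filtered:filter_main_generic"
    if filter_optional_mingw64(image_loaded):
        return "filtered:filter_optional_mingw64"
    return "alert"


def matches(image_loaded: str) -> bool:
    """True when the rule would fire for this ImageLoaded value."""
    return explain(image_loaded) == "alert"


def evaluate(events):
    """Apply the rule to Sysmon-style event dicts; return (ImageLoaded, verdict) pairs.
    Only ImageLoaded is consulted, exactly as in the rule; Image is carried for context."""
    return [(e["ImageLoaded"], explain(e["ImageLoaded"])) for e in events]


# Constructed sample records (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe",
     "ImageLoaded": "C:\\Program Files (x86)\\ossec-agent\\libwazuhshared.dll"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Programs\\Git\\mingw64\\bin\\git.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Programs\\Git\\mingw64\\bin\\libwinpthread-1.dll"},
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\tool.exe",
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\libwinpthread-1.dll"},
    {"Image": "C:\\Users\\bob\\Downloads\\agent.exe",
     "ImageLoaded": "C:\\Users\\bob\\Downloads\\libwazuhshared.dll"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
]

if __name__ == "__main__":
    for path, verdict in evaluate(SAMPLE_EVENTS):
        print(f"{verdict:36} {path}")
```

The third record shows how narrow the existing exception is: libwinpthread-1.dll under AppData\Local still alerts unless it sits in a \mingw64\bin\ directory, because the contains and endswith fields of filter_optional_mingw64 must both hold. Any additional per-application exception for the false positives named at the top of this entry would need its own filter_optional_* block with an equally specific path constraint, so that a DLL of the same name in an arbitrary user-writable directory keeps alerting.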