← Back to Explore
sigmahighHunting
Potential System DLL Sideloading From Non System Locations
Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
Detection Query
selection:
ImageLoaded|endswith:
- \aclui.dll
- \activeds.dll
- \adsldpc.dll
- \aepic.dll
- \apphelp.dll
- \applicationframe.dll
- \appvpolicy.dll
- \appxalluserstore.dll
- \appxdeploymentclient.dll
- \archiveint.dll
- \atl.dll
- \audioses.dll
- \auditpolcore.dll
- \authfwcfg.dll
- \authz.dll
- \avrt.dll
- \batmeter.dll
- \bcd.dll
- \bcp47langs.dll
- \bcp47mrm.dll
- \bcrypt.dll
- \bderepair.dll
- \bootmenuux.dll
- \bootux.dll
- \cabinet.dll
- \cabview.dll
- \certcli.dll
- \certenroll.dll
- \cfgmgr32.dll
- \cldapi.dll
- \clipc.dll
- \clusapi.dll
- \cmpbk32.dll
- \cmutil.dll
- \coloradapterclient.dll
- \colorui.dll
- \comdlg32.dll
- \configmanager2.dll
- \connect.dll
- \coredplus.dll
- \coremessaging.dll
- \coreuicomponents.dll
- \credui.dll
- \cryptbase.dll
- \cryptdll.dll
- \cryptsp.dll
- \cryptui.dll
- \cryptxml.dll
- \cscapi.dll
- \cscobj.dll
- \cscui.dll
- \d2d1.dll
- \d3d10_1.dll
- \d3d10_1core.dll
- \d3d10.dll
- \d3d10core.dll
- \d3d10warp.dll
- \d3d11.dll
- \d3d12.dll
- \d3d9.dll
- \d3dx9_43.dll
- \dataexchange.dll
- \davclnt.dll
- \dcntel.dll
- \dcomp.dll
- \defragproxy.dll
- \desktopshellext.dll
- \deviceassociation.dll
- \devicecredential.dll
- \devicepairing.dll
- \devobj.dll
- \devrtl.dll
- \dhcpcmonitor.dll
- \dhcpcsvc.dll
- \dhcpcsvc6.dll
- \directmanipulation.dll
- \dismapi.dll
- \dismcore.dll
- \dmcfgutils.dll
- \dmcmnutils.dll
- \dmcommandlineutils.dll
- \dmenrollengine.dll
- \dmenterprisediagnostics.dll
- \dmiso8601utils.dll
- \dmoleaututils.dll
- \dmprocessxmlfiltered.dll
- \dmpushproxy.dll
- \dmxmlhelputils.dll
- \dnsapi.dll
- \dot3api.dll
- \dot3cfg.dll
- \dpx.dll
- \drprov.dll
- \drvstore.dll
- \dsclient.dll
- \dsparse.dll
- \dsprop.dll
- \dsreg.dll
- \dsrole.dll
- \dui70.dll
- \duser.dll
- \dusmapi.dll
- \dwmapi.dll
- \dwmcore.dll
- \dwrite.dll
- \dxcore.dll
- \dxgi.dll
- \dxva2.dll
- \dynamoapi.dll
- \eappcfg.dll
- \eappprxy.dll
- \edgeiso.dll
- \edputil.dll
- \efsadu.dll
- \efsutil.dll
- \esent.dll
- \execmodelproxy.dll
- \explorerframe.dll
- \fastprox.dll
- \faultrep.dll
- \fddevquery.dll
- \feclient.dll
- \fhcfg.dll
- \fhsvcctl.dll
- \firewallapi.dll
- \flightsettings.dll
- \fltlib.dll
- \framedynos.dll
- \fveapi.dll
- \fveskybackup.dll
- \fvewiz.dll
- \fwbase.dll
- \fwcfg.dll
- \fwpolicyiomgr.dll
- \fwpuclnt.dll
- \fxsapi.dll
- \fxsst.dll
- \fxstiff.dll
- \getuname.dll
- \gpapi.dll
- \hid.dll
- \hnetmon.dll
- \httpapi.dll
- \icmp.dll
- \idstore.dll
- \ieadvpack.dll
- \iedkcs32.dll
- \iernonce.dll
- \iertutil.dll
- \ifmon.dll
- \ifsutil.dll
- \inproclogger.dll
- \iphlpapi.dll
- \iri.dll
- \iscsidsc.dll
- \iscsium.dll
- \isv.exe_rsaenh.dll
- \iumbase.dll
- \iumsdk.dll
- \joinutil.dll
- \kdstub.dll
- \ksuser.dll
- \ktmw32.dll
- \licensemanagerapi.dll
- \licensingdiagspp.dll
- \linkinfo.dll
- \loadperf.dll
- \lockhostingframework.dll
- \logoncli.dll
- \logoncontroller.dll
- \lpksetupproxyserv.dll
- \lrwizdll.dll
- \magnification.dll
- \maintenanceui.dll
- \mapistub.dll
- \mbaexmlparser.dll
- \mdmdiagnostics.dll
- \mfc42u.dll
- \mfcore.dll
- \mfplat.dll
- \mi.dll
- \midimap.dll
- \mintdh.dll
- \miutils.dll
- \mlang.dll
- \mmdevapi.dll
- \mobilenetworking.dll
- \mpr.dll
- \mprapi.dll
- \mrmcorer.dll
- \msacm32.dll
- \mscms.dll
- \mscoree.dll
- \msctf.dll
- \msctfmonitor.dll
- \msdrm.dll
- \msdtctm.dll
- \msftedit.dll
- \msi.dll
- \msiso.dll
- \msutb.dll
- \msvcp110_win.dll
- \mswb7.dll
- \mswsock.dll
- \msxml3.dll
- \mtxclu.dll
- \napinsp.dll
- \ncrypt.dll
- \ndfapi.dll
- \netapi32.dll
- \netid.dll
- \netiohlp.dll
- \netjoin.dll
- \netplwiz.dll
- \netprofm.dll
- \netprovfw.dll
- \netsetupapi.dll
- \netshell.dll
- \nettrace.dll
- \netutils.dll
- \networkexplorer.dll
- \newdev.dll
- \ninput.dll
- \nlaapi.dll
- \nlansp_c.dll
- \npmproxy.dll
- \nshhttp.dll
- \nshipsec.dll
- \nshwfp.dll
- \ntdsapi.dll
- \ntlanman.dll
- \ntlmshared.dll
- \ntmarta.dll
- \ntshrui.dll
- \oleacc.dll
- \omadmapi.dll
- \onex.dll
- \opcservices.dll
- \osbaseln.dll
- \osksupport.dll
- \osuninst.dll
- \p2p.dll
- \p2pnetsh.dll
- \p9np.dll
- \pcaui.dll
- \pdh.dll
- \peerdistsh.dll
- \pkeyhelper.dll
- \pla.dll
- \playsndsrv.dll
- \pnrpnsp.dll
- \policymanager.dll
- \polstore.dll
- \powrprof.dll
- \printui.dll
- \prntvpt.dll
- \profapi.dll
- \propsys.dll
- \proximitycommon.dll
- \proximityservicepal.dll
- \prvdmofcomp.dll
- \puiapi.dll
- \radcui.dll
- \rasapi32.dll
- \rasdlg.dll
- \rasgcw.dll
- \rasman.dll
- \rasmontr.dll
- \reagent.dll
- \regapi.dll
- \reseteng.dll
- \resetengine.dll
- \resutils.dll
- \rmclient.dll
- \rpcnsh.dll
- \rsaenh.dll
- \rtutils.dll
- \rtworkq.dll
- \samcli.dll
- \samlib.dll
- \sapi_onecore.dll
- \sas.dll
- \scansetting.dll
- \scecli.dll
- \schedcli.dll
- \secur32.dll
- \security.dll
- \sensapi.dll
- \shell32.dll
- \shfolder.dll
- \slc.dll
- \snmpapi.dll
- \spectrumsyncclient.dll
- \spp.dll
- \sppc.dll
- \sppcext.dll
- \srclient.dll
- \srcore.dll
- \srmtrace.dll
- \srpapi.dll
- \srvcli.dll
- \ssp_isv.exe_rsaenh.dll
- \ssp.exe_rsaenh.dll
- \sspicli.dll
- \ssshim.dll
- \staterepository.core.dll
- \structuredquery.dll
- \sxshared.dll
- \systemsettingsthresholdadminflowui.dll
- \tapi32.dll
- \tbs.dll
- \tdh.dll
- \textshaping.dll
- \timesync.dll
- \tpmcoreprovisioning.dll
- \tquery.dll
- \tsworkspace.dll
- \ttdrecord.dll
- \twext.dll
- \twinapi.dll
- \twinui.appcore.dll
- \uianimation.dll
- \uiautomationcore.dll
- \uireng.dll
- \uiribbon.dll
- \umpdc.dll
- \unattend.dll
- \updatepolicy.dll
- \upshared.dll
- \urlmon.dll
- \userenv.dll
- \utildll.dll
- \uxinit.dll
- \uxtheme.dll
- \vaultcli.dll
- \vdsutil.dll
- \version.dll
- \virtdisk.dll
- \vssapi.dll
- \vsstrace.dll
- \wbemprox.dll
- \wbemsvc.dll
- \wcmapi.dll
- \wcnnetsh.dll
- \wdi.dll
- \wdscore.dll
- \webservices.dll
- \wecapi.dll
- \wer.dll
- \wevtapi.dll
- \whhelper.dll
- \wimgapi.dll
- \winbio.dll
- \winbrand.dll
- \windows.storage.dll
- \windows.storage.search.dll
- \windows.ui.immersive.dll
- \windowscodecs.dll
- \windowscodecsext.dll
- \windowsudk.shellcommon.dll
- \winhttp.dll
- \wininet.dll
- \winipsec.dll
- \winmde.dll
- \winmm.dll
- \winnsi.dll
- \winrnr.dll
- \winscard.dll
- \winsqlite3.dll
- \winsta.dll
- \winsync.dll
- \wkscli.dll
- \wlanapi.dll
- \wlancfg.dll
- \wldp.dll
- \wlidprov.dll
- \wmiclnt.dll
- \wmidcom.dll
- \wmiutils.dll
- \wmpdui.dll
- \wmsgapi.dll
- \wofutil.dll
- \wpdshext.dll
- \wscapi.dll
- \wsdapi.dll
- \wshbth.dll
- \wshelper.dll
- \wsmsvc.dll
- \wtsapi32.dll
- \wwancfg.dll
- \wwapi.dll
- \xmllite.dll
- \xolehlp.dll
- \xpsservices.dll
- \xwizards.dll
- \xwtpw32.dll
- \amsi.dll
- \appraiser.dll
- \COMRES.DLL
- \cryptnet.dll
- \DispBroker.dll
- \dsound.dll
- \dxilconv.dll
- \FxsCompose.dll
- \FXSRESM.DLL
- \msdtcVSp1res.dll
- \PrintIsolationProxy.dll
- \rdpendp.dll
- \rpchttp.dll
- \storageusage.dll
- \utcutil.dll
- \WfsR.dll
- \igd10iumd64.dll
- \igd12umd64.dll
- \igdumdim64.dll
- \igdusc64.dll
- \TSMSISrv.dll
- \TSVIPSrv.dll
- \wbemcomn.dll
- \WLBSCTRL.dll
- \wow64log.dll
- \WptsExtensions.dll
filter_main_generic:
ImageLoaded|contains:
- C:\$WINDOWS.~BT\
- C:\$WinREAgent\
- C:\Windows\SoftwareDistribution\
- C:\Windows\System32\
- C:\Windows\SystemTemp\
- C:\Windows\SysWOW64\
- C:\Windows\WinSxS\
- C:\Windows\SyChpe32\
filter_main_windows_temp:
ImageLoaded|startswith: C:\Windows\Temp\
Image|startswith:
- C:\Windows\WinSxS\arm64
- C:\Windows\UUS\arm64\
Image|endswith:
- \TiWorker.exe
- \wuaucltcore.exe
filter_main_dot_net:
ImageLoaded|startswith: C:\Windows\Microsoft.NET\
ImageLoaded|endswith: \cscui.dll
filter_main_defender:
ImageLoaded|startswith: C:\ProgramData\Microsoft\Windows Defender\Platform\
ImageLoaded|endswith: \version.dll
filter_main_directx:
ImageLoaded|startswith: C:\Program Files\WindowsApps\Microsoft.DirectXRuntime_
ImageLoaded|endswith: \d3dx9_43.dll
filter_optional_exchange:
ImageLoaded|startswith: C:\Program Files\Microsoft\Exchange Server\
ImageLoaded|endswith: \mswb7.dll
filter_optional_arsenal_image_mounter:
ImageLoaded|startswith: C:\Program Files\Arsenal-Image-Mounter-
ImageLoaded|endswith:
- \mi.dll
- \miutils.dl
filter_optional_office_appvpolicy:
Image: C:\Program Files\Common Files\microsoft
shared\ClickToRun\OfficeClickToRun.exe
ImageLoaded: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll
filter_optional_azure:
ImageLoaded|startswith: C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\
filter_optional_dell:
Image|contains:
- C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs
- C:\Windows\System32\backgroundTaskHost.exe
ImageLoaded|startswith: C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs
filter_optional_dell_wldp:
Image|startswith: C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs
Image|endswith: \wldp.dll
filter_optional_checkpoint:
Image|startswith:
- C:\Program Files\CheckPoint\
- C:\Program Files (x86)\CheckPoint\
Image|endswith: \SmartConsole.exe
ImageLoaded|startswith:
- C:\Program Files\CheckPoint\
- C:\Program Files (x86)\CheckPoint\
ImageLoaded|endswith: \PolicyManager.dll
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-08-14
Data Sources
windowsImage Load Events
Platforms
windows
References
- https://hijacklibs.net/
- https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/
- https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
- https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md
- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
Tags
attack.defense-evasionattack.persistenceattack.privilege-escalationattack.t1574.001
Raw Content
title: Potential System DLL Sideloading From Non System Locations
id: 4fc0deee-0057-4998-ab31-d24e46e0aba4
status: test
description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there). Wietze Beukema (project and research)
- https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll
- https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
- https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
modified: 2025-12-03
tags:
- attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\aclui.dll'
- '\activeds.dll'
- '\adsldpc.dll'
- '\aepic.dll'
- '\apphelp.dll'
- '\applicationframe.dll'
- '\appvpolicy.dll'
- '\appxalluserstore.dll'
- '\appxdeploymentclient.dll'
- '\archiveint.dll'
- '\atl.dll'
- '\audioses.dll'
- '\auditpolcore.dll'
- '\authfwcfg.dll'
- '\authz.dll'
- '\avrt.dll'
- '\batmeter.dll'
- '\bcd.dll'
- '\bcp47langs.dll'
- '\bcp47mrm.dll'
- '\bcrypt.dll'
- '\bderepair.dll'
- '\bootmenuux.dll'
- '\bootux.dll'
- '\cabinet.dll'
- '\cabview.dll'
- '\certcli.dll'
- '\certenroll.dll'
- '\cfgmgr32.dll'
- '\cldapi.dll'
- '\clipc.dll'
- '\clusapi.dll'
- '\cmpbk32.dll'
- '\cmutil.dll'
- '\coloradapterclient.dll'
- '\colorui.dll'
- '\comdlg32.dll'
- '\configmanager2.dll'
- '\connect.dll'
- '\coredplus.dll'
- '\coremessaging.dll'
- '\coreuicomponents.dll'
- '\credui.dll'
- '\cryptbase.dll'
- '\cryptdll.dll'
- '\cryptsp.dll'
- '\cryptui.dll'
- '\cryptxml.dll'
- '\cscapi.dll'
- '\cscobj.dll'
- '\cscui.dll'
- '\d2d1.dll'
- '\d3d10_1.dll'
- '\d3d10_1core.dll'
- '\d3d10.dll'
- '\d3d10core.dll'
- '\d3d10warp.dll'
- '\d3d11.dll'
- '\d3d12.dll'
- '\d3d9.dll'
- '\d3dx9_43.dll'
- '\dataexchange.dll'
- '\davclnt.dll'
- '\dcntel.dll'
- '\dcomp.dll'
- '\defragproxy.dll'
- '\desktopshellext.dll'
- '\deviceassociation.dll'
- '\devicecredential.dll'
- '\devicepairing.dll'
- '\devobj.dll'
- '\devrtl.dll'
- '\dhcpcmonitor.dll'
- '\dhcpcsvc.dll'
- '\dhcpcsvc6.dll'
- '\directmanipulation.dll'
- '\dismapi.dll'
- '\dismcore.dll'
- '\dmcfgutils.dll'
- '\dmcmnutils.dll'
- '\dmcommandlineutils.dll'
- '\dmenrollengine.dll'
- '\dmenterprisediagnostics.dll'
- '\dmiso8601utils.dll'
- '\dmoleaututils.dll'
- '\dmprocessxmlfiltered.dll'
- '\dmpushproxy.dll'
- '\dmxmlhelputils.dll'
- '\dnsapi.dll'
- '\dot3api.dll'
- '\dot3cfg.dll'
- '\dpx.dll'
- '\drprov.dll'
- '\drvstore.dll'
- '\dsclient.dll'
- '\dsparse.dll'
- '\dsprop.dll'
- '\dsreg.dll'
- '\dsrole.dll'
- '\dui70.dll'
- '\duser.dll'
- '\dusmapi.dll'
- '\dwmapi.dll'
- '\dwmcore.dll'
- '\dwrite.dll'
- '\dxcore.dll'
- '\dxgi.dll'
- '\dxva2.dll'
- '\dynamoapi.dll'
- '\eappcfg.dll'
- '\eappprxy.dll'
- '\edgeiso.dll'
- '\edputil.dll'
- '\efsadu.dll'
- '\efsutil.dll'
- '\esent.dll'
- '\execmodelproxy.dll'
- '\explorerframe.dll'
- '\fastprox.dll'
- '\faultrep.dll'
- '\fddevquery.dll'
- '\feclient.dll'
- '\fhcfg.dll'
- '\fhsvcctl.dll'
- '\firewallapi.dll'
- '\flightsettings.dll'
- '\fltlib.dll'
- '\framedynos.dll'
- '\fveapi.dll'
- '\fveskybackup.dll'
- '\fvewiz.dll'
- '\fwbase.dll'
- '\fwcfg.dll'
- '\fwpolicyiomgr.dll'
- '\fwpuclnt.dll'
- '\fxsapi.dll'
- '\fxsst.dll'
- '\fxstiff.dll'
- '\getuname.dll'
- '\gpapi.dll'
- '\hid.dll'
- '\hnetmon.dll'
- '\httpapi.dll'
- '\icmp.dll'
- '\idstore.dll'
- '\ieadvpack.dll'
- '\iedkcs32.dll'
- '\iernonce.dll'
- '\iertutil.dll'
- '\ifmon.dll'
- '\ifsutil.dll'
- '\inproclogger.dll'
- '\iphlpapi.dll'
- '\iri.dll'
- '\iscsidsc.dll'
- '\iscsium.dll'
- '\isv.exe_rsaenh.dll'
- '\iumbase.dll'
- '\iumsdk.dll'
- '\joinutil.dll'
- '\kdstub.dll'
- '\ksuser.dll'
- '\ktmw32.dll'
- '\licensemanagerapi.dll'
- '\licensingdiagspp.dll'
- '\linkinfo.dll'
- '\loadperf.dll'
- '\lockhostingframework.dll'
- '\logoncli.dll'
- '\logoncontroller.dll'
- '\lpksetupproxyserv.dll'
- '\lrwizdll.dll'
- '\magnification.dll'
- '\maintenanceui.dll'
- '\mapistub.dll'
- '\mbaexmlparser.dll'
- '\mdmdiagnostics.dll'
- '\mfc42u.dll'
- '\mfcore.dll'
- '\mfplat.dll'
- '\mi.dll'
- '\midimap.dll'
- '\mintdh.dll'
- '\miutils.dll'
- '\mlang.dll'
- '\mmdevapi.dll'
- '\mobilenetworking.dll'
- '\mpr.dll'
- '\mprapi.dll'
- '\mrmcorer.dll'
- '\msacm32.dll'
- '\mscms.dll'
- '\mscoree.dll'
- '\msctf.dll'
- '\msctfmonitor.dll'
- '\msdrm.dll'
- '\msdtctm.dll'
- '\msftedit.dll'
- '\msi.dll'
- '\msiso.dll'
- '\msutb.dll'
- '\msvcp110_win.dll'
- '\mswb7.dll'
- '\mswsock.dll'
- '\msxml3.dll'
- '\mtxclu.dll'
- '\napinsp.dll'
- '\ncrypt.dll'
- '\ndfapi.dll'
- '\netapi32.dll'
- '\netid.dll'
- '\netiohlp.dll'
- '\netjoin.dll'
- '\netplwiz.dll'
- '\netprofm.dll'
- '\netprovfw.dll'
- '\netsetupapi.dll'
- '\netshell.dll'
- '\nettrace.dll'
- '\netutils.dll'
- '\networkexplorer.dll'
- '\newdev.dll'
- '\ninput.dll'
- '\nlaapi.dll'
- '\nlansp_c.dll'
- '\npmproxy.dll'
- '\nshhttp.dll'
- '\nshipsec.dll'
- '\nshwfp.dll'
- '\ntdsapi.dll'
- '\ntlanman.dll'
- '\ntlmshared.dll'
- '\ntmarta.dll'
- '\ntshrui.dll'
- '\oleacc.dll'
- '\omadmapi.dll'
- '\onex.dll'
- '\opcservices.dll'
- '\osbaseln.dll'
- '\osksupport.dll'
- '\osuninst.dll'
- '\p2p.dll'
- '\p2pnetsh.dll'
- '\p9np.dll'
- '\pcaui.dll'
- '\pdh.dll'
- '\peerdistsh.dll'
- '\pkeyhelper.dll'
- '\pla.dll'
- '\playsndsrv.dll'
- '\pnrpnsp.dll'
- '\policymanager.dll'
- '\polstore.dll'
- '\powrprof.dll'
- '\printui.dll'
- '\prntvpt.dll'
- '\profapi.dll'
- '\propsys.dll'
- '\proximitycommon.dll'
- '\proximityservicepal.dll'
- '\prvdmofcomp.dll'
- '\puiapi.dll'
- '\radcui.dll'
- '\rasapi32.dll'
- '\rasdlg.dll'
- '\rasgcw.dll'
- '\rasman.dll'
- '\rasmontr.dll'
- '\reagent.dll'
- '\regapi.dll'
- '\reseteng.dll'
- '\resetengine.dll'
- '\resutils.dll'
- '\rmclient.dll'
- '\rpcnsh.dll'
- '\rsaenh.dll'
- '\rtutils.dll'
- '\rtworkq.dll'
- '\samcli.dll'
- '\samlib.dll'
- '\sapi_onecore.dll'
- '\sas.dll'
- '\scansetting.dll'
- '\scecli.dll'
- '\schedcli.dll'
- '\secur32.dll'
- '\security.dll'
- '\sensapi.dll'
- '\shell32.dll'
- '\shfolder.dll'
- '\slc.dll'
- '\snmpapi.dll'
- '\spectrumsyncclient.dll'
- '\spp.dll'
- '\sppc.dll'
- '\sppcext.dll'
- '\srclient.dll'
- '\srcore.dll'
- '\srmtrace.dll'
- '\srpapi.dll'
- '\srvcli.dll'
- '\ssp_isv.exe_rsaenh.dll'
- '\ssp.exe_rsaenh.dll'
- '\sspicli.dll'
- '\ssshim.dll'
- '\staterepository.core.dll'
- '\structuredquery.dll'
- '\sxshared.dll'
- '\systemsettingsthresholdadminflowui.dll'
- '\tapi32.dll'
- '\tbs.dll'
- '\tdh.dll'
- '\textshaping.dll'
- '\timesync.dll'
- '\tpmcoreprovisioning.dll'
- '\tquery.dll'
- '\tsworkspace.dll'
- '\ttdrecord.dll'
- '\twext.dll'
- '\twinapi.dll'
- '\twinui.appcore.dll'
- '\uianimation.dll'
- '\uiautomationcore.dll'
- '\uireng.dll'
- '\uiribbon.dll'
- '\umpdc.dll'
- '\unattend.dll'
- '\updatepolicy.dll'
- '\upshared.dll'
- '\urlmon.dll'
- '\userenv.dll'
- '\utildll.dll'
- '\uxinit.dll'
- '\uxtheme.dll'
- '\vaultcli.dll'
- '\vdsutil.dll'
- '\version.dll'
- '\virtdisk.dll'
- '\vssapi.dll'
- '\vsstrace.dll'
- '\wbemprox.dll'
- '\wbemsvc.dll'
- '\wcmapi.dll'
- '\wcnnetsh.dll'
- '\wdi.dll'
- '\wdscore.dll'
- '\webservices.dll'
- '\wecapi.dll'
- '\wer.dll'
- '\wevtapi.dll'
- '\whhelper.dll'
- '\wimgapi.dll'
- '\winbio.dll'
- '\winbrand.dll'
- '\windows.storage.dll'
- '\windows.storage.search.dll'
- '\windows.ui.immersive.dll'
- '\windowscodecs.dll'
- '\windowscodecsext.dll'
- '\windowsudk.shellcommon.dll'
- '\winhttp.dll'
- '\wininet.dll'
- '\winipsec.dll'
- '\winmde.dll'
- '\winmm.dll'
- '\winnsi.dll'
- '\winrnr.dll'
- '\winscard.dll'
- '\winsqlite3.dll'
- '\winsta.dll'
- '\winsync.dll'
- '\wkscli.dll'
- '\wlanapi.dll'
- '\wlancfg.dll'
- '\wldp.dll'
- '\wlidprov.dll'
- '\wmiclnt.dll'
- '\wmidcom.dll'
- '\wmiutils.dll'
- '\wmpdui.dll'
- '\wmsgapi.dll'
- '\wofutil.dll'
- '\wpdshext.dll'
- '\wscapi.dll'
- '\wsdapi.dll'
- '\wshbth.dll'
- '\wshelper.dll'
- '\wsmsvc.dll'
- '\wtsapi32.dll'
- '\wwancfg.dll'
- '\wwapi.dll'
- '\xmllite.dll'
- '\xolehlp.dll'
- '\xpsservices.dll'
- '\xwizards.dll'
- '\xwtpw32.dll'
# From https://github.com/XForceIR/SideLoadHunter/blob/main/SideLoads/README.md
- '\amsi.dll'
- '\appraiser.dll'
- '\COMRES.DLL'
- '\cryptnet.dll'
- '\DispBroker.dll'
- '\dsound.dll'
- '\dxilconv.dll'
- '\FxsCompose.dll'
- '\FXSRESM.DLL'
- '\msdtcVSp1res.dll'
- '\PrintIsolationProxy.dll'
- '\rdpendp.dll'
- '\rpchttp.dll'
- '\storageusage.dll'
- '\utcutil.dll'
- '\WfsR.dll'
# The DLLs below exists in "C:\Windows\System32\DriverStore\FileRepository\" folder. But there is also a copy located in "C:\ProgramData\Package Cache\XXXXXXX\Graphics\". If you see them being loaded from there. Please comment them out, don't add a filter for ProgramData :)
- '\igd10iumd64.dll'
- '\igd12umd64.dll'
- '\igdumdim64.dll'
- '\igdusc64.dll'
# Other
- '\TSMSISrv.dll'
- '\TSVIPSrv.dll'
- '\wbemcomn.dll'
- '\WLBSCTRL.dll'
- '\wow64log.dll'
- '\WptsExtensions.dll'
filter_main_generic:
# Note: this filter is generic on purpose to avoid insane amount of FP from legitimate third party applications. A better approach would be to baseline everything and add specific filters to avoid blind spots
ImageLoaded|contains:
- 'C:\$WINDOWS.~BT\'
- 'C:\$WinREAgent\'
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\System32\'
- 'C:\Windows\SystemTemp\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
- 'C:\Windows\SyChpe32\' # “hybrid” binaries containing x86-to-ARM stubs to improve the x86 emulation performance
filter_main_windows_temp:
ImageLoaded|startswith: 'C:\Windows\Temp\'
Image|startswith:
- 'C:\Windows\WinSxS\arm64'
- 'C:\Windows\UUS\arm64\'
Image|endswith:
- '\TiWorker.exe'
- '\wuaucltcore.exe'
filter_main_dot_net:
ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\'
ImageLoaded|endswith: '\cscui.dll'
filter_main_defender:
ImageLoaded|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
ImageLoaded|endswith: '\version.dll'
filter_main_directx:
ImageLoaded|startswith: 'C:\Program Files\WindowsApps\Microsoft.DirectXRuntime_'
ImageLoaded|endswith: '\d3dx9_43.dll'
filter_optional_exchange:
ImageLoaded|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
ImageLoaded|endswith: '\mswb7.dll'
filter_optional_arsenal_image_mounter:
ImageLoaded|startswith: 'C:\Program Files\Arsenal-Image-Mounter-'
ImageLoaded|endswith:
- '\mi.dll'
- '\miutils.dl'
filter_optional_office_appvpolicy:
Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
filter_optional_azure:
ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
filter_optional_dell:
Image|contains:
- 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
- 'C:\Windows\System32\backgroundTaskHost.exe'
ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
filter_optional_dell_wldp:
Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
Image|endswith: '\wldp.dll'
filter_optional_checkpoint:
Image|startswith:
- 'C:\Program Files\CheckPoint\'
- 'C:\Program Files (x86)\CheckPoint\'
Image|endswith: '\SmartConsole.exe'
ImageLoaded|startswith:
- 'C:\Program Files\CheckPoint\'
- 'C:\Program Files (x86)\CheckPoint\'
ImageLoaded|endswith: '\PolicyManager.dll'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate applications loading their own versions of the DLLs mentioned in this rule
level: high