Potential Antivirus Software DLL Sideloading

Status: test
Severity: medium
Log source: product windows, category image_load
Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
Source: github.com/SigmaHQ/sigma

Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1574.001` Hijack Execution Flow: DLL
Stealth	`T1574.001` Hijack Execution Flow: DLL

Event coverage

Provider	Event	Title
Sysmon	Event ID 7	Image loaded

Rule body yaml

title: Potential Antivirus Software DLL Sideloading
id: 552b6b65-df37-4d3e-a258-f2fc4771ae54
status: test
description: Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
references:
    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2025-10-07
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    # Bitdefender
    selection_bitdefender:
        ImageLoaded|endswith: '\log.dll'
    filter_log_dll_bitdefender:
        ImageLoaded|startswith:
            - 'C:\Program Files\Bitdefender Antivirus Free\'
            - 'C:\Program Files (x86)\Bitdefender Antivirus Free\'
    filter_log_dll_dell_sar:
        Image: 'C:\Program Files\Dell\SARemediation\audit\TelemetryUtility.exe'
        ImageLoaded:
            - 'C:\Program Files\Dell\SARemediation\plugin\log.dll'
            - 'C:\Program Files\Dell\SARemediation\audit\log.dll'
    filter_log_dll_canon:
        ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\'
    filter_log_dll_avast:
        ImageLoaded:
            - 'C:\Program Files\AVAST Software\Avast\log.dll'
            - 'C:\Program Files (x86)\AVAST Software\Avast\log.dll'
    filter_log_dll_avg:
        ImageLoaded:
            - 'C:\Program Files\AVG\Antivirus\log.dll'
            - 'C:\Program Files (x86)\AVG\Antivirus\log.dll'
    # F-Secure
    selection_fsecure:
        ImageLoaded|endswith: '\qrt.dll'
    filter_fsecure:
        ImageLoaded|startswith:
            - 'C:\Program Files\F-Secure\Anti-Virus\'
            - 'C:\Program Files (x86)\F-Secure\Anti-Virus\'
    # McAfee
    selection_mcafee:
        ImageLoaded|endswith:
            - '\ashldres.dll'
            - '\lockdown.dll'
            - '\vsodscpl.dll'
    filter_mcafee:
        ImageLoaded|startswith:
            - 'C:\Program Files\McAfee\'
            - 'C:\Program Files (x86)\McAfee\'
    # CyberArk
    selection_cyberark:
        ImageLoaded|endswith: '\vftrace.dll'
    filter_cyberark:
        ImageLoaded|startswith:
            - 'C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\'
            - 'C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\'
    # Avast
    selection_avast:
        ImageLoaded|endswith: '\wsc.dll'
    filter_wsc_dll_avast:
        ImageLoaded|startswith:
            - 'C:\program Files\AVAST Software\Avast\'
            - 'C:\program Files (x86)\AVAST Software\Avast\'
    filter_wsc_dll_avg:
        ImageLoaded|startswith:
            - 'C:\Program Files\AVG\Antivirus\'
            - 'C:\Program Files (x86)\AVG\Antivirus\'
    # ESET
    selection_eset_deslock:
        ImageLoaded|endswith: '\DLPPREM32.dll'
    filter_eset_deslock:
        ImageLoaded|startswith:
            - 'C:\program Files\ESET'
            - 'C:\program Files (x86)\ESET'
    # Trend Micro Titanium
    selection_titanium:
        ImageLoaded|endswith: '\tmdbglog.dll'
    filter_titanium:
        ImageLoaded|startswith:
            - 'C:\program Files\Trend Micro\Titanium\'
            - 'C:\program Files (x86)\Trend Micro\Titanium\'
    condition: (selection_bitdefender and not 1 of filter_log_dll_*)
               or (selection_fsecure and not filter_fsecure)
               or (selection_mcafee and not filter_mcafee)
               or (selection_cyberark and not filter_cyberark)
               or (selection_avast and not 1 of filter_wsc_dll_*)
               or (selection_titanium and not filter_titanium)
               or (selection_eset_deslock and not filter_eset_deslock)
falsepositives:
    - Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.
    - Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file.
    - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file
level: medium

Stages and Predicates

Stage 0: `condition`

(selection_bitdefender and not 1 of filter_log_dll_*)

Stage 1: `selection_bitdefender`

selection_bitdefender:
    ImageLoaded|endswith: '\log.dll'

Stage 2: `not filter_log_dll_*`

filter_log_dll_bitdefender:
    ImageLoaded|startswith:
        - 'C:\Program Files\Bitdefender Antivirus Free\'
        - 'C:\Program Files (x86)\Bitdefender Antivirus Free\'
filter_log_dll_dell_sar:
    Image: 'C:\Program Files\Dell\SARemediation\audit\TelemetryUtility.exe'
    ImageLoaded:
        - 'C:\Program Files\Dell\SARemediation\plugin\log.dll'
        - 'C:\Program Files\Dell\SARemediation\audit\log.dll'
filter_log_dll_canon:
    ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\'
filter_log_dll_avast:
    ImageLoaded:
        - 'C:\Program Files\AVAST Software\Avast\log.dll'
        - 'C:\Program Files (x86)\AVAST Software\Avast\log.dll'
filter_log_dll_avg:
    ImageLoaded:
        - 'C:\Program Files\AVG\Antivirus\log.dll'
        - 'C:\Program Files (x86)\AVG\Antivirus\log.dll'

Stage 3: `selection_fsecure`

selection_fsecure:
    ImageLoaded|endswith: '\qrt.dll'

Stage 4: `not filter_fsecure`

filter_fsecure:
    ImageLoaded|startswith:
        - 'C:\Program Files\F-Secure\Anti-Virus\'
        - 'C:\Program Files (x86)\F-Secure\Anti-Virus\'

Stage 5: `selection_mcafee`

selection_mcafee:
    ImageLoaded|endswith:
        - '\ashldres.dll'
        - '\lockdown.dll'
        - '\vsodscpl.dll'

Stage 6: `not filter_mcafee`

filter_mcafee:
    ImageLoaded|startswith:
        - 'C:\Program Files\McAfee\'
        - 'C:\Program Files (x86)\McAfee\'

Stage 7: `selection_cyberark`

selection_cyberark:
    ImageLoaded|endswith: '\vftrace.dll'

Stage 8: `not filter_cyberark`

filter_cyberark:
    ImageLoaded|startswith:
        - 'C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\'
        - 'C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\'

Stage 9: `selection_avast`

selection_avast:
    ImageLoaded|endswith: '\wsc.dll'

Stage 10: `not filter_wsc_dll_*`

filter_wsc_dll_avast:
    ImageLoaded|startswith:
        - 'C:\program Files\AVAST Software\Avast\'
        - 'C:\program Files (x86)\AVAST Software\Avast\'
filter_wsc_dll_avg:
    ImageLoaded|startswith:
        - 'C:\Program Files\AVG\Antivirus\'
        - 'C:\Program Files (x86)\AVG\Antivirus\'

Stage 11: `selection_titanium`

selection_titanium:
    ImageLoaded|endswith: '\tmdbglog.dll'

Stage 12: `not filter_titanium`

filter_titanium:
    ImageLoaded|startswith:
        - 'C:\program Files\Trend Micro\Titanium\'
        - 'C:\program Files (x86)\Trend Micro\Titanium\'

Stage 13: `selection_eset_deslock`

selection_eset_deslock:
    ImageLoaded|endswith: '\DLPPREM32.dll'

Stage 14: `not filter_eset_deslock`

filter_eset_deslock:
    ImageLoaded|startswith:
        - 'C:\program Files\ESET'
        - 'C:\program Files (x86)\ESET'

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`ImageLoaded`	eq	`C:\Program Files\Dell\SARemediation\audit\log.dll`
`ImageLoaded`	eq	`C:\Program Files\Dell\SARemediation\plugin\log.dll`
`Image`	eq	`C:\Program Files\Dell\SARemediation\audit\TelemetryUtility.exe`
`ImageLoaded`	eq	`C:\Program Files (x86)\AVAST Software\Avast\log.dll`
`ImageLoaded`	eq	`C:\Program Files (x86)\AVG\Antivirus\log.dll`
`ImageLoaded`	eq	`C:\Program Files\AVAST Software\Avast\log.dll`
`ImageLoaded`	eq	`C:\Program Files\AVG\Antivirus\log.dll`
`ImageLoaded`	starts_with	`C:\Program Files (x86)\Bitdefender Antivirus Free\`
`ImageLoaded`	starts_with	`C:\Program Files\Bitdefender Antivirus Free\`
`ImageLoaded`	starts_with	`C:\Program Files\Canon\MyPrinter\`
`ImageLoaded`	starts_with	`C:\Program Files (x86)\F-Secure\Anti-Virus\`
`ImageLoaded`	starts_with	`C:\Program Files\F-Secure\Anti-Virus\`
`ImageLoaded`	starts_with	`C:\Program Files (x86)\McAfee\`
`ImageLoaded`	starts_with	`C:\Program Files\McAfee\`
`ImageLoaded`	starts_with	`C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\`
`ImageLoaded`	starts_with	`C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\`
`ImageLoaded`	starts_with	`C:\Program Files (x86)\AVG\Antivirus\`
`ImageLoaded`	starts_with	`C:\Program Files\AVG\Antivirus\`
`ImageLoaded`	starts_with	`C:\program Files (x86)\AVAST Software\Avast\`
`ImageLoaded`	starts_with	`C:\program Files\AVAST Software\Avast\`
`ImageLoaded`	starts_with	`C:\program Files (x86)\Trend Micro\Titanium\`
`ImageLoaded`	starts_with	`C:\program Files\Trend Micro\Titanium\`
`ImageLoaded`	starts_with	`C:\program Files (x86)\ESET`
`ImageLoaded`	starts_with	`C:\program Files\ESET`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`ImageLoaded`	ends_with	`\DLPPREM32.dll` `\ashldres.dll` `\lockdown.dll` `\log.dll` `\qrt.dll` `\tmdbglog.dll` `\vftrace.dll` `\vsodscpl.dll` `\wsc.dll`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Potential Antivirus Software DLL Sideloading

MITRE ATT&CK coverage

Event coverage

Rule body yaml

Stages and Predicates

Stage 0: `condition`

Stage 1: `selection_bitdefender`

Stage 2: `not filter_log_dll_*`

Stage 3: `selection_fsecure`

Stage 4: `not filter_fsecure`

Stage 5: `selection_mcafee`

Stage 6: `not filter_mcafee`

Stage 7: `selection_cyberark`

Stage 8: `not filter_cyberark`

Stage 9: `selection_avast`

Stage 10: `not filter_wsc_dll_*`

Stage 11: `selection_titanium`

Stage 12: `not filter_titanium`

Stage 13: `selection_eset_deslock`

Stage 14: `not filter_eset_deslock`

Exclusions

Indicators

Keyboard shortcuts

Search operators

Potential Antivirus Software DLL Sideloading

MITRE ATT&CK coverage

Event coverage

Rule body yaml

Stages and Predicates

Stage 0: condition

Stage 1: selection_bitdefender

Stage 2: not filter_log_dll_*

Stage 3: selection_fsecure

Stage 4: not filter_fsecure

Stage 5: selection_mcafee

Stage 6: not filter_mcafee

Stage 7: selection_cyberark

Stage 8: not filter_cyberark

Stage 9: selection_avast

Stage 10: not filter_wsc_dll_*

Stage 11: selection_titanium

Stage 12: not filter_titanium

Stage 13: selection_eset_deslock

Stage 14: not filter_eset_deslock

Exclusions

Indicators

Stage 0: `condition`

Stage 1: `selection_bitdefender`

Stage 2: `not filter_log_dll_*`

Stage 3: `selection_fsecure`

Stage 4: `not filter_fsecure`

Stage 5: `selection_mcafee`

Stage 6: `not filter_mcafee`

Stage 7: `selection_cyberark`

Stage 8: `not filter_cyberark`

Stage 9: `selection_avast`

Stage 10: `not filter_wsc_dll_*`

Stage 11: `selection_titanium`

Stage 12: `not filter_titanium`

Stage 13: `selection_eset_deslock`

Stage 14: `not filter_eset_deslock`