Potential System DLL Sideloading From Non System Locations

Status: test
Severity: high
Log source: product windows, category image_load
Author: Nasreddine Bencherchali (Nextron Systems)
Source: github.com/SigmaHQ/sigma

Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1574.001` Hijack Execution Flow: DLL
Stealth	`T1574.001` Hijack Execution Flow: DLL

Event coverage

Provider	Event	Title
Sysmon	Event ID 7	Image loaded

Rule body yaml

title: Potential System DLL Sideloading From Non System Locations
id: 4fc0deee-0057-4998-ab31-d24e46e0aba4
status: test
description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
references:
    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there). Wietze Beukema (project and research)
    - https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll
    - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
    - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
    - https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
modified: 2025-12-03
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\aclui.dll'
            - '\activeds.dll'
            - '\adsldpc.dll'
            - '\aepic.dll'
            - '\apphelp.dll'
            - '\applicationframe.dll'
            - '\appvpolicy.dll'
            - '\appxalluserstore.dll'
            - '\appxdeploymentclient.dll'
            - '\archiveint.dll'
            - '\atl.dll'
            - '\audioses.dll'
            - '\auditpolcore.dll'
            - '\authfwcfg.dll'
            - '\authz.dll'
            - '\avrt.dll'
            - '\batmeter.dll'
            - '\bcd.dll'
            - '\bcp47langs.dll'
            - '\bcp47mrm.dll'
            - '\bcrypt.dll'
            - '\bderepair.dll'
            - '\bootmenuux.dll'
            - '\bootux.dll'
            - '\cabinet.dll'
            - '\cabview.dll'
            - '\certcli.dll'
            - '\certenroll.dll'
            - '\cfgmgr32.dll'
            - '\cldapi.dll'
            - '\clipc.dll'
            - '\clusapi.dll'
            - '\cmpbk32.dll'
            - '\cmutil.dll'
            - '\coloradapterclient.dll'
            - '\colorui.dll'
            - '\comdlg32.dll'
            - '\configmanager2.dll'
            - '\connect.dll'
            - '\coredplus.dll'
            - '\coremessaging.dll'
            - '\coreuicomponents.dll'
            - '\credui.dll'
            - '\cryptbase.dll'
            - '\cryptdll.dll'
            - '\cryptsp.dll'
            - '\cryptui.dll'
            - '\cryptxml.dll'
            - '\cscapi.dll'
            - '\cscobj.dll'
            - '\cscui.dll'
            - '\d2d1.dll'
            - '\d3d10_1.dll'
            - '\d3d10_1core.dll'
            - '\d3d10.dll'
            - '\d3d10core.dll'
            - '\d3d10warp.dll'
            - '\d3d11.dll'
            - '\d3d12.dll'
            - '\d3d9.dll'
            - '\d3dx9_43.dll'
            - '\dataexchange.dll'
            - '\davclnt.dll'
            - '\dcntel.dll'
            - '\dcomp.dll'
            - '\defragproxy.dll'
            - '\desktopshellext.dll'
            - '\deviceassociation.dll'
            - '\devicecredential.dll'
            - '\devicepairing.dll'
            - '\devobj.dll'
            - '\devrtl.dll'
            - '\dhcpcmonitor.dll'
            - '\dhcpcsvc.dll'
            - '\dhcpcsvc6.dll'
            - '\directmanipulation.dll'
            - '\dismapi.dll'
            - '\dismcore.dll'
            - '\dmcfgutils.dll'
            - '\dmcmnutils.dll'
            - '\dmcommandlineutils.dll'
            - '\dmenrollengine.dll'
            - '\dmenterprisediagnostics.dll'
            - '\dmiso8601utils.dll'
            - '\dmoleaututils.dll'
            - '\dmprocessxmlfiltered.dll'
            - '\dmpushproxy.dll'
            - '\dmxmlhelputils.dll'
            - '\dnsapi.dll'
            - '\dot3api.dll'
            - '\dot3cfg.dll'
            - '\dpx.dll'
            - '\drprov.dll'
            - '\drvstore.dll'
            - '\dsclient.dll'
            - '\dsparse.dll'
            - '\dsprop.dll'
            - '\dsreg.dll'
            - '\dsrole.dll'
            - '\dui70.dll'
            - '\duser.dll'
            - '\dusmapi.dll'
            - '\dwmapi.dll'
            - '\dwmcore.dll'
            - '\dwrite.dll'
            - '\dxcore.dll'
            - '\dxgi.dll'
            - '\dxva2.dll'
            - '\dynamoapi.dll'
            - '\eappcfg.dll'
            - '\eappprxy.dll'
            - '\edgeiso.dll'
            - '\edputil.dll'
            - '\efsadu.dll'
            - '\efsutil.dll'
            - '\esent.dll'
            - '\execmodelproxy.dll'
            - '\explorerframe.dll'
            - '\fastprox.dll'
            - '\faultrep.dll'
            - '\fddevquery.dll'
            - '\feclient.dll'
            - '\fhcfg.dll'
            - '\fhsvcctl.dll'
            - '\firewallapi.dll'
            - '\flightsettings.dll'
            - '\fltlib.dll'
            - '\framedynos.dll'
            - '\fveapi.dll'
            - '\fveskybackup.dll'
            - '\fvewiz.dll'
            - '\fwbase.dll'
            - '\fwcfg.dll'
            - '\fwpolicyiomgr.dll'
            - '\fwpuclnt.dll'
            - '\fxsapi.dll'
            - '\fxsst.dll'
            - '\fxstiff.dll'
            - '\getuname.dll'
            - '\gpapi.dll'
            - '\hid.dll'
            - '\hnetmon.dll'
            - '\httpapi.dll'
            - '\icmp.dll'
            - '\idstore.dll'
            - '\ieadvpack.dll'
            - '\iedkcs32.dll'
            - '\iernonce.dll'
            - '\iertutil.dll'
            - '\ifmon.dll'
            - '\ifsutil.dll'
            - '\inproclogger.dll'
            - '\iphlpapi.dll'
            - '\iri.dll'
            - '\iscsidsc.dll'
            - '\iscsium.dll'
            - '\isv.exe_rsaenh.dll'
            - '\iumbase.dll'
            - '\iumsdk.dll'
            - '\joinutil.dll'
            - '\kdstub.dll'
            - '\ksuser.dll'
            - '\ktmw32.dll'
            - '\licensemanagerapi.dll'
            - '\licensingdiagspp.dll'
            - '\linkinfo.dll'
            - '\loadperf.dll'
            - '\lockhostingframework.dll'
            - '\logoncli.dll'
            - '\logoncontroller.dll'
            - '\lpksetupproxyserv.dll'
            - '\lrwizdll.dll'
            - '\magnification.dll'
            - '\maintenanceui.dll'
            - '\mapistub.dll'
            - '\mbaexmlparser.dll'
            - '\mdmdiagnostics.dll'
            - '\mfc42u.dll'
            - '\mfcore.dll'
            - '\mfplat.dll'
            - '\mi.dll'
            - '\midimap.dll'
            - '\mintdh.dll'
            - '\miutils.dll'
            - '\mlang.dll'
            - '\mmdevapi.dll'
            - '\mobilenetworking.dll'
            - '\mpr.dll'
            - '\mprapi.dll'
            - '\mrmcorer.dll'
            - '\msacm32.dll'
            - '\mscms.dll'
            - '\mscoree.dll'
            - '\msctf.dll'
            - '\msctfmonitor.dll'
            - '\msdrm.dll'
            - '\msdtctm.dll'
            - '\msftedit.dll'
            - '\msi.dll'
            - '\msiso.dll'
            - '\msutb.dll'
            - '\msvcp110_win.dll'
            - '\mswb7.dll'
            - '\mswsock.dll'
            - '\msxml3.dll'
            - '\mtxclu.dll'
            - '\napinsp.dll'
            - '\ncrypt.dll'
            - '\ndfapi.dll'
            - '\netapi32.dll'
            - '\netid.dll'
            - '\netiohlp.dll'
            - '\netjoin.dll'
            - '\netplwiz.dll'
            - '\netprofm.dll'
            - '\netprovfw.dll'
            - '\netsetupapi.dll'
            - '\netshell.dll'
            - '\nettrace.dll'
            - '\netutils.dll'
            - '\networkexplorer.dll'
            - '\newdev.dll'
            - '\ninput.dll'
            - '\nlaapi.dll'
            - '\nlansp_c.dll'
            - '\npmproxy.dll'
            - '\nshhttp.dll'
            - '\nshipsec.dll'
            - '\nshwfp.dll'
            - '\ntdsapi.dll'
            - '\ntlanman.dll'
            - '\ntlmshared.dll'
            - '\ntmarta.dll'
            - '\ntshrui.dll'
            - '\oleacc.dll'
            - '\omadmapi.dll'
            - '\onex.dll'
            - '\opcservices.dll'
            - '\osbaseln.dll'
            - '\osksupport.dll'
            - '\osuninst.dll'
            - '\p2p.dll'
            - '\p2pnetsh.dll'
            - '\p9np.dll'
            - '\pcaui.dll'
            - '\pdh.dll'
            - '\peerdistsh.dll'
            - '\pkeyhelper.dll'
            - '\pla.dll'
            - '\playsndsrv.dll'
            - '\pnrpnsp.dll'
            - '\policymanager.dll'
            - '\polstore.dll'
            - '\powrprof.dll'
            - '\printui.dll'
            - '\prntvpt.dll'
            - '\profapi.dll'
            - '\propsys.dll'
            - '\proximitycommon.dll'
            - '\proximityservicepal.dll'
            - '\prvdmofcomp.dll'
            - '\puiapi.dll'
            - '\radcui.dll'
            - '\rasapi32.dll'
            - '\rasdlg.dll'
            - '\rasgcw.dll'
            - '\rasman.dll'
            - '\rasmontr.dll'
            - '\reagent.dll'
            - '\regapi.dll'
            - '\reseteng.dll'
            - '\resetengine.dll'
            - '\resutils.dll'
            - '\rmclient.dll'
            - '\rpcnsh.dll'
            - '\rsaenh.dll'
            - '\rtutils.dll'
            - '\rtworkq.dll'
            - '\samcli.dll'
            - '\samlib.dll'
            - '\sapi_onecore.dll'
            - '\sas.dll'
            - '\scansetting.dll'
            - '\scecli.dll'
            - '\schedcli.dll'
            - '\secur32.dll'
            - '\security.dll'
            - '\sensapi.dll'
            - '\shell32.dll'
            - '\shfolder.dll'
            - '\slc.dll'
            - '\snmpapi.dll'
            - '\spectrumsyncclient.dll'
            - '\spp.dll'
            - '\sppc.dll'
            - '\sppcext.dll'
            - '\srclient.dll'
            - '\srcore.dll'
            - '\srmtrace.dll'
            - '\srpapi.dll'
            - '\srvcli.dll'
            - '\ssp_isv.exe_rsaenh.dll'
            - '\ssp.exe_rsaenh.dll'
            - '\sspicli.dll'
            - '\ssshim.dll'
            - '\staterepository.core.dll'
            - '\structuredquery.dll'
            - '\sxshared.dll'
            - '\systemsettingsthresholdadminflowui.dll'
            - '\tapi32.dll'
            - '\tbs.dll'
            - '\tdh.dll'
            - '\textshaping.dll'
            - '\timesync.dll'
            - '\tpmcoreprovisioning.dll'
            - '\tquery.dll'
            - '\tsworkspace.dll'
            - '\ttdrecord.dll'
            - '\twext.dll'
            - '\twinapi.dll'
            - '\twinui.appcore.dll'
            - '\uianimation.dll'
            - '\uiautomationcore.dll'
            - '\uireng.dll'
            - '\uiribbon.dll'
            - '\umpdc.dll'
            - '\unattend.dll'
            - '\updatepolicy.dll'
            - '\upshared.dll'
            - '\urlmon.dll'
            - '\userenv.dll'
            - '\utildll.dll'
            - '\uxinit.dll'
            - '\uxtheme.dll'
            - '\vaultcli.dll'
            - '\vdsutil.dll'
            - '\version.dll'
            - '\virtdisk.dll'
            - '\vssapi.dll'
            - '\vsstrace.dll'
            - '\wbemprox.dll'
            - '\wbemsvc.dll'
            - '\wcmapi.dll'
            - '\wcnnetsh.dll'
            - '\wdi.dll'
            - '\wdscore.dll'
            - '\webservices.dll'
            - '\wecapi.dll'
            - '\wer.dll'
            - '\wevtapi.dll'
            - '\whhelper.dll'
            - '\wimgapi.dll'
            - '\winbio.dll'
            - '\winbrand.dll'
            - '\windows.storage.dll'
            - '\windows.storage.search.dll'
            - '\windows.ui.immersive.dll'
            - '\windowscodecs.dll'
            - '\windowscodecsext.dll'
            - '\windowsudk.shellcommon.dll'
            - '\winhttp.dll'
            - '\wininet.dll'
            - '\winipsec.dll'
            - '\winmde.dll'
            - '\winmm.dll'
            - '\winnsi.dll'
            - '\winrnr.dll'
            - '\winscard.dll'
            - '\winsqlite3.dll'
            - '\winsta.dll'
            - '\winsync.dll'
            - '\wkscli.dll'
            - '\wlanapi.dll'
            - '\wlancfg.dll'
            - '\wldp.dll'
            - '\wlidprov.dll'
            - '\wmiclnt.dll'
            - '\wmidcom.dll'
            - '\wmiutils.dll'
            - '\wmpdui.dll'
            - '\wmsgapi.dll'
            - '\wofutil.dll'
            - '\wpdshext.dll'
            - '\wscapi.dll'
            - '\wsdapi.dll'
            - '\wshbth.dll'
            - '\wshelper.dll'
            - '\wsmsvc.dll'
            - '\wtsapi32.dll'
            - '\wwancfg.dll'
            - '\wwapi.dll'
            - '\xmllite.dll'
            - '\xolehlp.dll'
            - '\xpsservices.dll'
            - '\xwizards.dll'
            - '\xwtpw32.dll'
            # From https://github.com/XForceIR/SideLoadHunter/blob/main/SideLoads/README.md
            - '\amsi.dll'
            - '\appraiser.dll'
            - '\COMRES.DLL'
            - '\cryptnet.dll'
            - '\DispBroker.dll'
            - '\dsound.dll'
            - '\dxilconv.dll'
            - '\FxsCompose.dll'
            - '\FXSRESM.DLL'
            - '\msdtcVSp1res.dll'
            - '\PrintIsolationProxy.dll'
            - '\rdpendp.dll'
            - '\rpchttp.dll'
            - '\storageusage.dll'
            - '\utcutil.dll'
            - '\WfsR.dll'
            # The DLLs below exists in "C:\Windows\System32\DriverStore\FileRepository\" folder. But there is also a copy located in "C:\ProgramData\Package Cache\XXXXXXX\Graphics\". If you see them being loaded from there. Please comment them out, don't add a filter for ProgramData :)
            - '\igd10iumd64.dll'
            - '\igd12umd64.dll'
            - '\igdumdim64.dll'
            - '\igdusc64.dll'
            # Other
            - '\TSMSISrv.dll'
            - '\TSVIPSrv.dll'
            - '\wbemcomn.dll'
            - '\WLBSCTRL.dll'
            - '\wow64log.dll'
            - '\WptsExtensions.dll'
    filter_main_generic:
        # Note: this filter is generic on purpose to avoid insane amount of FP from legitimate third party applications. A better approach would be to baseline everything and add specific filters to avoid blind spots
        ImageLoaded|contains:
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemTemp\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\SyChpe32\' # “hybrid” binaries containing x86-to-ARM stubs to improve the x86 emulation performance
    filter_main_windows_temp:
        ImageLoaded|startswith: 'C:\Windows\Temp\'
        Image|startswith:
            - 'C:\Windows\WinSxS\arm64'
            - 'C:\Windows\UUS\arm64\'
        Image|endswith:
            - '\TiWorker.exe'
            - '\wuaucltcore.exe'
    filter_main_dot_net:
        ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\'
        ImageLoaded|endswith: '\cscui.dll'
    filter_main_defender:
        ImageLoaded|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        ImageLoaded|endswith: '\version.dll'
    filter_main_directx:
        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\Microsoft.DirectXRuntime_'
        ImageLoaded|endswith: '\d3dx9_43.dll'
    filter_optional_exchange:
        ImageLoaded|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
        ImageLoaded|endswith: '\mswb7.dll'
    filter_optional_arsenal_image_mounter:
        ImageLoaded|startswith: 'C:\Program Files\Arsenal-Image-Mounter-'
        ImageLoaded|endswith:
            - '\mi.dll'
            - '\miutils.dl'
    filter_optional_office_appvpolicy:
        Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
        ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
    filter_optional_azure:
        ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
    filter_optional_dell:
        Image|contains:
            - 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
            - 'C:\Windows\System32\backgroundTaskHost.exe'
        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
    filter_optional_dell_wldp:
        Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
        Image|endswith: '\wldp.dll'
    filter_optional_checkpoint:
        Image|startswith:
            - 'C:\Program Files\CheckPoint\'
            - 'C:\Program Files (x86)\CheckPoint\'
        Image|endswith: '\SmartConsole.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files\CheckPoint\'
            - 'C:\Program Files (x86)\CheckPoint\'
        ImageLoaded|endswith: '\PolicyManager.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate applications loading their own versions of the DLLs mentioned in this rule
level: high

Stages and Predicates

Stage 0: `condition`

selection and not 1 of filter_main_* and not 1 of filter_optional_*

Stage 1: `selection`

selection:
    ImageLoaded|endswith:
        - '\aclui.dll'
        - '\activeds.dll'
        - '\adsldpc.dll'
        - '\aepic.dll'
        - '\apphelp.dll'
        - '\applicationframe.dll'
        - '\appvpolicy.dll'
        - '\appxalluserstore.dll'
        - '\appxdeploymentclient.dll'
        - '\archiveint.dll'
        - '\atl.dll'
        - '\audioses.dll'
        - '\auditpolcore.dll'
        - '\authfwcfg.dll'
        - '\authz.dll'
        - '\avrt.dll'
        - '\batmeter.dll'
        - '\bcd.dll'
        - '\bcp47langs.dll'
        - '\bcp47mrm.dll'
        - '\bcrypt.dll'
        - '\bderepair.dll'
        - '\bootmenuux.dll'
        - '\bootux.dll'
        - '\cabinet.dll'
        - '\cabview.dll'
        - '\certcli.dll'
        - '\certenroll.dll'
        - '\cfgmgr32.dll'
        - '\cldapi.dll'
        - '\clipc.dll'
        - '\clusapi.dll'
        - '\cmpbk32.dll'
        - '\cmutil.dll'
        - '\coloradapterclient.dll'
        - '\colorui.dll'
        - '\comdlg32.dll'
        - '\configmanager2.dll'
        - '\connect.dll'
        - '\coredplus.dll'
        - '\coremessaging.dll'
        - '\coreuicomponents.dll'
        - '\credui.dll'
        - '\cryptbase.dll'
        - '\cryptdll.dll'
        - '\cryptsp.dll'
        - '\cryptui.dll'
        - '\cryptxml.dll'
        - '\cscapi.dll'
        - '\cscobj.dll'
        - '\cscui.dll'
        - '\d2d1.dll'
        - '\d3d10_1.dll'
        - '\d3d10_1core.dll'
        - '\d3d10.dll'
        - '\d3d10core.dll'
        - '\d3d10warp.dll'
        - '\d3d11.dll'
        - '\d3d12.dll'
        - '\d3d9.dll'
        - '\d3dx9_43.dll'
        - '\dataexchange.dll'
        - '\davclnt.dll'
        - '\dcntel.dll'
        - '\dcomp.dll'
        - '\defragproxy.dll'
        - '\desktopshellext.dll'
        - '\deviceassociation.dll'
        - '\devicecredential.dll'
        - '\devicepairing.dll'
        - '\devobj.dll'
        - '\devrtl.dll'
        - '\dhcpcmonitor.dll'
        - '\dhcpcsvc.dll'
        - '\dhcpcsvc6.dll'
        - '\directmanipulation.dll'
        - '\dismapi.dll'
        - '\dismcore.dll'
        - '\dmcfgutils.dll'
        - '\dmcmnutils.dll'
        - '\dmcommandlineutils.dll'
        - '\dmenrollengine.dll'
        - '\dmenterprisediagnostics.dll'
        - '\dmiso8601utils.dll'
        - '\dmoleaututils.dll'
        - '\dmprocessxmlfiltered.dll'
        - '\dmpushproxy.dll'
        - '\dmxmlhelputils.dll'
        - '\dnsapi.dll'
        - '\dot3api.dll'
        - '\dot3cfg.dll'
        - '\dpx.dll'
        - '\drprov.dll'
        - '\drvstore.dll'
        - '\dsclient.dll'
        - '\dsparse.dll'
        - '\dsprop.dll'
        - '\dsreg.dll'
        - '\dsrole.dll'
        - '\dui70.dll'
        - '\duser.dll'
        - '\dusmapi.dll'
        - '\dwmapi.dll'
        - '\dwmcore.dll'
        - '\dwrite.dll'
        - '\dxcore.dll'
        - '\dxgi.dll'
        - '\dxva2.dll'
        - '\dynamoapi.dll'
        - '\eappcfg.dll'
        - '\eappprxy.dll'
        - '\edgeiso.dll'
        - '\edputil.dll'
        - '\efsadu.dll'
        - '\efsutil.dll'
        - '\esent.dll'
        - '\execmodelproxy.dll'
        - '\explorerframe.dll'
        - '\fastprox.dll'
        - '\faultrep.dll'
        - '\fddevquery.dll'
        - '\feclient.dll'
        - '\fhcfg.dll'
        - '\fhsvcctl.dll'
        - '\firewallapi.dll'
        - '\flightsettings.dll'
        - '\fltlib.dll'
        - '\framedynos.dll'
        - '\fveapi.dll'
        - '\fveskybackup.dll'
        - '\fvewiz.dll'
        - '\fwbase.dll'
        - '\fwcfg.dll'
        - '\fwpolicyiomgr.dll'
        - '\fwpuclnt.dll'
        - '\fxsapi.dll'
        - '\fxsst.dll'
        - '\fxstiff.dll'
        - '\getuname.dll'
        - '\gpapi.dll'
        - '\hid.dll'
        - '\hnetmon.dll'
        - '\httpapi.dll'
        - '\icmp.dll'
        - '\idstore.dll'
        - '\ieadvpack.dll'
        - '\iedkcs32.dll'
        - '\iernonce.dll'
        - '\iertutil.dll'
        - '\ifmon.dll'
        - '\ifsutil.dll'
        - '\inproclogger.dll'
        - '\iphlpapi.dll'
        - '\iri.dll'
        - '\iscsidsc.dll'
        - '\iscsium.dll'
        - '\isv.exe_rsaenh.dll'
        - '\iumbase.dll'
        - '\iumsdk.dll'
        - '\joinutil.dll'
        - '\kdstub.dll'
        - '\ksuser.dll'
        - '\ktmw32.dll'
        - '\licensemanagerapi.dll'
        - '\licensingdiagspp.dll'
        - '\linkinfo.dll'
        - '\loadperf.dll'
        - '\lockhostingframework.dll'
        - '\logoncli.dll'
        - '\logoncontroller.dll'
        - '\lpksetupproxyserv.dll'
        - '\lrwizdll.dll'
        - '\magnification.dll'
        - '\maintenanceui.dll'
        - '\mapistub.dll'
        - '\mbaexmlparser.dll'
        - '\mdmdiagnostics.dll'
        - '\mfc42u.dll'
        - '\mfcore.dll'
        - '\mfplat.dll'
        - '\mi.dll'
        - '\midimap.dll'
        - '\mintdh.dll'
        - '\miutils.dll'
        - '\mlang.dll'
        - '\mmdevapi.dll'
        - '\mobilenetworking.dll'
        - '\mpr.dll'
        - '\mprapi.dll'
        - '\mrmcorer.dll'
        - '\msacm32.dll'
        - '\mscms.dll'
        - '\mscoree.dll'
        - '\msctf.dll'
        - '\msctfmonitor.dll'
        - '\msdrm.dll'
        - '\msdtctm.dll'
        - '\msftedit.dll'
        - '\msi.dll'
        - '\msiso.dll'
        - '\msutb.dll'
        - '\msvcp110_win.dll'
        - '\mswb7.dll'
        - '\mswsock.dll'
        - '\msxml3.dll'
        - '\mtxclu.dll'
        - '\napinsp.dll'
        - '\ncrypt.dll'
        - '\ndfapi.dll'
        - '\netapi32.dll'
        - '\netid.dll'
        - '\netiohlp.dll'
        - '\netjoin.dll'
        - '\netplwiz.dll'
        - '\netprofm.dll'
        - '\netprovfw.dll'
        - '\netsetupapi.dll'
        - '\netshell.dll'
        - '\nettrace.dll'
        - '\netutils.dll'
        - '\networkexplorer.dll'
        - '\newdev.dll'
        - '\ninput.dll'
        - '\nlaapi.dll'
        - '\nlansp_c.dll'
        - '\npmproxy.dll'
        - '\nshhttp.dll'
        - '\nshipsec.dll'
        - '\nshwfp.dll'
        - '\ntdsapi.dll'
        - '\ntlanman.dll'
        - '\ntlmshared.dll'
        - '\ntmarta.dll'
        - '\ntshrui.dll'
        - '\oleacc.dll'
        - '\omadmapi.dll'
        - '\onex.dll'
        - '\opcservices.dll'
        - '\osbaseln.dll'
        - '\osksupport.dll'
        - '\osuninst.dll'
        - '\p2p.dll'
        - '\p2pnetsh.dll'
        - '\p9np.dll'
        - '\pcaui.dll'
        - '\pdh.dll'
        - '\peerdistsh.dll'
        - '\pkeyhelper.dll'
        - '\pla.dll'
        - '\playsndsrv.dll'
        - '\pnrpnsp.dll'
        - '\policymanager.dll'
        - '\polstore.dll'
        - '\powrprof.dll'
        - '\printui.dll'
        - '\prntvpt.dll'
        - '\profapi.dll'
        - '\propsys.dll'
        - '\proximitycommon.dll'
        - '\proximityservicepal.dll'
        - '\prvdmofcomp.dll'
        - '\puiapi.dll'
        - '\radcui.dll'
        - '\rasapi32.dll'
        - '\rasdlg.dll'
        - '\rasgcw.dll'
        - '\rasman.dll'
        - '\rasmontr.dll'
        - '\reagent.dll'
        - '\regapi.dll'
        - '\reseteng.dll'
        - '\resetengine.dll'
        - '\resutils.dll'
        - '\rmclient.dll'
        - '\rpcnsh.dll'
        - '\rsaenh.dll'
        - '\rtutils.dll'
        - '\rtworkq.dll'
        - '\samcli.dll'
        - '\samlib.dll'
        - '\sapi_onecore.dll'
        - '\sas.dll'
        - '\scansetting.dll'
        - '\scecli.dll'
        - '\schedcli.dll'
        - '\secur32.dll'
        - '\security.dll'
        - '\sensapi.dll'
        - '\shell32.dll'
        - '\shfolder.dll'
        - '\slc.dll'
        - '\snmpapi.dll'
        - '\spectrumsyncclient.dll'
        - '\spp.dll'
        - '\sppc.dll'
        - '\sppcext.dll'
        - '\srclient.dll'
        - '\srcore.dll'
        - '\srmtrace.dll'
        - '\srpapi.dll'
        - '\srvcli.dll'
        - '\ssp_isv.exe_rsaenh.dll'
        - '\ssp.exe_rsaenh.dll'
        - '\sspicli.dll'
        - '\ssshim.dll'
        - '\staterepository.core.dll'
        - '\structuredquery.dll'
        - '\sxshared.dll'
        - '\systemsettingsthresholdadminflowui.dll'
        - '\tapi32.dll'
        - '\tbs.dll'
        - '\tdh.dll'
        - '\textshaping.dll'
        - '\timesync.dll'
        - '\tpmcoreprovisioning.dll'
        - '\tquery.dll'
        - '\tsworkspace.dll'
        - '\ttdrecord.dll'
        - '\twext.dll'
        - '\twinapi.dll'
        - '\twinui.appcore.dll'
        - '\uianimation.dll'
        - '\uiautomationcore.dll'
        - '\uireng.dll'
        - '\uiribbon.dll'
        - '\umpdc.dll'
        - '\unattend.dll'
        - '\updatepolicy.dll'
        - '\upshared.dll'
        - '\urlmon.dll'
        - '\userenv.dll'
        - '\utildll.dll'
        - '\uxinit.dll'
        - '\uxtheme.dll'
        - '\vaultcli.dll'
        - '\vdsutil.dll'
        - '\version.dll'
        - '\virtdisk.dll'
        - '\vssapi.dll'
        - '\vsstrace.dll'
        - '\wbemprox.dll'
        - '\wbemsvc.dll'
        - '\wcmapi.dll'
        - '\wcnnetsh.dll'
        - '\wdi.dll'
        - '\wdscore.dll'
        - '\webservices.dll'
        - '\wecapi.dll'
        - '\wer.dll'
        - '\wevtapi.dll'
        - '\whhelper.dll'
        - '\wimgapi.dll'
        - '\winbio.dll'
        - '\winbrand.dll'
        - '\windows.storage.dll'
        - '\windows.storage.search.dll'
        - '\windows.ui.immersive.dll'
        - '\windowscodecs.dll'
        - '\windowscodecsext.dll'
        - '\windowsudk.shellcommon.dll'
        - '\winhttp.dll'
        - '\wininet.dll'
        - '\winipsec.dll'
        - '\winmde.dll'
        - '\winmm.dll'
        - '\winnsi.dll'
        - '\winrnr.dll'
        - '\winscard.dll'
        - '\winsqlite3.dll'
        - '\winsta.dll'
        - '\winsync.dll'
        - '\wkscli.dll'
        - '\wlanapi.dll'
        - '\wlancfg.dll'
        - '\wldp.dll'
        - '\wlidprov.dll'
        - '\wmiclnt.dll'
        - '\wmidcom.dll'
        - '\wmiutils.dll'
        - '\wmpdui.dll'
        - '\wmsgapi.dll'
        - '\wofutil.dll'
        - '\wpdshext.dll'
        - '\wscapi.dll'
        - '\wsdapi.dll'
        - '\wshbth.dll'
        - '\wshelper.dll'
        - '\wsmsvc.dll'
        - '\wtsapi32.dll'
        - '\wwancfg.dll'
        - '\wwapi.dll'
        - '\xmllite.dll'
        - '\xolehlp.dll'
        - '\xpsservices.dll'
        - '\xwizards.dll'
        - '\xwtpw32.dll'
        - '\amsi.dll'
        - '\appraiser.dll'
        - '\COMRES.DLL'
        - '\cryptnet.dll'
        - '\DispBroker.dll'
        - '\dsound.dll'
        - '\dxilconv.dll'
        - '\FxsCompose.dll'
        - '\FXSRESM.DLL'
        - '\msdtcVSp1res.dll'
        - '\PrintIsolationProxy.dll'
        - '\rdpendp.dll'
        - '\rpchttp.dll'
        - '\storageusage.dll'
        - '\utcutil.dll'
        - '\WfsR.dll'
        - '\igd10iumd64.dll'
        - '\igd12umd64.dll'
        - '\igdumdim64.dll'
        - '\igdusc64.dll'
        - '\TSMSISrv.dll'
        - '\TSVIPSrv.dll'
        - '\wbemcomn.dll'
        - '\WLBSCTRL.dll'
        - '\wow64log.dll'
        - '\WptsExtensions.dll'

Stage 2: `not filter_main_*`

filter_main_generic:
    ImageLoaded|contains:
        - 'C:\$WINDOWS.~BT\'
        - 'C:\$WinREAgent\'
        - 'C:\Windows\SoftwareDistribution\'
        - 'C:\Windows\System32\'
        - 'C:\Windows\SystemTemp\'
        - 'C:\Windows\SysWOW64\'
        - 'C:\Windows\WinSxS\'
        - 'C:\Windows\SyChpe32\'
filter_main_windows_temp:
    ImageLoaded|startswith: 'C:\Windows\Temp\'
    Image|startswith:
        - 'C:\Windows\WinSxS\arm64'
        - 'C:\Windows\UUS\arm64\'
    Image|endswith:
        - '\TiWorker.exe'
        - '\wuaucltcore.exe'
filter_main_dot_net:
    ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\'
    ImageLoaded|endswith: '\cscui.dll'
filter_main_defender:
    ImageLoaded|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
    ImageLoaded|endswith: '\version.dll'
filter_main_directx:
    ImageLoaded|startswith: 'C:\Program Files\WindowsApps\Microsoft.DirectXRuntime_'
    ImageLoaded|endswith: '\d3dx9_43.dll'

Stage 3: `not filter_optional_*`

filter_optional_exchange:
    ImageLoaded|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
    ImageLoaded|endswith: '\mswb7.dll'
filter_optional_arsenal_image_mounter:
    ImageLoaded|startswith: 'C:\Program Files\Arsenal-Image-Mounter-'
    ImageLoaded|endswith:
        - '\mi.dll'
        - '\miutils.dl'
filter_optional_office_appvpolicy:
    Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
    ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
filter_optional_azure:
    ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
filter_optional_dell:
    Image|contains:
        - 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
        - 'C:\Windows\System32\backgroundTaskHost.exe'
    ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
filter_optional_dell_wldp:
    Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
    Image|endswith: '\wldp.dll'
filter_optional_checkpoint:
    Image|startswith:
        - 'C:\Program Files\CheckPoint\'
        - 'C:\Program Files (x86)\CheckPoint\'
    Image|endswith: '\SmartConsole.exe'
    ImageLoaded|startswith:
        - 'C:\Program Files\CheckPoint\'
        - 'C:\Program Files (x86)\CheckPoint\'
    ImageLoaded|endswith: '\PolicyManager.dll'

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`Image`	ends_with	`\TiWorker.exe`
`Image`	ends_with	`\wuaucltcore.exe`
`Image`	starts_with	`C:\Windows\UUS\arm64\`
`Image`	starts_with	`C:\Windows\WinSxS\arm64`
`ImageLoaded`	starts_with	`C:\Windows\Temp\`
`ImageLoaded`	ends_with	`\cscui.dll`
`ImageLoaded`	starts_with	`C:\Windows\Microsoft.NET\`
`ImageLoaded`	ends_with	`\d3dx9_43.dll`
`ImageLoaded`	starts_with	`C:\Program Files\WindowsApps\Microsoft.DirectXRuntime_`
`ImageLoaded`	ends_with	`\version.dll`
`ImageLoaded`	starts_with	`C:\ProgramData\Microsoft\Windows Defender\Platform\`
`ImageLoaded`	match	`C:\$WINDOWS.~BT\`
`ImageLoaded`	match	`C:\$WinREAgent\`
`ImageLoaded`	match	`C:\Windows\SoftwareDistribution\`
`ImageLoaded`	match	`C:\Windows\SyChpe32\`
`ImageLoaded`	match	`C:\Windows\SysWOW64\`
`ImageLoaded`	match	`C:\Windows\System32\`
`ImageLoaded`	match	`C:\Windows\SystemTemp\`
`ImageLoaded`	match	`C:\Windows\WinSxS\`
`Image`	match	`C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs`
`Image`	match	`C:\Windows\System32\backgroundTaskHost.exe`
`ImageLoaded`	starts_with	`C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs`
`Image`	starts_with	`C:\Program Files (x86)\CheckPoint\`
`Image`	starts_with	`C:\Program Files\CheckPoint\`
`ImageLoaded`	starts_with	`C:\Program Files (x86)\CheckPoint\`
`ImageLoaded`	starts_with	`C:\Program Files\CheckPoint\`
`Image`	ends_with	`\SmartConsole.exe`
`ImageLoaded`	ends_with	`\PolicyManager.dll`
`ImageLoaded`	ends_with	`\mi.dll`
`ImageLoaded`	ends_with	`\miutils.dl`
`ImageLoaded`	starts_with	`C:\Program Files\Arsenal-Image-Mounter-`
`Image`	ends_with	`\wldp.dll`
`Image`	starts_with	`C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs`
`Image`	eq	`C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe`
`ImageLoaded`	eq	`C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll`
`ImageLoaded`	ends_with	`\mswb7.dll`
`ImageLoaded`	starts_with	`C:\Program Files\Microsoft\Exchange Server\`
`ImageLoaded`	starts_with	`C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`ImageLoaded`	ends_with	`\COMRES.DLL` `\DispBroker.dll` `\FXSRESM.DLL` `\FxsCompose.dll` `\PrintIsolationProxy.dll` `\TSMSISrv.dll` `\TSVIPSrv.dll` `\WLBSCTRL.dll` `\WfsR.dll` `\WptsExtensions.dll` `\aclui.dll` corpus 2 (sigma 2) `\activeds.dll` `\adsldpc.dll` `\aepic.dll` `\amsi.dll` corpus 3 (sigma 3) `\apphelp.dll` `\applicationframe.dll` `\appraiser.dll` `\appvpolicy.dll` `\appxalluserstore.dll` `\appxdeploymentclient.dll` `\archiveint.dll` `\atl.dll` `\audioses.dll` `\auditpolcore.dll` `\authfwcfg.dll` `\authz.dll` `\avrt.dll` `\batmeter.dll` `\bcd.dll` `\bcp47langs.dll` `\bcp47mrm.dll` `\bcrypt.dll` `\bderepair.dll` `\bootmenuux.dll` `\bootux.dll` `\cabinet.dll` `\cabview.dll` `\certcli.dll` `\certenroll.dll` `\cfgmgr32.dll` `\cldapi.dll` `\clipc.dll` `\clusapi.dll` `\cmpbk32.dll` `\cmutil.dll` `\coloradapterclient.dll` `\colorui.dll` `\comdlg32.dll` `\configmanager2.dll` `\connect.dll` `\coredplus.dll` `\coremessaging.dll` `\coreuicomponents.dll` `\credui.dll` corpus 2 (sigma 2) `\cryptbase.dll` corpus 2 (sigma 2) `\cryptdll.dll` `\cryptnet.dll` `\cryptsp.dll` corpus 2 (sigma 2) `\cryptui.dll` `\cryptxml.dll` `\cscapi.dll` `\cscobj.dll` `\cscui.dll` `\d2d1.dll` `\d3d10.dll` `\d3d10_1.dll` `\d3d10_1core.dll` `\d3d10core.dll` `\d3d10warp.dll` `\d3d11.dll` `\d3d12.dll` `\d3d9.dll` `\d3dx9_43.dll` `\dataexchange.dll` `\davclnt.dll` `\dcntel.dll` `\dcomp.dll` `\defragproxy.dll` `\desktopshellext.dll` `\deviceassociation.dll` `\devicecredential.dll` `\devicepairing.dll` `\devobj.dll` `\devrtl.dll` `\dhcpcmonitor.dll` `\dhcpcsvc.dll` `\dhcpcsvc6.dll` `\directmanipulation.dll` `\dismapi.dll` `\dismcore.dll` corpus 2 (sigma 2) `\dmcfgutils.dll` `\dmcmnutils.dll` `\dmcommandlineutils.dll` `\dmenrollengine.dll` `\dmenterprisediagnostics.dll` `\dmiso8601utils.dll` `\dmoleaututils.dll` `\dmprocessxmlfiltered.dll` `\dmpushproxy.dll` `\dmxmlhelputils.dll` `\dnsapi.dll` `\dot3api.dll` `\dot3cfg.dll` `\dpx.dll` `\drprov.dll` `\drvstore.dll` `\dsclient.dll` `\dsound.dll` `\dsparse.dll` `\dsprop.dll` `\dsreg.dll` `\dsrole.dll` `\dui70.dll` `\duser.dll` `\dusmapi.dll` `\dwmapi.dll` `\dwmcore.dll` `\dwrite.dll` `\dxcore.dll` `\dxgi.dll` `\dxilconv.dll` `\dxva2.dll` `\dynamoapi.dll` `\eappcfg.dll` `\eappprxy.dll` `\edgeiso.dll` `\edputil.dll` corpus 2 (sigma 2) `\efsadu.dll` `\efsutil.dll` `\esent.dll` `\execmodelproxy.dll` `\explorerframe.dll` `\fastprox.dll` corpus 3 (sigma 3) `\faultrep.dll` `\fddevquery.dll` `\feclient.dll` `\fhcfg.dll` `\fhsvcctl.dll` `\firewallapi.dll` `\flightsettings.dll` `\fltlib.dll` `\framedynos.dll` `\fveapi.dll` `\fveskybackup.dll` `\fvewiz.dll` `\fwbase.dll` `\fwcfg.dll` `\fwpolicyiomgr.dll` `\fwpuclnt.dll` `\fxsapi.dll` `\fxsst.dll` `\fxstiff.dll` `\getuname.dll` `\gpapi.dll` `\hid.dll` `\hnetmon.dll` `\httpapi.dll` `\icmp.dll` `\idstore.dll` `\ieadvpack.dll` `\iedkcs32.dll` `\iernonce.dll` `\iertutil.dll` `\ifmon.dll` `\ifsutil.dll` `\igd10iumd64.dll` `\igd12umd64.dll` `\igdumdim64.dll` `\igdusc64.dll` `\inproclogger.dll` `\iphlpapi.dll` corpus 2 (sigma 2) `\iri.dll` `\iscsidsc.dll` `\iscsium.dll` `\isv.exe_rsaenh.dll` `\iumbase.dll` `\iumsdk.dll` `\joinutil.dll` `\kdstub.dll` `\ksuser.dll` `\ktmw32.dll` `\licensemanagerapi.dll` `\licensingdiagspp.dll` `\linkinfo.dll` `\loadperf.dll` `\lockhostingframework.dll` `\logoncli.dll` `\logoncontroller.dll` `\lpksetupproxyserv.dll` `\lrwizdll.dll` `\magnification.dll` `\maintenanceui.dll` `\mapistub.dll` `\mbaexmlparser.dll` `\mdmdiagnostics.dll` `\mfc42u.dll` `\mfcore.dll` `\mfplat.dll` `\mi.dll` `\midimap.dll` `\mintdh.dll` `\miutils.dll` `\mlang.dll` `\mmdevapi.dll` `\mobilenetworking.dll` `\mpr.dll` `\mprapi.dll` `\mrmcorer.dll` `\msacm32.dll` `\mscms.dll` `\mscoree.dll` corpus 2 (sigma 2) `\msctf.dll` `\msctfmonitor.dll` `\msdrm.dll` `\msdtcVSp1res.dll` `\msdtctm.dll` `\msftedit.dll` `\msi.dll` `\msiso.dll` `\msutb.dll` `\msvcp110_win.dll` `\mswb7.dll` `\mswsock.dll` `\msxml3.dll` `\mtxclu.dll` `\napinsp.dll` `\ncrypt.dll` `\ndfapi.dll` `\netapi32.dll` `\netid.dll` `\netiohlp.dll` `\netjoin.dll` `\netplwiz.dll` `\netprofm.dll` `\netprovfw.dll` `\netsetupapi.dll` `\netshell.dll` `\nettrace.dll` `\netutils.dll` `\networkexplorer.dll` `\newdev.dll` `\ninput.dll` `\nlaapi.dll` `\nlansp_c.dll` `\npmproxy.dll` `\nshhttp.dll` `\nshipsec.dll` `\nshwfp.dll` `\ntdsapi.dll` `\ntlanman.dll` `\ntlmshared.dll` `\ntmarta.dll` `\ntshrui.dll` `\oleacc.dll` `\omadmapi.dll` `\onex.dll` `\opcservices.dll` `\osbaseln.dll` `\osksupport.dll` `\osuninst.dll` `\p2p.dll` `\p2pnetsh.dll` `\p9np.dll` `\pcaui.dll` `\pdh.dll` `\peerdistsh.dll` `\pkeyhelper.dll` `\pla.dll` `\playsndsrv.dll` `\pnrpnsp.dll` `\policymanager.dll` `\polstore.dll` `\powrprof.dll` `\printui.dll` `\prntvpt.dll` `\profapi.dll` corpus 2 (sigma 2) `\propsys.dll` `\proximitycommon.dll` `\proximityservicepal.dll` `\prvdmofcomp.dll` `\puiapi.dll` `\radcui.dll` `\rasapi32.dll` `\rasdlg.dll` `\rasgcw.dll` `\rasman.dll` `\rasmontr.dll` `\rdpendp.dll` `\reagent.dll` `\regapi.dll` `\reseteng.dll` `\resetengine.dll` `\resutils.dll` `\rmclient.dll` `\rpchttp.dll` `\rpcnsh.dll` `\rsaenh.dll` `\rtutils.dll` `\rtworkq.dll` `\samcli.dll` `\samlib.dll` `\sapi_onecore.dll` `\sas.dll` `\scansetting.dll` `\scecli.dll` `\schedcli.dll` `\secur32.dll` `\security.dll` `\sensapi.dll` `\shell32.dll` `\shfolder.dll` `\slc.dll` `\snmpapi.dll` `\spectrumsyncclient.dll` `\spp.dll` `\sppc.dll` `\sppcext.dll` `\srclient.dll` `\srcore.dll` `\srmtrace.dll` `\srpapi.dll` `\srvcli.dll` `\ssp.exe_rsaenh.dll` `\ssp_isv.exe_rsaenh.dll` `\sspicli.dll` corpus 2 (sigma 2) `\ssshim.dll` `\staterepository.core.dll` `\storageusage.dll` `\structuredquery.dll` `\sxshared.dll` `\systemsettingsthresholdadminflowui.dll` `\tapi32.dll` `\tbs.dll` `\tdh.dll` `\textshaping.dll` `\timesync.dll` `\tpmcoreprovisioning.dll` `\tquery.dll` `\tsworkspace.dll` `\ttdrecord.dll` corpus 2 (sigma 2) `\twext.dll` `\twinapi.dll` `\twinui.appcore.dll` `\uianimation.dll` `\uiautomationcore.dll` `\uireng.dll` `\uiribbon.dll` `\umpdc.dll` `\unattend.dll` `\updatepolicy.dll` `\upshared.dll` `\urlmon.dll` `\userenv.dll` `\utcutil.dll` `\utildll.dll` `\uxinit.dll` `\uxtheme.dll` `\vaultcli.dll` `\vdsutil.dll` `\version.dll` corpus 2 (sigma 2) `\virtdisk.dll` `\vssapi.dll` corpus 2 (sigma 2) `\vsstrace.dll` corpus 2 (sigma 2) `\wbemcomn.dll` corpus 3 (sigma 3) `\wbemprox.dll` corpus 2 (sigma 2) `\wbemsvc.dll` corpus 3 (sigma 3) `\wcmapi.dll` `\wcnnetsh.dll` `\wdi.dll` `\wdscore.dll` `\webservices.dll` `\wecapi.dll` `\wer.dll` `\wevtapi.dll` `\whhelper.dll` `\wimgapi.dll` `\winbio.dll` `\winbrand.dll` `\windows.storage.dll` `\windows.storage.search.dll` `\windows.ui.immersive.dll` `\windowscodecs.dll` `\windowscodecsext.dll` `\windowsudk.shellcommon.dll` `\winhttp.dll` `\wininet.dll` corpus 2 (sigma 2) `\winipsec.dll` `\winmde.dll` `\winmm.dll` `\winnsi.dll` `\winrnr.dll` `\winscard.dll` `\winsqlite3.dll` `\winsta.dll` corpus 2 (sigma 2) `\winsync.dll` `\wkscli.dll` `\wlanapi.dll` `\wlancfg.dll` `\wldp.dll` corpus 2 (sigma 2) `\wlidprov.dll` `\wmiclnt.dll` corpus 3 (sigma 3) `\wmidcom.dll` `\wmiutils.dll` corpus 3 (sigma 3) `\wmpdui.dll` `\wmsgapi.dll` `\wofutil.dll` `\wow64log.dll` `\wpdshext.dll` `\wscapi.dll` `\wsdapi.dll` `\wshbth.dll` `\wshelper.dll` `\wsmsvc.dll` corpus 2 (sigma 2) `\wtsapi32.dll` corpus 2 (sigma 2) `\wwancfg.dll` `\wwapi.dll` `\xmllite.dll` `\xolehlp.dll` `\xpsservices.dll` `\xwizards.dll` `\xwtpw32.dll`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Potential System DLL Sideloading From Non System Locations

MITRE ATT&CK coverage

Event coverage

Rule body yaml

Stages and Predicates

Stage 0: `condition`

Stage 1: `selection`

Stage 2: `not filter_main_*`

Stage 3: `not filter_optional_*`

Exclusions

Indicators

Keyboard shortcuts

Search operators

Potential System DLL Sideloading From Non System Locations

MITRE ATT&CK coverage

Event coverage

Rule body yaml

Stages and Predicates

Stage 0: condition

Stage 1: selection

Stage 2: not filter_main_*

Stage 3: not filter_optional_*

Exclusions

Indicators

Stage 0: `condition`

Stage 1: `selection`

Stage 2: `not filter_main_*`

Stage 3: `not filter_optional_*`