
---
title: Possible preparation for acrodistdll.dll DLL Hijacking
id: 8335212b-4774-48a3-6608-5b9ff8433675
status: experimental
description: Detects possible DLL hijacking of acrodistdll.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/adobe/acrodistdll.html
author: "Pokhlebin Maxim"
date: 2023-06-08
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\acrodistdll.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Adobe\Acrobat *\Acrobat\\*'
            - 'c:\program files (x86)\Adobe\Acrobat *\Acrobat\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
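The rule above reads as a Sigma `file_event` rule with the condition `selection and not filter`. As an added example, not part of the HijackLibs rule set or of this page, the following Python evaluates that rule against constructed file-create events and implements the Sigma string-matching semantics (`*` and `?` are wildcards, `\*` is a literal asterisk, `\\` is a literal backslash, so the `\\*` endings in the filter mean "backslash followed by anything", and matching is case-insensitive). The sample paths, the event dictionaries and every function name are assumptions made for this example.

```python
import re

# Added example (not part of the HijackLibs rule set): a minimal evaluator for the
# file_event rules on this page, implementing the Sigma string-matching rules from
# the Sigma specification: '*' and '?' are wildcards, '\*' and '\?' are literal
# characters, '\\' is a literal backslash (so '\\*' is backslash + wildcard), a
# backslash before any other character is a plain backslash, and matching is
# case-insensitive.

def sigma_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate one Sigma string value into an anchored, case-insensitive regex."""
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?\\":
            parts.append(re.escape(pattern[i + 1]))  # escaped wildcard or backslash
            i += 2
            continue
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # plain text, incl. '\' before a normal char
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def block_matches(block: dict, event: dict) -> bool:
    """A Sigma map: every field must match; a list of values for one field is OR-ed."""
    for field, values in block.items():
        if field not in event:
            return False
        if not any(sigma_pattern_to_regex(v).match(event[field]) for v in values):
            return False
    return True


# The acrodistdll.dll rule from this page, transcribed as Python data. Raw strings
# keep the YAML single-quoted values byte for byte, including the '\\*' endings.
ACRODISTDLL_RULE = {
    "selection": {"TargetFileName": [r"*\acrodistdll.dll"]},
    "filter": {
        "TargetFileName": [
            r"c:\program files\Adobe\Acrobat *\Acrobat\\*",
            r"c:\program files (x86)\Adobe\Acrobat *\Acrobat\\*",
        ]
    },
}


def rule_fires(rule: dict, event: dict) -> bool:
    """condition: selection and not filter"""
    return block_matches(rule["selection"], event) and not block_matches(rule["filter"], event)


# Constructed Sysmon-style file-create events (sample data, not real telemetry).
SAMPLE_EVENTS = {
    "temp_dir": {"TargetFileName": r"C:\Users\bob\AppData\Local\Temp\acrodistdll.dll"},
    "acrobat_dir": {"TargetFileName": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrodistdll.dll"},
    "other_dll": {"TargetFileName": r"C:\Users\bob\Downloads\helper.dll"},
}


def evaluate_samples() -> dict:
    """Run the rule over the constructed events; only the Temp write should fire."""
    return {name: rule_fires(ACRODISTDLL_RULE, ev) for name, ev in SAMPLE_EVENTS.items()}


def escaping_pitfall() -> tuple:
    """Why the directory filters must end in '\\*': a single '\*' is a literal
    asterisk, so such a filter entry never matches a real path and suppresses nothing."""
    path = r"C:\Windows\WinSxS\acrodistdll.dll"
    single = sigma_pattern_to_regex(r"c:\windows\winsxs\*").match(path) is not None
    double = sigma_pattern_to_regex(r"c:\windows\winsxs\\*").match(path) is not None
    return single, double


if __name__ == "__main__":
    print(evaluate_samples())   # {'temp_dir': True, 'acrobat_dir': False, 'other_dll': False}
    print(escaping_pitfall())   # (False, True)
```

`escaping_pitfall()` is the check worth running before deploying any of these rules: a filter path whose wildcard is written `\*` rather than `\\*` is a literal asterisk under Sigma escaping, so the rule quietly loses that exclusion and fires on legitimate installs.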

---
title: Possible preparation for sqlite.dll DLL Hijacking
id: 5954582b-9569-48a3-1936-5b9ff8143933
status: experimental
description: Detects possible DLL hijacking of sqlite.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/adobe/sqlite.html
author: "Jai Minton - HuntressLabs"
date: 2024-04-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\sqlite.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Adobe\Acrobat Reader DC\Reader\\*'
            - 'c:\program files (x86)\Adobe\Acrobat Reader DC\Reader\\*'
            - 'c:\program files\Adobe\Acrobat DC\Acrobat\\*'
            - 'c:\program files (x86)\Adobe\Acrobat DC\Acrobat\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for vcomp100.dll DLL Hijacking
id: 8078552b-1386-48a3-5209-5b9ff8188274
status: experimental
description: Detects possible DLL hijacking of vcomp100.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/adobe/vcomp100.html
author: "Jai Minton - HuntressLabs"
date: 2024-07-09
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\vcomp100.dll'

    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for cc32290mt.dll DLL Hijacking
id: 8854762b-9003-48a3-1016-5b9ff8749285
status: experimental
description: Detects possible DLL hijacking of cc32290mt.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/ahnenblatt/cc32290mt.html
author: "Josh Allman"
date: 2025-02-25
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\cc32290mt.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Ahnenblatt4\Ahnenblatt4.exe\\*'
            - 'c:\program files (x86)\Ahnenblatt4\Ahnenblatt4.exe\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for amindpdfcore.dll DLL Hijacking
id: 5350482b-6363-48a3-2268-5b9ff8814206
status: experimental
description: Detects possible DLL hijacking of amindpdfcore.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/amindpdf/amindpdfcore.html
author: "Still Hsu"
date: 2024-05-26
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\amindpdfcore.dll'
    filter:
        TargetFileName:
            - 'c:\program files\GeekerPDF\GeekerPDF\\*'
            - 'c:\program files (x86)\GeekerPDF\GeekerPDF\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for avdevice-54.dll DLL Hijacking
id: 1624172b-6171-48a3-7472-5b9ff8676420
status: experimental
description: Detects possible DLL hijacking of avdevice-54.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/anymp4/avdevice-54.html
author: "Jai Minton - HuntressLabs"
date: 2024-05-06
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\avdevice-54.dll'
    filter:
        TargetFileName:
            - 'c:\program files\AnyMP4 Studio\AnyMP4 Blu-ray Creator\\*'
            - 'c:\program files (x86)\AnyMP4 Studio\AnyMP4 Blu-ray Creator\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for duilib_u.dll DLL Hijacking
id: 5096712b-7808-48a3-6638-5b9ff8715589
status: experimental
description: Detects possible DLL hijacking of duilib_u.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/anyviewer/duilib_u.html
author: "Jose Oregon"
date: 2025-04-29
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\duilib_u.dll'
    filter:
        TargetFileName:
            - 'c:\program files\AnyViewer\\*'
            - 'c:\program files (x86)\AnyViewer\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for comn.dll DLL Hijacking
id: 9600522b-8101-48a3-6493-5b9ff8589893
status: experimental
description: Detects possible DLL hijacking of comn.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/aomei/comn.html
author: "Still Hsu"
date: 2025-12-03
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\comn.dll'
    filter:
        TargetFileName:
            - 'c:\program files\AOMEI\AOMEI Backupper\\*\\*'
            - 'c:\program files (x86)\AOMEI\AOMEI Backupper\\*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for corefoundation.dll DLL Hijacking
id: 2984082b-7750-48a3-4174-5b9ff8664569
status: experimental
description: Detects possible DLL hijacking of corefoundation.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/apple/corefoundation.html
author: "Matt Anderson - HuntressLabs"
date: 2024-04-13
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\corefoundation.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Common Files\Apple\Apple Application Support\\*'
            - 'c:\program files (x86)\Common Files\Apple\Apple Application Support\\*'
            - 'c:\program files\iTunes\\*'
            - 'c:\program files (x86)\iTunes\\*'
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for asio.dll DLL Hijacking
id: 9960552b-9521-48a3-3514-5b9ff8250192
status: experimental
description: Detects possible DLL hijacking of asio.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/asus/asio.html
author: "Jai Minton - HuntressLabs"
date: 2024-04-10
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\asio.dll'
    filter:
        TargetFileName:
            - 'c:\program files\ASUS\AXSP\\*\\*'
            - 'c:\program files (x86)\ASUS\AXSP\\*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for asus_wmi.dll DLL Hijacking
id: 9261902b-9521-48a3-3514-5b9ff8164788
status: experimental
description: Detects possible DLL hijacking of asus_wmi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/asus/asus_wmi.html
author: "Jai Minton - HuntressLabs"
date: 2024-04-10
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\asus_wmi.dll'
    filter:
        TargetFileName:
            - 'c:\program files\ASUS\AXSP\\*\\*'
            - 'c:\program files (x86)\ASUS\AXSP\\*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for vender.dll DLL Hijacking
id: 9481842b-4150-48a3-8413-5b9ff8267972
status: experimental
description: Detects possible DLL hijacking of vender.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/asus/vender.html
author: "Wietze Beukema"
date: 2023-04-04
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\vender.dll'
    filter:
        TargetFileName:
            - 'c:\program files\ASUS\GPU TweakII\\*'
            - 'c:\program files (x86)\ASUS\GPU TweakII\\*'
            - 'c:\program files\ASUS\VGA COM\\*\\*'
            - 'c:\program files (x86)\ASUS\VGA COM\\*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dal_keepalives.dll DLL Hijacking
id: 3880462b-8907-48a3-9464-5b9ff8429562
status: experimental
description: Detects possible DLL hijacking of dal_keepalives.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/audinate/dal_keepalives.html
author: "Wietze Beukema"
date: 2025-02-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dal_keepalives.dll'
    filter:
        TargetFileName:
            - 'c:\program files\audinate\shared files\\*'
            - 'c:\program files (x86)\audinate\shared files\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wsc.dll DLL Hijacking
id: 2764372b-9122-48a3-7130-5b9ff8861115
status: experimental
description: Detects possible DLL hijacking of wsc.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/avast/wsc.html
author: "Matt Green"
date: 2022-08-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wsc.dll'
    filter:
        TargetFileName:
            - 'c:\program files\AVAST Software\Avast\\*'
            - 'c:\program files (x86)\AVAST Software\Avast\\*'
            - 'c:\program files\Norton\Suite\\*'
            - 'c:\program files (x86)\Norton\Suite\\*'
            - 'c:\program files\AVG\Antivirus\\*'
            - 'c:\program files (x86)\AVG\Antivirus\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for basicnetutils.dll DLL Hijacking
id: 8230312b-8028-48a3-7945-5b9ff8500209
status: experimental
description: Detects possible DLL hijacking of basicnetutils.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/baidu/basicnetutils.html
author: "Wietze Beukema"
date: 2023-05-03
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\basicnetutils.dll'
    filter:
        TargetFileName:
            - 'c:\users\\*\appdata\local\Temp\\*\Application2\\*'
            - 'c:\program files\BAIDU\BAIDUPINYIN\\*\\*'
            - 'c:\program files (x86)\BAIDU\BAIDUPINYIN\\*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for log.dll DLL Hijacking
id: 9451182b-1318-48a3-1317-5b9ff8166908
status: experimental
description: Detects possible DLL hijacking of log.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/bitdefender/log.html
author: "Wietze Beukema"
date: 2022-06-13
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\log.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Bitdefender Antivirus Free\\*'
            - 'c:\program files (x86)\Bitdefender Antivirus Free\\*'
            - 'c:\program files\Bitdefender Agent\\*\\*'
            - 'c:\program files (x86)\Bitdefender Agent\\*\\*'
            - 'c:\program files\Bitdefender Agent\\*\x64\\*'
            - 'c:\program files (x86)\Bitdefender Agent\\*\x64\\*'
            - 'c:\program files\Bitdefender\Bitdefender Security\\*'
            - 'c:\program files (x86)\Bitdefender\Bitdefender Security\\*'
            - 'c:\program files\Bitdefender\Bitdefender Security App\\*'
            - 'c:\program files (x86)\Bitdefender\Bitdefender Security App\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for bugsplat64.dll DLL Hijacking
id: 9968902b-1823-48a3-3698-5b9ff8332489
status: experimental
description: Detects possible DLL hijacking of bugsplat64.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/bugsplat/bugsplat64.html
author: "Swachchhanda Shrawan Poudel"
date: 2025-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\bugsplat64.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Nitro\PDF Pro\\*'
            - 'c:\program files (x86)\Nitro\PDF Pro\\*'
            - 'c:\program files\Nitro\Pro\\*'
            - 'c:\program files (x86)\Nitro\Pro\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for libcares-2.dll DLL Hijacking
id: 3059582b-8917-48a3-7724-5b9ff8430517
status: experimental
description: Detects possible DLL hijacking of libcares-2.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/c-ares/libcares-2.html
author: "Wietze Beukema"
date: 2026-02-26
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\libcares-2.dll'
    filter:
        TargetFileName:
            - 'c:\users\\*\appdata\local\GitKraken\app-*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for calibre-launcher.dll DLL Hijacking
id: 1636202b-5264-48a3-2775-5b9ff8996636
status: experimental
description: Detects possible DLL hijacking of calibre-launcher.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/calibre/calibre-launcher.html
author: "Jai Minton - HuntressLabs"
date: 2024-08-07
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\calibre-launcher.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Calibre2\\*'
            - 'c:\program files (x86)\Calibre2\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for cnmpaui.dll DLL Hijacking
id: 6937482b-1876-48a3-1767-5b9ff8172694
status: experimental
description: Detects possible DLL hijacking of cnmpaui.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/canon/cnmpaui.html
author: "Swachchhanda Shrawan Poudel"
date: 2025-09-08
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\cnmpaui.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Canon\Canon IJ Printer Assistant Tool\\*'
            - 'c:\program files (x86)\Canon\Canon IJ Printer Assistant Tool\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for relay.dll DLL Hijacking
id: 4509562b-2773-48a3-5383-5b9ff8502377
status: experimental
description: Detects possible DLL hijacking of relay.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/canon/relay.html
author: "Jai Minton - HuntressLabs"
date: 2024-05-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\relay.dll'

    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for avupdate.dll DLL Hijacking
id: 8597762b-7136-48a3-7154-5b9ff8168353
status: experimental
description: Detects possible DLL hijacking of avupdate.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/carbonblack/avupdate.html
author: "Josh Allman"
date: 2025-02-18
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\avupdate.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Confer\scanner\upd.exe\\*'
            - 'c:\program files (x86)\Confer\scanner\upd.exe\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mfc140u.dll DLL Hijacking
id: 3650592b-3546-48a3-3513-5b9ff8400652
status: experimental
description: Detects possible DLL hijacking of mfc140u.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/checkmal/mfc140u.html
author: "Jai Minton - HuntressLabs"
date: 2025-02-19
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mfc140u.dll'
    filter:
        TargetFileName:
            - 'c:\program files\CheckMAL\AppCheck\\*'
            - 'c:\program files (x86)\CheckMAL\AppCheck\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ciscosparklauncher.dll DLL Hijacking
id: 1830022b-6060-48a3-8680-5b9ff8293352
status: experimental
description: Detects possible DLL hijacking of ciscosparklauncher.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/cisco/ciscosparklauncher.html
author: "Sorina Ionescu"
date: 2022-10-10
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ciscosparklauncher.dll'
    filter:
        TargetFileName:
            - 'c:\users\\*\appdata\local\CiscoSparkLauncher\\*'
            - 'c:\users\\*\appdata\local\Programs\Cisco Spark\\*'
            - 'c:\program files\Cisco Spark\\*'
            - 'c:\program files (x86)\Cisco Spark\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wcldll.dll DLL Hijacking
id: 7641612b-9521-48a3-3514-5b9ff8984964
status: experimental
description: Detects possible DLL hijacking of wcldll.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/cisco/wcldll.html
author: "Jai Minton - HuntressLabs"
date: 2024-04-10
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wcldll.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Cisco Systems\Cisco Jabber\\*'
            - 'c:\program files (x86)\Cisco Systems\Cisco Jabber\\*'
            - 'c:\program files\Webex\Applications\\*'
            - 'c:\program files (x86)\Webex\Applications\\*'
            - 'c:\program files\Webex\Plugins\\*'
            - 'c:\program files (x86)\Webex\Plugins\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for classicexplorer32.dll DLL Hijacking
id: 1270152b-4774-48a3-6608-5b9ff8770283
status: experimental
description: Detects possible DLL hijacking of classicexplorer32.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/classicshell/classicexplorer32.html
author: "Pokhlebin Maxim"
date: 2023-06-08
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\classicexplorer32.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Classic Shell\\*'
            - 'c:\program files (x86)\Classic Shell\\*'
            - 'c:\program files\Open-Shell\\*'
            - 'c:\program files (x86)\Open-Shell\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for libcurl.dll DLL Hijacking
id: 5734982b-6363-48a3-2268-5b9ff8671828
status: experimental
description: Detects possible DLL hijacking of libcurl.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/curl/libcurl.html
author: "Still Hsu"
date: 2024-05-26
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\libcurl.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Notepad++\updater\\*'
            - 'c:\program files (x86)\Notepad++\updater\\*'
            - 'c:\program files\WindowsApps\MSTeams_*\\*'
            - 'c:\program files (x86)\WindowsApps\MSTeams_*\\*'
            - 'c:\program files\Coolmuster\Coolmuster PDF Creator Pro\\*\Bin\\*'
            - 'c:\program files (x86)\Coolmuster\Coolmuster PDF Creator Pro\\*\Bin\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for vftrace.dll DLL Hijacking
id: 1895972b-7927-48a3-7311-5b9ff8937088
status: experimental
description: Detects possible DLL hijacking of vftrace.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/cyberark/vftrace.html
author: "Sorina Ionescu"
date: 2022-10-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\vftrace.dll'
    filter:
        TargetFileName:
            - 'c:\program files\CyberArk\Endpoint Privilege Manager\Agent\x32\\*'
            - 'c:\program files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\\*'
            - 'c:\program files\CyberArk\Endpoint Privilege Manager\Agent\x64\\*'
            - 'c:\program files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x64\\*'
            - 'c:\program files\CyberArk\Endpoint Privilege Manager\Agent\\*'
            - 'c:\program files (x86)\CyberArk\Endpoint Privilege Manager\Agent\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ci.dll DLL Hijacking
id: 3188552b-6171-48a3-7472-5b9ff8356391
status: experimental
description: Detects possible DLL hijacking of ci.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/digiarty/ci.html
author: "Jai Minton - HuntressLabs"
date: 2024-05-06
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ci.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Digiarty\WinX Blu-ray Decrypter\\*'
            - 'c:\program files (x86)\Digiarty\WinX Blu-ray Decrypter\\*'
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for goopdate.dll DLL Hijacking
id: 8106292b-1674-48a3-4587-5b9ff8794453
status: experimental
description: Detects possible DLL hijacking of goopdate.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/dropbox/goopdate.html
author: "Jai Minton - HuntressLabs"
date: 2024-08-08
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\goopdate.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Dropbox\Update\\*'
            - 'c:\program files (x86)\Dropbox\Update\\*'
            - 'c:\program files\Dropbox\Update\\*\\*'
            - 'c:\program files (x86)\Dropbox\Update\\*\\*'
            - 'c:\users\\*\appdata\local\DropboxUpdate\Update\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for eacore.dll DLL Hijacking
id: 9683002b-8907-48a3-9464-5b9ff8957682
status: experimental
description: Detects possible DLL hijacking of eacore.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/electronicarts/eacore.html
author: "Wietze Beukema"
date: 2025-02-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\eacore.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Electronic Arts\EA Desktop\EA Desktop\\*'
            - 'c:\program files (x86)\Electronic Arts\EA Desktop\EA Desktop\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for qrt.dll DLL Hijacking
id: 9810162b-1318-48a3-1317-5b9ff8680524
status: experimental
description: Detects possible DLL hijacking of qrt.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/f-secure/qrt.html
author: "Wietze Beukema"
date: 2022-06-13
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\qrt.dll'
    filter:
        TargetFileName:
            - 'c:\program files\F-Secure\Anti-Virus\\*'
            - 'c:\program files (x86)\F-Secure\Anti-Virus\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for fnp_act_installer.dll DLL Hijacking
id: 8169622b-9569-48a3-1936-5b9ff8218064
status: experimental
description: Detects possible DLL hijacking of fnp_act_installer.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/flexera/fnp_act_installer.html
author: "Jai Minton - HuntressLabs"
date: 2024-04-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\fnp_act_installer.dll'
    filter:
        TargetFileName:
            - 'c:\program files\InstallShield\\*\System\\*'
            - 'c:\program files (x86)\InstallShield\\*\System\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for avkkid.dll DLL Hijacking
id: 2869202b-8907-48a3-9464-5b9ff8599279
status: experimental
description: Detects possible DLL hijacking of avkkid.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/gdata/avkkid.html
author: "Wietze Beukema"
date: 2025-02-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\avkkid.dll'
    filter:
        TargetFileName:
            - 'c:\program files\G DATA\TotalSecurity\avkkid\\*'
            - 'c:\program files (x86)\G DATA\TotalSecurity\avkkid\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ccleanerreactivator.dll DLL Hijacking
id: 1706912b-4079-48a3-9089-5b9ff8649362
status: experimental
description: Detects possible DLL hijacking of ccleanerreactivator.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/gendigital/ccleanerreactivator.html
author: "Still Hsu"
date: 2025-10-20
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ccleanerreactivator.dll'
    filter:
        TargetFileName:
            - 'c:\program files\CCleaner\\*'
            - 'c:\program files (x86)\CCleaner\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for badata_x64.dll DLL Hijacking
id: 9713722b-9521-48a3-3514-5b9ff8143088
status: experimental
description: Detects possible DLL hijacking of badata_x64.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/glorylogic/badata_x64.html
author: "Jai Minton - HuntressLabs"
date: 2024-04-10
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\badata_x64.dll'
    filter:
        TargetFileName:
            - 'c:\program files\True Burner\\*'
            - 'c:\program files (x86)\True Burner\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for chrome_frame_helper.dll DLL Hijacking
id: 9361152b-6722-48a3-2305-5b9ff8772021
status: experimental
description: Detects possible DLL hijacking of chrome_frame_helper.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html
author: "Wietze Beukema"
date: 2021-12-08
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\chrome_frame_helper.dll'
    filter:
        TargetFileName:
            - 'c:\users\\*\appdata\local\Google\Chrome\Application\\*'
            - 'c:\program files\Google\Chrome\Application\\*'
            - 'c:\program files (x86)\Google\Chrome\Application\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for libcef.dll DLL Hijacking
id: 6527072b-7750-48a3-4174-5b9ff8584870
status: experimental
description: Detects possible DLL hijacking of libcef.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/google/libcef.html
author: "Matt Anderson - HuntressLabs"
date: 2024-04-13
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\libcef.dll'
    filter:
        TargetFileName:
            - 'c:\program files\NVIDIA Corporation\NVIDIA GeForce Experience\\*'
            - 'c:\program files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for iepdf32.dll DLL Hijacking
id: 1171072b-1386-48a3-5209-5b9ff8410482
status: experimental
description: Detects possible DLL hijacking of iepdf32.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/handysoftware/iepdf32.html
author: "Jai Minton - HuntressLabs"
date: 2024-07-09
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\iepdf32.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Handy Viewer\\*'
            - 'c:\program files (x86)\Handy Viewer\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for hpcustpartui.dll DLL Hijacking
id: 3589892b-8743-48a3-3543-5b9ff8444314
status: experimental
description: Detects possible DLL hijacking of hpcustpartui.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/hp/hpcustpartui.html
author: "Christiaan Beek"
date: 2023-01-10
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\hpcustpartui.dll'
    filter:
        TargetFileName:
            - 'c:\program files\HP\\*'
            - 'c:\program files (x86)\HP\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for hpqhvsei.dll DLL Hijacking
id: 9170172b-1995-48a3-3467-5b9ff8750947
status: experimental
description: Detects possible DLL hijacking of hpqhvsei.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/hp/hpqhvsei.html
author: "Wietze Beukema"
date: 2023-02-26
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\hpqhvsei.dll'
    filter:
        TargetFileName:
            - 'c:\program files\HP\\*'
            - 'c:\program files (x86)\HP\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for liteskinutils.dll DLL Hijacking
id: 5867312b-6171-48a3-7472-5b9ff8121024
status: experimental
description: Detects possible DLL hijacking of liteskinutils.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/icq/liteskinutils.html
author: "Jai Minton - HuntressLabs"
date: 2024-05-06
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\liteskinutils.dll'
    filter:
        TargetFileName:
            - 'c:\program files\ICQLite\\*'
            - 'c:\program files (x86)\ICQLite\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for skinutils.dll DLL Hijacking
id: 1801632b-6171-48a3-7472-5b9ff8387108
status: experimental
description: Detects possible DLL hijacking of skinutils.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/icq/skinutils.html
author: "Jai Minton - HuntressLabs"
date: 2024-05-06
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\skinutils.dll'
    filter:
        TargetFileName:
            - 'c:\program files\ICQLite\\*'
            - 'c:\program files (x86)\ICQLite\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for crashrpt.dll DLL Hijacking
id: 9651332b-1257-48a3-6224-5b9ff8973528
status: experimental
description: Detects possible DLL hijacking of crashrpt.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/idol/crashrpt.html
author: "Still Hsu"
date: 2026-01-09
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\crashrpt.dll'
    filter:
        TargetFileName:
            - 'c:\program files\MPC-HC\CrashReporter\\*'
            - 'c:\program files (x86)\MPC-HC\CrashReporter\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for tbb.dll DLL Hijacking
id: 3106522b-4746-48a3-1019-5b9ff8256030
status: experimental
description: Detects possible DLL hijacking of tbb.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/intel/tbb.html
author: "Jai Minton"
date: 2025-06-24
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\tbb.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Adobe\Adobe Photoshop CC *\\*'
            - 'c:\program files (x86)\Adobe\Adobe Photoshop CC *\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for register.dll DLL Hijacking
id: 3815042b-6171-48a3-7472-5b9ff8863799
status: experimental
description: Detects possible DLL hijacking of register.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/iobit/register.html
author: "Jai Minton - HuntressLabs"
date: 2024-05-06
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\register.dll'
    filter:
        TargetFileName:
            - 'c:\program files\IObit\Driver Booster\\*\\*'
            - 'c:\program files (x86)\IObit\Driver Booster\\*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for common.dll DLL Hijacking
id: 1355322b-4266-48a3-3778-5b9ff8480154
status: experimental
description: Detects possible DLL hijacking of common.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/iroot/common.html
author: "Jai Minton"
date: 2025-05-05
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\common.dll'
    filter:
        TargetFileName:
            - 'c:\program files\iroot\\*'
            - 'c:\program files (x86)\iroot\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for rtl120.dll DLL Hijacking
id: 1106122b-1146-48a3-9461-5b9ff8861492
status: experimental
description: Detects possible DLL hijacking of rtl120.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/itop/rtl120.html
author: "Jai Minton - HuntressLabs"
date: 2024-06-14
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\rtl120.dll'
    filter:
        TargetFileName:
            - 'c:\program files\DualSafe Password Manager\\*'
            - 'c:\program files (x86)\DualSafe Password Manager\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for webui.dll DLL Hijacking
id: 4693612b-3685-48a3-9733-5b9ff8797206
status: experimental
description: Detects possible DLL hijacking of webui.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/itop/webui.html
author: "Jai Minton - HuntressLabs"
date: 2024-08-30
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\webui.dll'
    filter:
        TargetFileName:
            - 'c:\program files\iTop Screen Recorder\\*'
            - 'c:\program files (x86)\iTop Screen Recorder\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for jrtools.dll DLL Hijacking
id: 3986952b-1497-48a3-1258-5b9ff8247078
status: experimental
description: Detects possible DLL hijacking of jrtools.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/jriver/jrtools.html
author: "Rick Gatenby"
date: 2026-02-03
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\jrtools.dll'
    filter:
        TargetFileName:
            - 'c:\program files\J River\Media Center *\\*'
            - 'c:\program files (x86)\J River\Media Center *\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for krpt.dll DLL Hijacking
id: 4415742b-9766-48a3-4354-5b9ff8616475
status: experimental
description: Detects possible DLL hijacking of krpt.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/kingsoft/krpt.html
author: "Still Hsu"
date: 2024-11-09
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\krpt.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Kingsoft\WPS Office\\*\office6\\*'
            - 'c:\program files (x86)\Kingsoft\WPS Office\\*\office6\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dsp_bridge_x64.dll DLL Hijacking
id: 3179262b-3028-48a3-8802-5b9ff8680997
status: experimental
description: Detects possible DLL hijacking of dsp_bridge_x64.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/kugou/dsp_bridge_x64.html
author: "Zhangir Ospanov"
date: 2026-01-06
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dsp_bridge_x64.dll'

    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for commfunc.dll DLL Hijacking
id: 9530032b-6722-48a3-2305-5b9ff8893283
status: experimental
description: Detects possible DLL hijacking of commfunc.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/lenovo/commfunc.html
author: "Wietze Beukema"
date: 2021-12-08
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\commfunc.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Lenovo\Communications Utility\\*'
            - 'c:\program files (x86)\Lenovo\Communications Utility\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for quickdeskband.dll DLL Hijacking
id: 8061492b-6843-48a3-5852-5b9ff8483736
status: experimental
description: Detects possible DLL hijacking of quickdeskband.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/lenovo/quickdeskband.html
author: "Wietze Beukema"
date: 2024-07-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\quickdeskband.dll'

    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for tts.dll DLL Hijacking
id: 7423772b-1967-48a3-9518-5b9ff8557181
status: experimental
description: Detects possible DLL hijacking of tts.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/leppsoft/tts.html
author: "Walter Gordillo"
date: 2025-03-14
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\tts.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Soundpad\\*'
            - 'c:\program files (x86)\Soundpad\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for lmiguardiandll.dll DLL Hijacking
id: 8056822b-5153-48a3-7359-5b9ff8983958
status: experimental
description: Detects possible DLL hijacking of lmiguardiandll.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/logmein/lmiguardiandll.html
author: "Christiaan Beek"
date: 2023-01-11
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\lmiguardiandll.dll'
    filter:
        TargetFileName:
            - 'c:\program files\LogMeIn\\*'
            - 'c:\program files (x86)\LogMeIn\\*'
            - 'c:\program files\LogMeIn\x86\\*'
            - 'c:\program files (x86)\LogMeIn\x86\\*'
            - 'c:\program files\LogMeIn\x64\\*'
            - 'c:\program files (x86)\LogMeIn\x64\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for facesdk.dll DLL Hijacking
id: 4818682b-4150-48a3-8413-5b9ff8954421
status: experimental
description: Detects possible DLL hijacking of facesdk.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/luxand/facesdk.html
author: "Wietze Beukema"
date: 2023-04-04
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\facesdk.dll'
    filter:
        TargetFileName:
            - 'c:\program files\luxand\facesdk\bin\win64\\*'
            - 'c:\program files (x86)\luxand\facesdk\bin\win64\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ashldres.dll DLL Hijacking
id: 2697232b-6722-48a3-2305-5b9ff8580020
status: experimental
description: Detects possible DLL hijacking of ashldres.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/mcafee/ashldres.html
author: "Wietze Beukema"
date: 2021-12-08
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ashldres.dll'
    filter:
        TargetFileName:
            - 'c:\program files\McAfee.com\VSO\\*'
            - 'c:\program files (x86)\McAfee.com\VSO\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for lockdown.dll DLL Hijacking
id: 2232212b-1318-48a3-1317-5b9ff8905604
status: experimental
description: Detects possible DLL hijacking of lockdown.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/mcafee/lockdown.html
author: "Wietze Beukema"
date: 2022-06-13
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\lockdown.dll'
    filter:
        TargetFileName:
            - 'c:\program files\McAfee\VirusScan Enterprise\\*'
            - 'c:\program files (x86)\McAfee\VirusScan Enterprise\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mcutil.dll DLL Hijacking
id: 6572852b-5264-48a3-2775-5b9ff8452084
status: experimental
description: Detects possible DLL hijacking of mcutil.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/mcafee/mcutil.html
author: "Jai Minton - HuntressLabs"
date: 2024-08-07
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mcutil.dll'
    filter:
        TargetFileName:
            - 'c:\program files\McAfee Inc.\McAfee Total Protection 2009\\*'
            - 'c:\program files (x86)\McAfee Inc.\McAfee Total Protection 2009\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for siteadv.dll DLL Hijacking
id: 1129002b-5201-48a3-9406-5b9ff8493552
status: experimental
description: Detects possible DLL hijacking of siteadv.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/mcafee/siteadv.html
author: "Christiaan Beek"
date: 2023-01-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\siteadv.dll'
    filter:
        TargetFileName:
            - 'c:\program files\SiteAdvisor\\*\\*'
            - 'c:\program files (x86)\SiteAdvisor\\*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for vsodscpl.dll DLL Hijacking
id: 8664222b-1318-48a3-1317-5b9ff8845464
status: experimental
description: Detects possible DLL hijacking of vsodscpl.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/mcafee/vsodscpl.html
author: "Wietze Beukema"
date: 2022-06-13
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\vsodscpl.dll'
    filter:
        TargetFileName:
            - 'c:\program files\McAfee\VirusScan Enterprise\\*'
            - 'c:\program files (x86)\McAfee\VirusScan Enterprise\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mediainfo_i386.dll DLL Hijacking
id: 1377102b-4736-48a3-5188-5b9ff8695284
status: experimental
description: Detects possible DLL hijacking of mediainfo_i386.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/mediainfo/mediainfo_i386.html
author: "Jai Minton - HuntressLabs"
date: 2024-06-13
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mediainfo_i386.dll'
    filter:
        TargetFileName:
            - 'c:\program files\MediaInfo\\*'
            - 'c:\program files (x86)\MediaInfo\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for tutil32.dll DLL Hijacking
id: 4335962b-9675-48a3-8026-5b9ff8245961
status: experimental
description: Detects possible DLL hijacking of tutil32.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/mitec/tutil32.html
author: "Jai Minton"
date: 2025-05-06
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\tutil32.dll'
    filter:
        TargetFileName:
            - 'c:\program files\PDE\\*'
            - 'c:\program files (x86)\PDE\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for libxfont-1.dll DLL Hijacking
id: 4954712b-9809-48a3-9172-5b9ff8180439
status: experimental
description: Detects possible DLL hijacking of libxfont-1.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/mobatek/libxfont-1.html
author: "Jai Minton - HuntressLabs"
date: 2024-05-10
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\libxfont-1.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Mobatek\MobaXterm Personal Edition\\*'
            - 'c:\program files (x86)\Mobatek\MobaXterm Personal Edition\\*'
            - 'c:\program files\Mobatek\MobaXterm\\*'
            - 'c:\program files (x86)\Mobatek\MobaXterm\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mozglue.dll DLL Hijacking
id: 6154932b-2326-48a3-2877-5b9ff8738308
status: experimental
description: Detects possible DLL hijacking of mozglue.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/mozilla/mozglue.html
author: "Wietze Beukema"
date: 2022-09-26
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mozglue.dll'
    filter:
        TargetFileName:
            - 'c:\program files\SeaMonkey\\*'
            - 'c:\program files (x86)\SeaMonkey\\*'
            - 'c:\program files\Mozilla Firefox\\*'
            - 'c:\program files (x86)\Mozilla Firefox\\*'
            - 'c:\program files\Mozilla Thunderbird\\*'
            - 'c:\program files (x86)\Mozilla Thunderbird\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mimetools.dll DLL Hijacking
id: 2659502b-9425-48a3-2496-5b9ff8181535
status: experimental
description: Detects possible DLL hijacking of mimetools.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/notepad++/mimetools.html
author: "Wietze Beukema"
date: 2024-03-31
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mimetools.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Notepad++\plugins\\*'
            - 'c:\program files (x86)\Notepad++\plugins\\*'
            - 'c:\program files\Notepad++\plugins\mimetools\\*'
            - 'c:\program files (x86)\Notepad++\plugins\mimetools\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for providers.dll DLL Hijacking
id: 4710112b-5388-48a3-9769-5b9ff8810087
status: experimental
description: Detects possible DLL hijacking of providers.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/npm/providers.html
author: "Wietze Beukema"
date: 2022-08-01
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\providers.dll'

    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for nvsmartmax.dll DLL Hijacking
id: 6820622b-3819-48a3-7381-5b9ff8297672
status: experimental
description: Detects possible DLL hijacking of nvsmartmax.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/nvidia/nvsmartmax.html
author: "Wietze Beukema"
date: 2023-09-04
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\nvsmartmax.dll'
    filter:
        TargetFileName:
            - 'c:\program files\NVIDIA Corporation\Display\\*'
            - 'c:\program files (x86)\NVIDIA Corporation\Display\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for opera_elf.dll DLL Hijacking
id: 3451112b-5254-48a3-5583-5b9ff8715208
status: experimental
description: Detects possible DLL hijacking of opera_elf.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/opera/opera_elf.html
author: "Wietze Beukema"
date: 2023-07-28
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\opera_elf.dll'
    filter:
        TargetFileName:
            - 'c:\users\\*\appdata\local\Programs\Opera\\*\\*'
            - 'c:\users\\*\appdata\local\Programs\Opera GX\\*\\*'
            - 'c:\program files\Opera\\*\\*'
            - 'c:\program files (x86)\Opera\\*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for jli.dll DLL Hijacking
id: 3307532b-4890-48a3-2757-5b9ff8183967
status: experimental
description: Detects possible DLL hijacking of jli.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/oracle/jli.html
author: "Swachchhanda Shrawan Poudel"
date: 2025-07-09
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\jli.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Java\\*\bin\\*'
            - 'c:\program files (x86)\Java\\*\bin\\*'
            - 'c:\program files\\*\jre\bin\\*'
            - 'c:\program files (x86)\\*\jre\bin\\*'
            - 'c:\users\\*\appdata\local\Temp\\*\bin\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for launcher.dll DLL Hijacking
id: 1948172b-6085-48a3-6339-5b9ff8262762
status: experimental
description: Detects possible DLL hijacking of launcher.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/oracle/launcher.html
author: "Jai Minton"
date: 2025-05-07
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\launcher.dll'
    filter:
        TargetFileName:
            - 'c:\program files\SQL Developer\ide\bin\\*'
            - 'c:\program files (x86)\SQL Developer\ide\bin\\*'
            - 'c:\program files\sqldeveloper\ide\bin\\*'
            - 'c:\program files (x86)\sqldeveloper\ide\bin\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for qtcorevbox4.dll DLL Hijacking
id: 7210632b-9569-48a3-1936-5b9ff8559513
status: experimental
description: Detects possible DLL hijacking of qtcorevbox4.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/oracle/qtcorevbox4.html
author: "Jai Minton - HuntressLabs"
date: 2024-04-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\qtcorevbox4.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Oracle\VirtualBox\\*'
            - 'c:\program files (x86)\Oracle\VirtualBox\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for vboxrt.dll DLL Hijacking
id: 4315842b-9569-48a3-1936-5b9ff8731884
status: experimental
description: Detects possible DLL hijacking of vboxrt.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/oracle/vboxrt.html
author: "Jai Minton - HuntressLabs"
date: 2024-04-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\vboxrt.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Oracle\VirtualBox\\*'
            - 'c:\program files (x86)\Oracle\VirtualBox\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for winutils.dll DLL Hijacking
id: 8665402b-4150-48a3-8413-5b9ff8744995
status: experimental
description: Detects possible DLL hijacking of winutils.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/paloalto/winutils.html
author: "Wietze Beukema"
date: 2023-04-04
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\winutils.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Palo Alto Networks\Traps\\*'
            - 'c:\program files (x86)\Palo Alto Networks\Traps\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for libeay32.dll DLL Hijacking
id: 9896462b-9569-48a3-1936-5b9ff8233096
status: experimental
description: Detects possible DLL hijacking of libeay32.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/pspad/libeay32.html
author: "Jai Minton - HuntressLabs"
date: 2024-04-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\libeay32.dll'
    filter:
        TargetFileName:
            - 'c:\program files\PSPad editor\\*'
            - 'c:\program files (x86)\PSPad editor\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for python310.dll DLL Hijacking
id: 6631002b-7990-48a3-2194-5b9ff8874886
status: experimental
description: Detects possible DLL hijacking of python310.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/python/python310.html
author: "Jai Minton"
date: 2024-05-08
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\python310.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Python310\\*'
            - 'c:\program files (x86)\Python310\\*'
            - 'c:\users\\*\appdata\local\Temp\\*\\*'
            - 'c:\program files\DWAgent\runtime\\*'
            - 'c:\program files (x86)\DWAgent\runtime\\*'
            - 'c:\users\\*\anaconda3\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for python311.dll DLL Hijacking
id: 2990442b-2202-48a3-8342-5b9ff8695619
status: experimental
description: Detects possible DLL hijacking of python311.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/python/python311.html
author: "Swachchhanda Shrawan Poudel"
date: 2024-10-02
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\python311.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Python311\\*'
            - 'c:\program files (x86)\Python311\\*'
            - 'c:\users\\*\appdata\local\Programs\Python\Python311\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for python39.dll DLL Hijacking
id: 7556042b-2326-48a3-2877-5b9ff8836856
status: experimental
description: Detects possible DLL hijacking of python39.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/python/python39.html
author: "Wietze Beukema"
date: 2022-09-26
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\python39.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Python39\\*'
            - 'c:\program files (x86)\Python39\\*'
            - 'c:\users\\*\appdata\local\Temp\\*\\*'
            - 'c:\program files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\\*'
            - 'c:\program files (x86)\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\\*'
            - 'c:\users\\*\anaconda3\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for keyscramblerie.dll DLL Hijacking
id: 3315772b-9569-48a3-1936-5b9ff8463838
status: experimental
description: Detects possible DLL hijacking of keyscramblerie.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/qfx/keyscramblerie.html
author: "Matt Anderson - HuntressLabs, Swachchhanda Shrawan Poudel"
date: 2024-04-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\keyscramblerie.dll'
    filter:
        TargetFileName:
            - 'c:\program files\KeyScrambler\\*'
            - 'c:\program files (x86)\KeyScrambler\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for qt5core.dll DLL Hijacking
id: 2527592b-4736-48a3-5188-5b9ff8167954
status: experimental
description: Detects possible DLL hijacking of qt5core.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/qt/qt5core.html
author: "Jai Minton - HuntressLabs"
date: 2024-06-13
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\qt5core.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Electronic Arts\EA Desktop\EA Desktop\\*'
            - 'c:\program files (x86)\Electronic Arts\EA Desktop\EA Desktop\\*'
            - 'c:\program files\Microsoft Onedrive\\*\\*'
            - 'c:\program files (x86)\Microsoft Onedrive\\*\\*'
            - 'c:\users\\*\appdata\local\Microsoft\Onedrive\\*\\*'
            - 'c:\program files\Dropbox\Client\\*\\*'
            - 'c:\program files (x86)\Dropbox\Client\\*\\*'
            - 'c:\program files\LogiOptionsPlus\\*'
            - 'c:\program files (x86)\LogiOptionsPlus\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for qt5network.dll DLL Hijacking
id: 9190192b-7904-48a3-3158-5b9ff8134247
status: experimental
description: Detects possible DLL hijacking of qt5network.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/qt/qt5network.html
author: "Jai Minton"
date: 2025-05-09
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\qt5network.dll'
    filter:
        TargetFileName:
            - 'c:\program files\LSoft Technologies\Active@ Data Studio\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ Data Studio\\*'
            - 'c:\program files\LSoft Technologies\Active@ File Recovery\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ File Recovery\\*'
            - 'c:\program files\LSoft Technologies\Active@ Disk Editor\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ Disk Editor\\*'
            - 'c:\program files\LSoft Technologies\Active@ Password Changer\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ Password Changer\\*'
            - 'c:\program files\LSoft Technologies\Active@ ISO Manager\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ ISO Manager\\*'
            - 'c:\program files\LSoft Technologies\Active@ UNERASER\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ UNERASER\\*'
            - 'c:\program files\LSoft Technologies\Active@ KillDisk 25\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ KillDisk 25\\*'
            - 'c:\program files\LSoft Technologies\Active@ UNDELETE\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ UNDELETE\\*'
            - 'c:\program files\LSoft Technologies\Active@ Disk Monitor\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ Disk Monitor\\*'
            - 'c:\program files\LSoft Technologies\Active@ Partition Manager\\*'
            - 'c:\program files (x86)\LSoft Technologies\Active@ Partition Manager\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for qtgui4.dll DLL Hijacking
id: 9746982b-4026-48a3-2477-5b9ff8238508
status: experimental
description: Detects possible DLL hijacking of qtgui4.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/qt/qtgui4.html
author: "Jai Minton - HuntressLabs"
date: 2025-04-10
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\qtgui4.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Audacity\\*'
            - 'c:\program files (x86)\Audacity\\*'
            - 'c:\program files\AOMEI\AOMEI Backupper\\*\\*'
            - 'c:\program files (x86)\AOMEI\AOMEI Backupper\\*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for asfbncor.dll DLL Hijacking
id: 3362012b-9675-48a3-8026-5b9ff8248289
status: experimental
description: Detects possible DLL hijacking of asfbncor.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/radioactive/asfbncor.html
author: "Jai Minton"
date: 2025-05-06
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\asfbncor.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Replay Media Splitter\\*'
            - 'c:\program files (x86)\Replay Media Splitter\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for rzlog4cpp_logger.dll DLL Hijacking
id: 3158222b-7740-48a3-2257-5b9ff8164996
status: experimental
description: Detects possible DLL hijacking of rzlog4cpp_logger.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/razer/rzlog4cpp_logger.html
author: "Wietze Beukema"
date: 2023-04-03
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\rzlog4cpp_logger.dll'
    filter:
        TargetFileName:
            - 'c:\users\\*\appdata\local\razer\InGameEngine\cache\RzFpsApplet\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for flutter_gpu_texture_renderer_plugin.dll DLL Hijacking
id: 7010852b-8907-48a3-9464-5b9ff8471033
status: experimental
description: Detects possible DLL hijacking of flutter_gpu_texture_renderer_plugin.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/rustdesk/flutter_gpu_texture_renderer_plugin.html
author: "Wietze Beukema"
date: 2025-02-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\flutter_gpu_texture_renderer_plugin.dll'
    filter:
        TargetFileName:
            - 'c:\users\\*\appdata\local\rustdesk\\*'
            - 'c:\program files\RustDesk\\*'
            - 'c:\program files (x86)\RustDesk\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for libngs.dll DLL Hijacking
id: 5819402b-5039-48a3-6342-5b9ff8298918
status: experimental
description: Detects possible DLL hijacking of libngs.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/sangfor/libngs.html
author: "Swachchhanda Shrawan Poudel"
date: 2026-01-28
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\libngs.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Sangfor\SSL\RemoteAppClient\\*'
            - 'c:\program files (x86)\Sangfor\SSL\RemoteAppClient\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for epnsm.dll DLL Hijacking
id: 7315302b-9675-48a3-8026-5b9ff8960613
status: experimental
description: Detects possible DLL hijacking of epnsm.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/seiko/epnsm.html
author: "Jai Minton"
date: 2025-05-06
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\epnsm.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Epson Software\Document Capture Server\\*'
            - 'c:\program files (x86)\Epson Software\Document Capture Server\\*'
            - 'c:\program files\Epson Software\Event Manager\\*'
            - 'c:\program files (x86)\Epson Software\Event Manager\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for sentinelagentcore.dll DLL Hijacking
id: 6609692b-5226-48a3-9110-5b9ff8127832
status: experimental
description: Detects possible DLL hijacking of sentinelagentcore.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/sentinelone/sentinelagentcore.html
author: "Amelia Casley"
date: 2025-08-13
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\sentinelagentcore.dll'
    filter:
        TargetFileName:
            - 'c:\program files\SentinelOne\Sentinel Agent *\\*'
            - 'c:\program files (x86)\SentinelOne\Sentinel Agent *\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for roboform-x64.dll DLL Hijacking
id: 2016812b-1497-48a3-1258-5b9ff8516792
status: experimental
description: Detects possible DLL hijacking of roboform-x64.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/sibersystems/roboform-x64.html
author: "Rick Gatenby"
date: 2026-02-03
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\roboform-x64.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Siber Systems\AI RoboForm\\*\\*'
            - 'c:\program files (x86)\Siber Systems\AI RoboForm\\*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for roboform.dll DLL Hijacking
id: 3758612b-1497-48a3-1258-5b9ff8264542
status: experimental
description: Detects possible DLL hijacking of roboform.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/sibersystems/roboform.html
author: "Rick Gatenby"
date: 2026-02-03
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\roboform.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Siber Systems\AI RoboForm\\*'
            - 'c:\program files (x86)\Siber Systems\AI RoboForm\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for smadhook32c.dll DLL Hijacking
id: 3416182b-4150-48a3-8413-5b9ff8316275
status: experimental
description: Detects possible DLL hijacking of smadhook32c.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/smadav/smadhook32c.html
author: "Wietze Beukema"
date: 2023-04-04
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\smadhook32c.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Smadav\\*'
            - 'c:\program files (x86)\Smadav\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for sqlite.dll DLL Hijacking
id: 5920602b-6171-48a3-7472-5b9ff8606319
status: experimental
description: Detects possible DLL hijacking of sqlite.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/softperfect/sqlite.html
author: "Jai Minton - HuntressLabs"
date: 2024-05-06
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\sqlite.dll'
    filter:
        TargetFileName:
            - 'c:\program files\NetWorx\\*'
            - 'c:\program files (x86)\NetWorx\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for safestore32.dll DLL Hijacking
id: 9492102b-3819-48a3-7381-5b9ff8837017
status: experimental
description: Detects possible DLL hijacking of safestore32.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/sophos/safestore32.html
author: "Wietze Beukema"
date: 2023-09-04
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\safestore32.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Sophos\Sophos Anti-Virus\\*'
            - 'c:\program files (x86)\Sophos\Sophos Anti-Virus\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for libsqlite3-0.dll DLL Hijacking
id: 2620602b-3119-48a3-1242-5b9ff8266048
status: experimental
description: Detects possible DLL hijacking of libsqlite3-0.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/sqlite/libsqlite3-0.html
author: "Swachchhanda Shrawan Poudel"
date: 2025-07-12
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\libsqlite3-0.dll'
    filter:
        TargetFileName:
            - 'c:\program files\\*'
            - 'c:\program files (x86)\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ldvpocx.ocx DLL Hijacking
id: 2888912b-2523-48a3-4236-5b9ff8872802
status: experimental
description: Detects possible DLL hijacking of ldvpocx.ocx by looking for suspicious file writes of this OCX (an ActiveX DLL) to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/symantec/ldvpocx.html
author: "Wietze Beukema"
date: 2023-04-22
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ldvpocx.ocx'
    filter:
        TargetFileName:
            - 'c:\program files\Symantec_Client_Security\Symantec AntiVirus\\*'
            - 'c:\program files (x86)\Symantec_Client_Security\Symantec AntiVirus\\*'
            - 'c:\program files\Symantec AntiVirus\\*'
            - 'c:\program files (x86)\Symantec AntiVirus\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for rastls.dll DLL Hijacking
id: 2346692b-1995-48a3-3467-5b9ff8265175
status: experimental
description: Detects possible DLL hijacking of rastls.dll by looking for suspicious file writes of this DLL to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/symantec/rastls.html
author: "Wietze Beukema"
date: 2023-02-26
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\rastls.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Symantec\Network Connected Devices Auto Setup\\*'
            - 'c:\program files (x86)\Symantec\Network Connected Devices Auto Setup\\*'
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for shellsel.ocx DLL Hijacking
id: 2664662b-4150-48a3-8413-5b9ff8735128
status: experimental
description: Detects possible DLL hijacking of shellsel.ocx by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/symantec/shellsel.html
author: "Wietze Beukema"
date: 2023-04-04
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\shellsel.ocx'

    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for madhcnet32.dll DLL Hijacking
id: 7923812b-4026-48a3-2477-5b9ff8629450
status: experimental
description: Detects possible DLL hijacking of madhcnet32.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/systemsoftwaremathiasrauen/madhcnet32.html
author: "Jai Minton - HuntressLabs"
date: 2025-04-10
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\madhcnet32.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Multimedia\K-Lite Codec Pack\Filters\madVR\\*'
            - 'c:\program files (x86)\Multimedia\K-Lite Codec Pack\Filters\madVR\\*'
            - 'c:\program files\K-Lite Codec Pack\Filters\madVR\\*'
            - 'c:\program files (x86)\K-Lite Codec Pack\Filters\madVR\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mfcu100u.dll DLL Hijacking
id: 2066802b-7232-48a3-9635-5b9ff8811420
status: experimental
description: Detects possible DLL hijacking of mfcu100u.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/techsmith/mfcu100u.html
author: "Josh Allman"
date: 2025-02-28
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mfcu100u.dll'
    filter:
        TargetFileName:
            - 'c:\program files\TechSmith\Camtasia Studio 8\\*'
            - 'c:\program files (x86)\TechSmith\Camtasia Studio 8\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for tpsvc.dll DLL Hijacking
id: 1712242b-9569-48a3-1936-5b9ff8544276
status: experimental
description: Detects possible DLL hijacking of tpsvc.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/thinprint/tpsvc.html
author: "Jai Minton - HuntressLabs"
date: 2024-04-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\tpsvc.dll'
    filter:
        TargetFileName:
            - 'c:\program files\VMWare\VMWare Tools\\*'
            - 'c:\program files (x86)\VMWare\VMWare Tools\\*'
            - 'c:\program files\Common Files\ThinPrint\\*'
            - 'c:\program files (x86)\Common Files\ThinPrint\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for cc3260mt.dll DLL Hijacking
id: 5945182b-3546-48a3-3513-5b9ff8463170
status: experimental
description: Detects possible DLL hijacking of cc3260mt.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/tivo/cc3260mt.html
author: "Jai Minton - HuntressLabs"
date: 2025-02-19
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\cc3260mt.dll'
    filter:
        TargetFileName:
            - 'c:\program files\TiVo\Desktop\\*'
            - 'c:\program files (x86)\TiVo\Desktop\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for tosbtkbd.dll DLL Hijacking
id: 9671702b-6727-48a3-6557-5b9ff8159819
status: experimental
description: Detects possible DLL hijacking of tosbtkbd.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/toshiba/tosbtkbd.html
author: "Wietze Beukema"
date: 2022-06-14
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\tosbtkbd.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Toshiba\Bluetooth Toshiba Stack\\*'
            - 'c:\program files (x86)\Toshiba\Bluetooth Toshiba Stack\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for tmdbg64.dll DLL Hijacking
id: 9722622b-9632-48a3-5733-5b9ff8437989
status: experimental
description: Detects possible DLL hijacking of tmdbg64.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/trendmicro/tmdbg64.html
author: "Still Hsu"
date: 2025-11-05
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\tmdbg64.dll'
    filter:
        TargetFileName:
            - 'c:\users\\*\appdata\local\Temp\ClnExtor\PCCNT\\*'
            - 'c:\program files\Trend Micro\Security Agent\\*'
            - 'c:\program files (x86)\Trend Micro\Security Agent\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for tmdbglog.dll DLL Hijacking
id: 1956942b-5201-48a3-9406-5b9ff8905624
status: experimental
description: Detects possible DLL hijacking of tmdbglog.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/trendmicro/tmdbglog.html
author: "Christiaan Beek"
date: 2023-01-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\tmdbglog.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Trend Micro\Titanium\\*'
            - 'c:\program files (x86)\Trend Micro\Titanium\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for tmtap.dll DLL Hijacking
id: 8739702b-2945-48a3-7988-5b9ff8844509
status: experimental
description: Detects possible DLL hijacking of tmtap.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/trendmicro/tmtap.html
author: "Wietze Beukema"
date: 2022-05-26
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\tmtap.dll'

    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for utiluniclient.dll DLL Hijacking
id: 8929172b-5805-48a3-6769-5b9ff8388944
status: experimental
description: Detects possible DLL hijacking of utiluniclient.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/trendmicro/utiluniclient.html
author: "Wietze Beukema"
date: 2021-02-28
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\utiluniclient.dll'

    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for unityplayer.dll DLL Hijacking
id: 8888882b-8028-48a3-7945-5b9ff8900792
status: experimental
description: Detects possible DLL hijacking of unityplayer.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/unity/unityplayer.html
author: "Wietze Beukema"
date: 2023-05-03
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\unityplayer.dll'
    filter:
        TargetFileName:
            - 'c:\users\\*\appdata\local\Temp\\*\Windows\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for crashhandler.dll DLL Hijacking
id: 7629772b-9776-48a3-1796-5b9ff8671439
status: experimental
description: Detects possible DLL hijacking of crashhandler.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/valve/crashhandler.html
author: "Still Hsu"
date: 2025-11-20
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\crashhandler.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Steam\\*'
            - 'c:\program files (x86)\Steam\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for vstdlib_s64.dll DLL Hijacking
id: 3565762b-3925-48a3-9336-5b9ff8162355
status: experimental
description: Detects possible DLL hijacking of vstdlib_s64.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/valve/vstdlib_s64.html
author: "Still Hsu"
date: 2024-09-24
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\vstdlib_s64.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Steam\\*'
            - 'c:\program files (x86)\Steam\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for vntfxf32.dll DLL Hijacking
id: 5845122b-4150-48a3-8413-5b9ff8327495
status: experimental
description: Detects possible DLL hijacking of vntfxf32.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/ventafax/vntfxf32.html
author: "Wietze Beukema"
date: 2023-04-04
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\vntfxf32.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Venta\VentaFax & Voice\\*'
            - 'c:\program files (x86)\Venta\VentaFax & Voice\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for vivaldi_elf.dll DLL Hijacking
id: 5086082b-2523-48a3-4236-5b9ff8819409
status: experimental
description: Detects possible DLL hijacking of vivaldi_elf.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/vivaldi/vivaldi_elf.html
author: "Wietze Beukema"
date: 2023-04-22
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\vivaldi_elf.dll'
    filter:
        TargetFileName:
            - 'c:\users\\*\appdata\local\Vivaldi\Application\\*'
            - 'c:\users\\*\appdata\local\Vivaldi\Application\\*\\*'
            - 'c:\users\\*\appdata\local\Programs\Vivaldi\Application\\*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for libvlc.dll DLL Hijacking
id: 1010922b-1035-48a3-1344-5b9ff8330336
status: experimental
description: Detects possible DLL hijacking of libvlc.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html
author: "Wietze Beukema"
date: 2022-11-18
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\libvlc.dll'
    filter:
        TargetFileName:
            - 'c:\program files\VideoLAN\VLC\\*'
            - 'c:\program files (x86)\VideoLAN\VLC\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for libvlccore.dll DLL Hijacking
id: 3125662b-9569-48a3-1936-5b9ff8347377
status: experimental
description: Detects possible DLL hijacking of libvlccore.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/vlc/libvlccore.html
author: "Jai Minton - HuntressLabs"
date: 2024-04-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\libvlccore.dll'
    filter:
        TargetFileName:
            - 'c:\program files\VideoLAN\VLC\\*'
            - 'c:\program files (x86)\VideoLAN\VLC\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for glib-2.0.dll DLL Hijacking
id: 7524132b-7740-48a3-2257-5b9ff8783090
status: experimental
description: Detects possible DLL hijacking of glib-2.0.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/vmware/glib-2.0.html
author: "Wietze Beukema"
date: 2023-04-03
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\glib-2.0.dll'
    filter:
        TargetFileName:
            - 'c:\program files\VMware\VMware Tools\\*'
            - 'c:\program files (x86)\VMware\VMware Tools\\*'
            - 'c:\program files\VMware\VMware Workstation\\*'
            - 'c:\program files (x86)\VMware\VMware Workstation\\*'
            - 'c:\program files\VMware\VMware Player\\*'
            - 'c:\program files (x86)\VMware\VMware Player\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for shfolder.dll DLL Hijacking
id: 8124062b-4759-48a3-7597-5b9ff8844449
status: experimental
description: Detects possible DLL hijacking of shfolder.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/vmware/shfolder.html
author: "Wietze Beukema"
date: 2021-11-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\shfolder.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for vmtools.dll DLL Hijacking
id: 1454272b-2773-48a3-5383-5b9ff8169519
status: experimental
description: Detects possible DLL hijacking of vmtools.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/vmware/vmtools.html
author: "Jai Minton - HuntressLabs"
date: 2024-05-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\vmtools.dll'
    filter:
        TargetFileName:
            - 'c:\program files\VMware\VMware Tools\\*'
            - 'c:\program files (x86)\VMware\VMware Tools\\*'
            - 'c:\program files\VMware\VMware Workstation\\*'
            - 'c:\program files (x86)\VMware\VMware Workstation\\*'
            - 'c:\program files\VMware\VMware Player\\*'
            - 'c:\program files (x86)\VMware\VMware Player\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for avutil.dll DLL Hijacking
id: 4821732b-3109-48a3-1955-5b9ff8677522
status: experimental
description: Detects possible DLL hijacking of avutil.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/vsosoftware/avutil.html
author: "Wietze Beukema"
date: 2024-07-01
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\avutil.dll'
    filter:
        TargetFileName:
            - 'c:\program files\VSO\ConvertX\7\\*'
            - 'c:\program files (x86)\VSO\ConvertX\7\\*'
            - 'c:\program files\VSO\convertXtoDVD\\*'
            - 'c:\program files (x86)\VSO\convertXtoDVD\\*'
            - 'c:\program files\Common Files\Oracle\Java\javapath\\*'
            - 'c:\program files (x86)\Common Files\Oracle\Java\javapath\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for libglib-2.0-0.dll DLL Hijacking
id: 4660922b-9569-48a3-1936-5b9ff8639303
status: experimental
description: Detects possible DLL hijacking of libglib-2.0-0.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/wireshark/libglib-2.0-0.html
author: "Jai Minton - HuntressLabs"
date: 2024-04-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\libglib-2.0-0.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Wireshark\\*'
            - 'c:\program files (x86)\Wireshark\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for libwsutil.dll DLL Hijacking
id: 6218012b-9569-48a3-1936-5b9ff8220380
status: experimental
description: Detects possible DLL hijacking of libwsutil.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/wireshark/libwsutil.html
author: "Jai Minton - HuntressLabs"
date: 2024-04-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\libwsutil.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Wireshark\\*'
            - 'c:\program files (x86)\Wireshark\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wxmsw313u_aui_vc_custom.dll DLL Hijacking
id: 7670462b-9675-48a3-8026-5b9ff8778295
status: experimental
description: Detects possible DLL hijacking of wxmsw313u_aui_vc_custom.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/wxwidgets/wxmsw313u_aui_vc_custom.html
author: "Jai Minton"
date: 2025-05-06
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wxmsw313u_aui_vc_custom.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Audacity\\*'
            - 'c:\program files (x86)\Audacity\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for x32bridge.dll DLL Hijacking
id: 1216792b-9223-48a3-6181-5b9ff8946663
status: experimental
description: Detects possible DLL hijacking of x32bridge.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/x64dbg/x32bridge.html
author: "Wietze Beukema"
date: 2023-03-01
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\x32bridge.dll'

    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for atl71.dll DLL Hijacking
id: 6552892b-3685-48a3-9733-5b9ff8142648
status: experimental
description: Detects possible DLL hijacking of atl71.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/xunlei/atl71.html
author: "Jai Minton - HuntressLabs"
date: 2024-08-30
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\atl71.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Common Files\Thunder Network\TP\\*\\*'
            - 'c:\program files (x86)\Common Files\Thunder Network\TP\\*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for zlibwapi.dll DLL Hijacking
id: 5449342b-9910-48a3-3013-5b9ff8401940
status: experimental
description: Detects possible DLL hijacking of zlibwapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/zlib/zlibwapi.html
author: "Still Hsu"
date: 2024-11-24
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\zlibwapi.dll'
    filter:
        TargetFileName:
            - 'c:\program files\DS Clock\\*'
            - 'c:\program files (x86)\DS Clock\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for aclui.dll DLL Hijacking
id: 6961132b-1313-48a3-6160-5b9ff8597384
status: experimental
description: Detects possible DLL hijacking of aclui.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/aclui.html
author: "Wietze Beukema"
date: 2021-12-07
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\aclui.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for activeds.dll DLL Hijacking
id: 1561772b-9395-48a3-4833-5b9ff8384545
status: experimental
description: Detects possible DLL hijacking of activeds.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/activeds.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\activeds.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for adsldpc.dll DLL Hijacking
id: 2821252b-9395-48a3-4833-5b9ff8167320
status: experimental
description: Detects possible DLL hijacking of adsldpc.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/adsldpc.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\adsldpc.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for aepic.dll DLL Hijacking
id: 7114002b-9395-48a3-4833-5b9ff8310426
status: experimental
description: Detects possible DLL hijacking of aepic.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/aepic.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\aepic.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for apphelp.dll DLL Hijacking
id: 1083242b-9395-48a3-4833-5b9ff8805110
status: experimental
description: Detects possible DLL hijacking of apphelp.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/apphelp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\apphelp.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for applicationframe.dll DLL Hijacking
id: 7730762b-2897-48a3-6541-5b9ff8503660
status: experimental
description: Detects possible DLL hijacking of applicationframe.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/applicationframe.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\applicationframe.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for appvpolicy.dll DLL Hijacking
id: 5334352b-2028-48a3-1241-5b9ff8107382
status: experimental
description: Detects possible DLL hijacking of appvpolicy.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/appvpolicy.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\appvpolicy.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\program files\Common Files\Microsoft Shared\ClickToRun\\*'
            - 'c:\program files (x86)\Common Files\Microsoft Shared\ClickToRun\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for appwiz.cpl DLL Hijacking
id: 9483912b-8657-48a3-9976-5b9ff8530009
status: experimental
description: Detects possible DLL hijacking of appwiz.cpl by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/appwiz.html
author: "Wietze Beukema"
date: 2024-01-11
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\appwiz.cpl'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for appxalluserstore.dll DLL Hijacking
id: 7919612b-9395-48a3-4833-5b9ff8281862
status: experimental
description: Detects possible DLL hijacking of appxalluserstore.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/appxalluserstore.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\appxalluserstore.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for appxdeploymentclient.dll DLL Hijacking
id: 7568422b-9395-48a3-4833-5b9ff8638490
status: experimental
description: Detects possible DLL hijacking of appxdeploymentclient.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/appxdeploymentclient.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\appxdeploymentclient.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for archiveint.dll DLL Hijacking
id: 1146712b-9395-48a3-4833-5b9ff8135242
status: experimental
description: Detects possible DLL hijacking of archiveint.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/archiveint.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\archiveint.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for atl.dll DLL Hijacking
id: 6673332b-9395-48a3-4833-5b9ff8300501
status: experimental
description: Detects possible DLL hijacking of atl.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/atl.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\atl.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for audioses.dll DLL Hijacking
id: 8022592b-9395-48a3-4833-5b9ff8731679
status: experimental
description: Detects possible DLL hijacking of audioses.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/audioses.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\audioses.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for auditpolcore.dll DLL Hijacking
id: 4819822b-9395-48a3-4833-5b9ff8425921
status: experimental
description: Detects possible DLL hijacking of auditpolcore.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/auditpolcore.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\auditpolcore.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for authfwcfg.dll DLL Hijacking
id: 1368622b-9395-48a3-4833-5b9ff8719918
status: experimental
description: Detects possible DLL hijacking of authfwcfg.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/authfwcfg.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\authfwcfg.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for authz.dll DLL Hijacking
id: 9309812b-9395-48a3-4833-5b9ff8476213
status: experimental
description: Detects possible DLL hijacking of authz.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/authz.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\authz.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for avrt.dll DLL Hijacking
id: 3280762b-9395-48a3-4833-5b9ff8777444
status: experimental
description: Detects possible DLL hijacking of avrt.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/avrt.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\avrt.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for axeonoffhelper.dll DLL Hijacking
id: 7616972b-8288-48a3-2577-5b9ff8451750
status: experimental
description: Detects possible DLL hijacking of axeonoffhelper.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/axeonoffhelper.html
author: "Swachchhanda Shrawan Poudel"
date: 2025-06-18
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\axeonoffhelper.dll'

    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for batmeter.dll DLL Hijacking
id: 9973812b-7437-48a3-2115-5b9ff8730738
status: experimental
description: Detects possible DLL hijacking of batmeter.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/batmeter.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\batmeter.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for bcd.dll DLL Hijacking
id: 8147012b-9395-48a3-4833-5b9ff8624399
status: experimental
description: Detects possible DLL hijacking of bcd.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/bcd.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\bcd.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for bcp47langs.dll DLL Hijacking
id: 6006202b-9395-48a3-4833-5b9ff8831169
status: experimental
description: Detects possible DLL hijacking of bcp47langs.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/bcp47langs.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\bcp47langs.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for bcp47mrm.dll DLL Hijacking
id: 5611532b-9395-48a3-4833-5b9ff8838292
status: experimental
description: Detects possible DLL hijacking of bcp47mrm.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/bcp47mrm.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\bcp47mrm.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for bcrypt.dll DLL Hijacking
id: 1391452b-2897-48a3-6541-5b9ff8903512
status: experimental
description: Detects possible DLL hijacking of bcrypt.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/bcrypt.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\bcrypt.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for bderepair.dll DLL Hijacking
id: 8510402b-9395-48a3-4833-5b9ff8929683
status: experimental
description: Detects possible DLL hijacking of bderepair.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/bderepair.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\bderepair.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for bootmenuux.dll DLL Hijacking
id: 6290592b-9395-48a3-4833-5b9ff8715871
status: experimental
description: Detects possible DLL hijacking of bootmenuux.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/bootmenuux.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\bootmenuux.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for bootux.dll DLL Hijacking
id: 3253142b-2028-48a3-1241-5b9ff8137525
status: experimental
description: Detects possible DLL hijacking of bootux.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/bootux.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\bootux.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for bthprops.cpl DLL Hijacking
id: 9160872b-3316-48a3-9077-5b9ff8347867
status: experimental
description: Detects possible DLL hijacking of bthprops.cpl by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/bthprops.html
author: "Swachchhanda Shrawan Poudel"
date: 2026-02-05
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\bthprops.cpl'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\Prefetch\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for cabinet.dll DLL Hijacking
id: 1147392b-9395-48a3-4833-5b9ff8774102
status: experimental
description: Detects possible DLL hijacking of cabinet.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/cabinet.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\cabinet.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for cabview.dll DLL Hijacking
id: 4608832b-2897-48a3-6541-5b9ff8579534
status: experimental
description: Detects possible DLL hijacking of cabview.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/cabview.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\cabview.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for cdpsgshims.dll DLL Hijacking
id: 4611702b-9122-48a3-7130-5b9ff8297414
status: experimental
description: Detects possible DLL hijacking of cdpsgshims.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/cdpsgshims.html
author: "k4nfr3"
date: 2022-08-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\cdpsgshims.dll'

    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for certcli.dll DLL Hijacking
id: 9039272b-2028-48a3-1241-5b9ff8865992
status: experimental
description: Detects possible DLL hijacking of certcli.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/certcli.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\certcli.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for certenroll.dll DLL Hijacking
id: 2262222b-9395-48a3-4833-5b9ff8558051
status: experimental
description: Detects possible DLL hijacking of certenroll.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/certenroll.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\certenroll.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for cfgmgr32.dll DLL Hijacking
id: 8798342b-4582-48a3-1057-5b9ff8403867
status: experimental
description: Detects possible DLL hijacking of cfgmgr32.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/cfgmgr32.html
author: "Wietze Beukema"
date: 2023-05-19
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\cfgmgr32.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for cldapi.dll DLL Hijacking
id: 2513712b-9395-48a3-4833-5b9ff8133169
status: experimental
description: Detects possible DLL hijacking of cldapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/cldapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\cldapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for clipc.dll DLL Hijacking
id: 4992582b-9395-48a3-4833-5b9ff8734121
status: experimental
description: Detects possible DLL hijacking of clipc.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/clipc.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\clipc.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for clusapi.dll DLL Hijacking
id: 9283912b-9395-48a3-4833-5b9ff8443136
status: experimental
description: Detects possible DLL hijacking of clusapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/clusapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\clusapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for cmpbk32.dll DLL Hijacking
id: 6999162b-9395-48a3-4833-5b9ff8418126
status: experimental
description: Detects possible DLL hijacking of cmpbk32.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/cmpbk32.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\cmpbk32.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for cmutil.dll DLL Hijacking
id: 6540492b-2028-48a3-1241-5b9ff8812845
status: experimental
description: Detects possible DLL hijacking of cmutil.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/cmutil.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\cmutil.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for coloradapterclient.dll DLL Hijacking
id: 2341452b-9395-48a3-4833-5b9ff8294719
status: experimental
description: Detects possible DLL hijacking of coloradapterclient.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/coloradapterclient.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\coloradapterclient.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for colorui.dll DLL Hijacking
id: 3050932b-9395-48a3-4833-5b9ff8851919
status: experimental
description: Detects possible DLL hijacking of colorui.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/colorui.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\colorui.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for comdlg32.dll DLL Hijacking
id: 3569472b-2897-48a3-6541-5b9ff8976607
status: experimental
description: Detects possible DLL hijacking of comdlg32.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/comdlg32.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\comdlg32.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for configmanager2.dll DLL Hijacking
id: 8097612b-2028-48a3-1241-5b9ff8697132
status: experimental
description: Detects possible DLL hijacking of configmanager2.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/configmanager2.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\configmanager2.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for connect.dll DLL Hijacking
id: 6694052b-2897-48a3-6541-5b9ff8768439
status: experimental
description: Detects possible DLL hijacking of connect.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/connect.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\connect.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for coredplus.dll DLL Hijacking
id: 5265762b-7437-48a3-2115-5b9ff8350063
status: experimental
description: Detects possible DLL hijacking of coredplus.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/coredplus.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\coredplus.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for coremessaging.dll DLL Hijacking
id: 8595492b-9395-48a3-4833-5b9ff8771827
status: experimental
description: Detects possible DLL hijacking of coremessaging.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/coremessaging.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\coremessaging.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for coreuicomponents.dll DLL Hijacking
id: 3082242b-2028-48a3-1241-5b9ff8578966
status: experimental
description: Detects possible DLL hijacking of coreuicomponents.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/coreuicomponents.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\coreuicomponents.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for credui.dll DLL Hijacking
id: 8542452b-9395-48a3-4833-5b9ff8440692
status: experimental
description: Detects possible DLL hijacking of credui.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/credui.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\credui.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for cryptbase.dll DLL Hijacking
id: 4433672b-9395-48a3-4833-5b9ff8337593
status: experimental
description: Detects possible DLL hijacking of cryptbase.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/cryptbase.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\cryptbase.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for cryptdll.dll DLL Hijacking
id: 6409002b-9395-48a3-4833-5b9ff8362190
status: experimental
description: Detects possible DLL hijacking of cryptdll.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/cryptdll.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\cryptdll.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for cryptnet.dll DLL Hijacking
id: 6024932b-8091-48a3-6555-5b9ff8476279
status: experimental
description: Detects possible DLL hijacking of cryptnet.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/cryptnet.html
author: "Will Summerhill"
date: 2024-11-22
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\cryptnet.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for cryptsp.dll DLL Hijacking
id: 2843042b-2028-48a3-1241-5b9ff8669152
status: experimental
description: Detects possible DLL hijacking of cryptsp.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/cryptsp.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\cryptsp.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for cryptui.dll DLL Hijacking
id: 1397952b-9395-48a3-4833-5b9ff8375484
status: experimental
description: Detects possible DLL hijacking of cryptui.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/cryptui.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\cryptui.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for cryptxml.dll DLL Hijacking
id: 4433932b-9395-48a3-4833-5b9ff8581863
status: experimental
description: Detects possible DLL hijacking of cryptxml.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/cryptxml.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\cryptxml.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for cscapi.dll DLL Hijacking
id: 6635272b-9395-48a3-4833-5b9ff8543091
status: experimental
description: Detects possible DLL hijacking of cscapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/cscapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\cscapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for cscobj.dll DLL Hijacking
id: 4910872b-2897-48a3-6541-5b9ff8780619
status: experimental
description: Detects possible DLL hijacking of cscobj.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/cscobj.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\cscobj.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for cscui.dll DLL Hijacking
id: 7447112b-2897-48a3-6541-5b9ff8230164
status: experimental
description: Detects possible DLL hijacking of cscui.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/cscui.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\cscui.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for d2d1.dll DLL Hijacking
id: 5931672b-9395-48a3-4833-5b9ff8110157
status: experimental
description: Detects possible DLL hijacking of d2d1.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/d2d1.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\d2d1.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for d3d10.dll DLL Hijacking
id: 7231502b-9395-48a3-4833-5b9ff8901798
status: experimental
description: Detects possible DLL hijacking of d3d10.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/d3d10.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\d3d10.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for d3d10_1.dll DLL Hijacking
id: 3305522b-9395-48a3-4833-5b9ff8639490
status: experimental
description: Detects possible DLL hijacking of d3d10_1.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/d3d10_1.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\d3d10_1.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for d3d10_1core.dll DLL Hijacking
id: 5334922b-9395-48a3-4833-5b9ff8162909
status: experimental
description: Detects possible DLL hijacking of d3d10_1core.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/d3d10_1core.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\d3d10_1core.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for d3d10core.dll DLL Hijacking
id: 9260902b-9395-48a3-4833-5b9ff8425217
status: experimental
description: Detects possible DLL hijacking of d3d10core.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/d3d10core.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\d3d10core.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for d3d10warp.dll DLL Hijacking
id: 4882562b-9395-48a3-4833-5b9ff8870216
status: experimental
description: Detects possible DLL hijacking of d3d10warp.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/d3d10warp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\d3d10warp.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for d3d11.dll DLL Hijacking
id: 3648822b-9395-48a3-4833-5b9ff8970198
status: experimental
description: Detects possible DLL hijacking of d3d11.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/d3d11.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\d3d11.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for d3d12.dll DLL Hijacking
id: 5543692b-9395-48a3-4833-5b9ff8102542
status: experimental
description: Detects possible DLL hijacking of d3d12.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/d3d12.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\d3d12.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for d3d9.dll DLL Hijacking
id: 8213182b-9395-48a3-4833-5b9ff8691183
status: experimental
description: Detects possible DLL hijacking of d3d9.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/d3d9.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\d3d9.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for d3dcompiler_47.dll DLL Hijacking
id: 4206842b-9395-48a3-4833-5b9ff8530571
status: experimental
description: Detects possible DLL hijacking of d3dcompiler_47.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/d3dcompiler_47.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\d3dcompiler_47.dll'
    filter:
        TargetFileName:
            - 'c:\program files\windows kits\10\bin\\*\x64\\*'
            - 'c:\program files (x86)\windows kits\10\bin\\*\x64\\*'
            - 'c:\program files\windows kits\10\bin\\*\x86\\*'
            - 'c:\program files (x86)\windows kits\10\bin\\*\x86\\*'
            - 'c:\program files\windows kits\10\redist\d3d\x64\\*'
            - 'c:\program files (x86)\windows kits\10\redist\d3d\x64\\*'
            - 'c:\program files\windows kits\10\redist\d3d\x86\\*'
            - 'c:\program files (x86)\windows kits\10\redist\d3d\x86\\*'
            - 'c:\program files\wireshark\\*'
            - 'c:\program files (x86)\wireshark\\*'
            - 'c:\program files\LogiOptionsPlus\\*'
            - 'c:\program files (x86)\LogiOptionsPlus\\*'
            - 'c:\program files\cisco systems\cisco jabber\\*'
            - 'c:\program files (x86)\cisco systems\cisco jabber\\*'
            - 'c:\program files\microsoft\edge\application\\*\\*'
            - 'c:\program files (x86)\microsoft\edge\application\\*\\*'
            - 'c:\program files\microsoft\edgewebview\application\\*\\*'
            - 'c:\program files (x86)\microsoft\edgewebview\application\\*\\*'
            - 'c:\program files\microsoft\edgecore\application\\*\\*'
            - 'c:\program files (x86)\microsoft\edgecore\application\\*\\*'
            - 'c:\program files\Google\Chrome\Application\\*\\*'
            - 'c:\program files (x86)\Google\Chrome\Application\\*\\*'
            - 'c:\program files\Island\Island\Application\\*\\*'
            - 'c:\program files (x86)\Island\Island\Application\\*\\*'
            - 'c:\program files\Zoom\bin\\*'
            - 'c:\program files (x86)\Zoom\bin\\*'
            - 'c:\users\\*\appdata\roaming\Zoom\bin\\*'
            - 'c:\users\\*\appdata\local\microsoft\teams\stage\\*'
            - 'c:\users\\*\appdata\local\Programs\Microsoft VS Code\\*'
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for d3dx9_43.dll DLL Hijacking
id: 7675062b-8028-48a3-7945-5b9ff8245014
status: experimental
description: Detects possible DLL hijacking of d3dx9_43.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/d3dx9_43.html
author: "Wietze Beukema"
date: 2023-05-03
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\d3dx9_43.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dataexchange.dll DLL Hijacking
id: 3976842b-2897-48a3-6541-5b9ff8191828
status: experimental
description: Detects possible DLL hijacking of dataexchange.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dataexchange.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dataexchange.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for davclnt.dll DLL Hijacking
id: 9202762b-2897-48a3-6541-5b9ff8342534
status: experimental
description: Detects possible DLL hijacking of davclnt.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/davclnt.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\davclnt.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dbgcore.dll DLL Hijacking
id: 3986662b-9395-48a3-4833-5b9ff8671231
status: experimental
description: Detects possible DLL hijacking of dbgcore.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dbgcore.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dbgcore.dll'
    filter:
        TargetFileName:
            - 'c:\program files\windows kits\10\debuggers\arm\\*'
            - 'c:\program files (x86)\windows kits\10\debuggers\arm\\*'
            - 'c:\program files\windows kits\10\debuggers\arm\srcsrv\\*'
            - 'c:\program files (x86)\windows kits\10\debuggers\arm\srcsrv\\*'
            - 'c:\program files\windows kits\10\debuggers\arm64\\*'
            - 'c:\program files (x86)\windows kits\10\debuggers\arm64\\*'
            - 'c:\program files\windows kits\10\debuggers\arm64\srcsrv\\*'
            - 'c:\program files (x86)\windows kits\10\debuggers\arm64\srcsrv\\*'
            - 'c:\program files\windows kits\10\debuggers\x64\\*'
            - 'c:\program files (x86)\windows kits\10\debuggers\x64\\*'
            - 'c:\program files\windows kits\10\debuggers\x64\srcsrv\\*'
            - 'c:\program files (x86)\windows kits\10\debuggers\x64\srcsrv\\*'
            - 'c:\program files\windows kits\10\debuggers\x86\\*'
            - 'c:\program files (x86)\windows kits\10\debuggers\x86\\*'
            - 'c:\program files\windows kits\10\debuggers\x86\srcsrv\\*'
            - 'c:\program files (x86)\windows kits\10\debuggers\x86\srcsrv\\*'
            - 'c:\program files\microsoft office\root\office*\\*'
            - 'c:\program files (x86)\microsoft office\root\office*\\*'
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dbghelp.dll DLL Hijacking
id: 7256632b-9395-48a3-4833-5b9ff8211460
status: experimental
description: Detects possible DLL hijacking of dbghelp.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dbghelp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dbghelp.dll'
    filter:
        TargetFileName:
            - 'c:\program files\windows kits\10\debuggers\arm\\*'
            - 'c:\program files (x86)\windows kits\10\debuggers\arm\\*'
            - 'c:\program files\windows kits\10\debuggers\arm\srcsrv\\*'
            - 'c:\program files (x86)\windows kits\10\debuggers\arm\srcsrv\\*'
            - 'c:\program files\windows kits\10\debuggers\arm64\\*'
            - 'c:\program files (x86)\windows kits\10\debuggers\arm64\\*'
            - 'c:\program files\windows kits\10\debuggers\arm64\srcsrv\\*'
            - 'c:\program files (x86)\windows kits\10\debuggers\arm64\srcsrv\\*'
            - 'c:\program files\windows kits\10\debuggers\x64\\*'
            - 'c:\program files (x86)\windows kits\10\debuggers\x64\\*'
            - 'c:\program files\windows kits\10\debuggers\x64\srcsrv\\*'
            - 'c:\program files (x86)\windows kits\10\debuggers\x64\srcsrv\\*'
            - 'c:\program files\windows kits\10\debuggers\x86\\*'
            - 'c:\program files (x86)\windows kits\10\debuggers\x86\\*'
            - 'c:\program files\windows kits\10\debuggers\x86\srcsrv\\*'
            - 'c:\program files (x86)\windows kits\10\debuggers\x86\srcsrv\\*'
            - 'c:\program files\cisco systems\cisco jabber\\*'
            - 'c:\program files (x86)\cisco systems\cisco jabber\\*'
            - 'c:\program files\microsoft office\root\office*\\*'
            - 'c:\program files (x86)\microsoft office\root\office*\\*'
            - 'c:\program files\microsoft office\root\vfs\programfilesx86\microsoft analysis services\as oledb\140\\*'
            - 'c:\program files (x86)\microsoft office\root\vfs\programfilesx86\microsoft analysis services\as oledb\140\\*'
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dbgmodel.dll DLL Hijacking
id: 1149382b-2811-48a3-1599-5b9ff8991076
status: experimental
description: Detects possible DLL hijacking of dbgmodel.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html
author: "Gary Lobermier"
date: 2023-05-22
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dbgmodel.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\program files\Windows Kits\10\Debuggers\\*\\*'
            - 'c:\program files (x86)\Windows Kits\10\Debuggers\\*\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dcntel.dll DLL Hijacking
id: 8030552b-9395-48a3-4833-5b9ff8110108
status: experimental
description: Detects possible DLL hijacking of dcntel.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dcntel.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dcntel.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dcomp.dll DLL Hijacking
id: 5237442b-9395-48a3-4833-5b9ff8380347
status: experimental
description: Detects possible DLL hijacking of dcomp.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dcomp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dcomp.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for defragproxy.dll DLL Hijacking
id: 3280332b-2897-48a3-6541-5b9ff8912656
status: experimental
description: Detects possible DLL hijacking of defragproxy.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/defragproxy.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\defragproxy.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for desktopshellext.dll DLL Hijacking
id: 7748222b-2897-48a3-6541-5b9ff8161828
status: experimental
description: Detects possible DLL hijacking of desktopshellext.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/desktopshellext.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\desktopshellext.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for deviceassociation.dll DLL Hijacking
id: 9855842b-9395-48a3-4833-5b9ff8471968
status: experimental
description: Detects possible DLL hijacking of deviceassociation.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/deviceassociation.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\deviceassociation.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for devicecredential.dll DLL Hijacking
id: 2311882b-9395-48a3-4833-5b9ff8413673
status: experimental
description: Detects possible DLL hijacking of devicecredential.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/devicecredential.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\devicecredential.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for devicepairing.dll DLL Hijacking
id: 7879042b-2897-48a3-6541-5b9ff8260424
status: experimental
description: Detects possible DLL hijacking of devicepairing.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/devicepairing.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\devicepairing.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for devobj.dll DLL Hijacking
id: 8682072b-9395-48a3-4833-5b9ff8213828
status: experimental
description: Detects possible DLL hijacking of devobj.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/devobj.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\devobj.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for devrtl.dll DLL Hijacking
id: 9963882b-9395-48a3-4833-5b9ff8275661
status: experimental
description: Detects possible DLL hijacking of devrtl.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/devrtl.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\devrtl.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dhcpcmonitor.dll DLL Hijacking
id: 9436532b-9395-48a3-4833-5b9ff8729785
status: experimental
description: Detects possible DLL hijacking of dhcpcmonitor.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dhcpcmonitor.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dhcpcmonitor.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dhcpcsvc.dll DLL Hijacking
id: 5762872b-9395-48a3-4833-5b9ff8822380
status: experimental
description: Detects possible DLL hijacking of dhcpcsvc.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dhcpcsvc.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dhcpcsvc.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dhcpcsvc6.dll DLL Hijacking
id: 4765142b-9395-48a3-4833-5b9ff8354004
status: experimental
description: Detects possible DLL hijacking of dhcpcsvc6.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dhcpcsvc6.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dhcpcsvc6.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for directmanipulation.dll DLL Hijacking
id: 5855902b-3713-48a3-9900-5b9ff8898085
status: experimental
description: Detects possible DLL hijacking of directmanipulation.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/directmanipulation.html
author: "Wietze Beukema"
date: 2022-08-14
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\directmanipulation.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dismapi.dll DLL Hijacking
id: 4578092b-9395-48a3-4833-5b9ff8120334
status: experimental
description: Detects possible DLL hijacking of dismapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dismapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dismapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dismcore.dll DLL Hijacking
id: 6725212b-5805-48a3-6769-5b9ff8788742
status: experimental
description: Detects possible DLL hijacking of dismcore.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dismcore.html
author: "Wietze Beukema"
date: 2021-02-28
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dismcore.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\dism\\*'
            - 'c:\windows\syswow64\dism\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dmcfgutils.dll DLL Hijacking
id: 4315002b-9395-48a3-4833-5b9ff8447004
status: experimental
description: Detects possible DLL hijacking of dmcfgutils.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dmcfgutils.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dmcfgutils.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dmcmnutils.dll DLL Hijacking
id: 7101172b-9395-48a3-4833-5b9ff8856627
status: experimental
description: Detects possible DLL hijacking of dmcmnutils.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dmcmnutils.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dmcmnutils.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dmcommandlineutils.dll DLL Hijacking
id: 7692222b-7437-48a3-2115-5b9ff8410370
status: experimental
description: Detects possible DLL hijacking of dmcommandlineutils.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dmcommandlineutils.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dmcommandlineutils.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dmenrollengine.dll DLL Hijacking
id: 2833242b-9395-48a3-4833-5b9ff8631937
status: experimental
description: Detects possible DLL hijacking of dmenrollengine.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dmenrollengine.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dmenrollengine.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dmenterprisediagnostics.dll DLL Hijacking
id: 6398362b-9395-48a3-4833-5b9ff8265899
status: experimental
description: Detects possible DLL hijacking of dmenterprisediagnostics.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dmenterprisediagnostics.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dmenterprisediagnostics.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dmiso8601utils.dll DLL Hijacking
id: 1237532b-9395-48a3-4833-5b9ff8860726
status: experimental
description: Detects possible DLL hijacking of dmiso8601utils.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dmiso8601utils.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dmiso8601utils.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dmoleaututils.dll DLL Hijacking
id: 2300382b-9395-48a3-4833-5b9ff8409411
status: experimental
description: Detects possible DLL hijacking of dmoleaututils.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dmoleaututils.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dmoleaututils.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dmprocessxmlfiltered.dll DLL Hijacking
id: 4632912b-9395-48a3-4833-5b9ff8323781
status: experimental
description: Detects possible DLL hijacking of dmprocessxmlfiltered.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dmprocessxmlfiltered.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dmprocessxmlfiltered.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dmpushproxy.dll DLL Hijacking
id: 5175912b-9395-48a3-4833-5b9ff8172848
status: experimental
description: Detects possible DLL hijacking of dmpushproxy.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dmpushproxy.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dmpushproxy.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dmxmlhelputils.dll DLL Hijacking
id: 8575152b-9395-48a3-4833-5b9ff8562376
status: experimental
description: Detects possible DLL hijacking of dmxmlhelputils.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dmxmlhelputils.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dmxmlhelputils.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dnsapi.dll DLL Hijacking
id: 1569142b-9395-48a3-4833-5b9ff8108668
status: experimental
description: Detects possible DLL hijacking of dnsapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dnsapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dnsapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dot3api.dll DLL Hijacking
id: 8362962b-9395-48a3-4833-5b9ff8109650
status: experimental
description: Detects possible DLL hijacking of dot3api.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dot3api.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dot3api.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dot3cfg.dll DLL Hijacking
id: 4314992b-9395-48a3-4833-5b9ff8437609
status: experimental
description: Detects possible DLL hijacking of dot3cfg.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dot3cfg.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dot3cfg.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dpx.dll DLL Hijacking
id: 3902172b-9395-48a3-4833-5b9ff8492788
status: experimental
description: Detects possible DLL hijacking of dpx.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dpx.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dpx.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for drprov.dll DLL Hijacking
id: 9503922b-2897-48a3-6541-5b9ff8288683
status: experimental
description: Detects possible DLL hijacking of drprov.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/drprov.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\drprov.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for drvstore.dll DLL Hijacking
id: 6411322b-7437-48a3-2115-5b9ff8903981
status: experimental
description: Detects possible DLL hijacking of drvstore.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/drvstore.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\drvstore.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dsclient.dll DLL Hijacking
id: 6179272b-9395-48a3-4833-5b9ff8530615
status: experimental
description: Detects possible DLL hijacking of dsclient.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dsclient.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dsclient.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dsparse.dll DLL Hijacking
id: 6615072b-9395-48a3-4833-5b9ff8465170
status: experimental
description: Detects possible DLL hijacking of dsparse.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dsparse.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dsparse.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dsprop.dll DLL Hijacking
id: 1827782b-2028-48a3-1241-5b9ff8874195
status: experimental
description: Detects possible DLL hijacking of dsprop.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dsprop.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dsprop.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dsreg.dll DLL Hijacking
id: 6792492b-9395-48a3-4833-5b9ff8651445
status: experimental
description: Detects possible DLL hijacking of dsreg.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dsreg.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dsreg.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dsrole.dll DLL Hijacking
id: 9078062b-9395-48a3-4833-5b9ff8546846
status: experimental
description: Detects possible DLL hijacking of dsrole.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dsrole.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dsrole.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dui70.dll DLL Hijacking
id: 2217052b-9395-48a3-4833-5b9ff8420789
status: experimental
description: Detects possible DLL hijacking of dui70.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dui70.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dui70.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for duser.dll DLL Hijacking
id: 2328902b-9395-48a3-4833-5b9ff8203981
status: experimental
description: Detects possible DLL hijacking of duser.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/duser.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\duser.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dusmapi.dll DLL Hijacking
id: 1329852b-9395-48a3-4833-5b9ff8295463
status: experimental
description: Detects possible DLL hijacking of dusmapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dusmapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dusmapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dwmapi.dll DLL Hijacking
id: 2798412b-9395-48a3-4833-5b9ff8309116
status: experimental
description: Detects possible DLL hijacking of dwmapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dwmapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dwmapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dwmcore.dll DLL Hijacking
id: 4981432b-9395-48a3-4833-5b9ff8158685
status: experimental
description: Detects possible DLL hijacking of dwmcore.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dwmcore.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dwmcore.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dwrite.dll DLL Hijacking
id: 6528592b-9395-48a3-4833-5b9ff8217120
status: experimental
description: Detects possible DLL hijacking of dwrite.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dwrite.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dwrite.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dxcore.dll DLL Hijacking
id: 8833022b-7437-48a3-2115-5b9ff8124273
status: experimental
description: Detects possible DLL hijacking of dxcore.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dxcore.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dxcore.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dxgi.dll DLL Hijacking
id: 3010002b-9395-48a3-4833-5b9ff8198142
status: experimental
description: Detects possible DLL hijacking of dxgi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dxgi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dxgi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dxva2.dll DLL Hijacking
id: 2453842b-9395-48a3-4833-5b9ff8585241
status: experimental
description: Detects possible DLL hijacking of dxva2.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dxva2.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dxva2.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dynamoapi.dll DLL Hijacking
id: 5174912b-9395-48a3-4833-5b9ff8133347
status: experimental
description: Detects possible DLL hijacking of dynamoapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dynamoapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dynamoapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for eappcfg.dll DLL Hijacking
id: 6614822b-9395-48a3-4833-5b9ff8230295
status: experimental
description: Detects possible DLL hijacking of eappcfg.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/eappcfg.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\eappcfg.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for eappprxy.dll DLL Hijacking
id: 9359382b-9395-48a3-4833-5b9ff8247280
status: experimental
description: Detects possible DLL hijacking of eappprxy.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/eappprxy.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\eappprxy.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for edgeiso.dll DLL Hijacking
id: 3554482b-7437-48a3-2115-5b9ff8269713
status: experimental
description: Detects possible DLL hijacking of edgeiso.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/edgeiso.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\edgeiso.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for edputil.dll DLL Hijacking
id: 6856632b-9395-48a3-4833-5b9ff8611042
status: experimental
description: Detects possible DLL hijacking of edputil.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/edputil.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\edputil.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for efsadu.dll DLL Hijacking
id: 9895722b-9395-48a3-4833-5b9ff8139270
status: experimental
description: Detects possible DLL hijacking of efsadu.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/efsadu.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\efsadu.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for efsutil.dll DLL Hijacking
id: 1016902b-9395-48a3-4833-5b9ff8578611
status: experimental
description: Detects possible DLL hijacking of efsutil.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/efsutil.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\efsutil.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for esent.dll DLL Hijacking
id: 8403012b-9395-48a3-4833-5b9ff8836666
status: experimental
description: Detects possible DLL hijacking of esent.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/esent.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\esent.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for execmodelproxy.dll DLL Hijacking
id: 3069482b-2897-48a3-6541-5b9ff8129344
status: experimental
description: Detects possible DLL hijacking of execmodelproxy.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/execmodelproxy.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\execmodelproxy.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for explorerframe.dll DLL Hijacking
id: 6152012b-2897-48a3-6541-5b9ff8339277
status: experimental
description: Detects possible DLL hijacking of explorerframe.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/explorerframe.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\explorerframe.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for fastprox.dll DLL Hijacking
id: 1209542b-2897-48a3-6541-5b9ff8404127
status: experimental
description: Detects possible DLL hijacking of fastprox.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fastprox.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\fastprox.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\wbem\\*'
            - 'c:\windows\syswow64\wbem\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for faultrep.dll DLL Hijacking
id: 4150202b-9395-48a3-4833-5b9ff8417232
status: experimental
description: Detects possible DLL hijacking of faultrep.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/faultrep.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\faultrep.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for fddevquery.dll DLL Hijacking
id: 2032172b-2897-48a3-6541-5b9ff8220303
status: experimental
description: Detects possible DLL hijacking of fddevquery.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fddevquery.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\fddevquery.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for feclient.dll DLL Hijacking
id: 2125072b-9395-48a3-4833-5b9ff8405483
status: experimental
description: Detects possible DLL hijacking of feclient.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/feclient.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\feclient.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for fhcfg.dll DLL Hijacking
id: 4670022b-2897-48a3-6541-5b9ff8306297
status: experimental
description: Detects possible DLL hijacking of fhcfg.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fhcfg.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\fhcfg.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for fhsvcctl.dll DLL Hijacking
id: 8416712b-9395-48a3-4833-5b9ff8207831
status: experimental
description: Detects possible DLL hijacking of fhsvcctl.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fhsvcctl.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\fhsvcctl.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for firewallapi.dll DLL Hijacking
id: 1091482b-9395-48a3-4833-5b9ff8446599
status: experimental
description: Detects possible DLL hijacking of firewallapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/firewallapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\firewallapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for flightsettings.dll DLL Hijacking
id: 4727242b-2897-48a3-6541-5b9ff8682949
status: experimental
description: Detects possible DLL hijacking of flightsettings.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/flightsettings.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\flightsettings.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for fltlib.dll DLL Hijacking
id: 5167542b-9395-48a3-4833-5b9ff8409224
status: experimental
description: Detects possible DLL hijacking of fltlib.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fltlib.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\fltlib.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for framedynos.dll DLL Hijacking
id: 3078282b-2028-48a3-1241-5b9ff8675877
status: experimental
description: Detects possible DLL hijacking of framedynos.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/framedynos.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\framedynos.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for fveapi.dll DLL Hijacking
id: 5417732b-9395-48a3-4833-5b9ff8562990
status: experimental
description: Detects possible DLL hijacking of fveapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fveapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\fveapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for fveskybackup.dll DLL Hijacking
id: 2269372b-2028-48a3-1241-5b9ff8428747
status: experimental
description: Detects possible DLL hijacking of fveskybackup.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fveskybackup.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\fveskybackup.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for fvewiz.dll DLL Hijacking
id: 5167582b-2028-48a3-1241-5b9ff8486388
status: experimental
description: Detects possible DLL hijacking of fvewiz.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fvewiz.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\fvewiz.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for fwbase.dll DLL Hijacking
id: 2178702b-9395-48a3-4833-5b9ff8390924
status: experimental
description: Detects possible DLL hijacking of fwbase.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fwbase.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\fwbase.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for fwcfg.dll DLL Hijacking
id: 3218182b-9395-48a3-4833-5b9ff8483469
status: experimental
description: Detects possible DLL hijacking of fwcfg.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fwcfg.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\fwcfg.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for fwpolicyiomgr.dll DLL Hijacking
id: 1957182b-9395-48a3-4833-5b9ff8172653
status: experimental
description: Detects possible DLL hijacking of fwpolicyiomgr.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fwpolicyiomgr.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\fwpolicyiomgr.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for fwpuclnt.dll DLL Hijacking
id: 7259712b-9395-48a3-4833-5b9ff8405123
status: experimental
description: Detects possible DLL hijacking of fwpuclnt.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fwpuclnt.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\fwpuclnt.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for fxsapi.dll DLL Hijacking
id: 6908812b-9395-48a3-4833-5b9ff8134207
status: experimental
description: Detects possible DLL hijacking of fxsapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fxsapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\fxsapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\system32\driverstore\filerepository\prnms002.inf_*\amd64\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for fxsst.dll DLL Hijacking
id: 3970842b-9395-48a3-4833-5b9ff8208325
status: experimental
description: Detects possible DLL hijacking of fxsst.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fxsst.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\fxsst.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
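An added example, not part of hijacklibs.net or of the fxsst.dll rule above: a minimal Python evaluator for the `selection and not filter` condition, run over constructed Sysmon-style file-create records. It implements Sigma's string escaping (`*` is a wildcard, `\*` a literal asterisk, `\\*` a backslash followed by the wildcard), which is what makes the filter entries behave as case-insensitive path prefixes, and it lets you see why an entry written `c:\windows\winsxs\*` matches only the literal path `c:\windows\winsxs*` and would never suppress a write under WinSxS. The rule is transcribed into `FXSST_RULE` with every filter entry in the `\\*` form, as the system32 entry already is; the event records, their `Image` values and the WinSxS component directory name are constructed for the example.

```python
import re
from typing import Dict, List, Tuple


def sigma_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    r"""Translate one Sigma wildcard string into a case-insensitive regex.

    Sigma escaping rules applied here:
      *     any run of characters, ? exactly one character
      \*    a literal asterisk  ('c:\dir\*' is the literal path 'c:\dir*')
      \\    a literal backslash ('c:\dir\\*' is 'c:\dir\' followed by the wildcard)
      \x    a backslash not followed by * ? or \ is just a backslash
    """
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?\\":
            parts.append(re.escape(pattern[i + 1]))  # escaped wildcard or backslash -> literal
            i += 2
            continue
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # plain character, including a lone backslash
        i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def values_match(values: List[str], actual: str) -> bool:
    """Several values under one field are OR-ed in Sigma."""
    return any(sigma_pattern_to_regex(v).fullmatch(actual) for v in values)


def search_matches(search: Dict[str, List[str]], event: Dict[str, str]) -> bool:
    """Several fields inside one search identifier are AND-ed."""
    return all(values_match(vals, str(event.get(field, ""))) for field, vals in search.items())


def evaluate(rule: Dict[str, Dict[str, List[str]]], event: Dict[str, str]) -> bool:
    """Every rule on this page uses the condition 'selection and not filter'."""
    return search_matches(rule["selection"], event) and not search_matches(rule["filter"], event)


# Transcribed from the fxsst.dll rule above. Each filter entry uses the '\\*' form
# (backslash, then wildcard), so it is a case-insensitive prefix match on the path.
FXSST_RULE = {
    "selection": {"TargetFileName": [r"*\fxsst.dll"]},
    "filter": {
        "TargetFileName": [
            r"c:\windows\system32\\*",
            r"c:\windows\winsxs\\*",
            r"c:\$windows.~bt\\*",
            r"c:\windows\softwaredistribution\\*",
        ]
    },
}

# Constructed file-create records for the example (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFileName": r"C:\Windows\System32\fxsst.dll"},                            # expected location: suppressed
    {"Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFileName": r"C:\Windows\WinSxS\amd64_constructed-component\fxsst.dll"},  # under the WinSxS prefix: suppressed
    {"Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetFileName": r"C:\Users\alice\AppData\Local\Temp\fxsst.dll"},              # user-writable path: alert
    {"Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetFileName": r"C:\Windows\fxsst.dll"},                                     # c:\windows itself is not a filtered prefix: alert
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetFileName": r"C:\Windows\System32\Tasks\fxsst.dll"},                     # caveat: the prefix also covers subdirectories of system32
    {"Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetFileName": r"C:\Temp\notfxsst.dll"},                                     # '*\fxsst.dll' needs a separator before the name: not selected
]


def run(rule=FXSST_RULE, events=SAMPLE_EVENTS) -> List[Tuple[str, bool]]:
    """Return (path, alert) for every record."""
    return [(e["TargetFileName"], evaluate(rule, e)) for e in events]


def filter_entry_suppresses(entry: str, path: str) -> bool:
    r"""Does a single filter entry, exactly as written, match this path?
    Compare 'c:\windows\winsxs\*' (literal asterisk) with 'c:\windows\winsxs\\*'."""
    return sigma_pattern_to_regex(entry).fullmatch(path) is not None


if __name__ == "__main__":
    for path, alert in run():
        print(("ALERT  " if alert else "filter ") + path)
```

Running it prints one verdict per record. The evaluator applies unchanged to every rule on this page, since they differ only in the DLL name and the filter prefixes; the `Tasks` record shows the caveat that a prefix filter silently excludes writes to any subdirectory of the trusted location as well.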

---
title: Possible preparation for fxstiff.dll DLL Hijacking
id: 3206572b-9395-48a3-4833-5b9ff8375862
status: experimental
description: Detects possible DLL hijacking of fxstiff.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fxstiff.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\fxstiff.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\system32\driverstore\filerepository\prnms002.inf_*\amd64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for getuname.dll DLL Hijacking
id: 5568752b-9395-48a3-4833-5b9ff8246438
status: experimental
description: Detects possible DLL hijacking of getuname.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/getuname.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\getuname.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for gpapi.dll DLL Hijacking
id: 9896982b-2028-48a3-1241-5b9ff8209774
status: experimental
description: Detects possible DLL hijacking of gpapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/gpapi.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\gpapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for hid.dll DLL Hijacking
id: 6846082b-9395-48a3-4833-5b9ff8599306
status: experimental
description: Detects possible DLL hijacking of hid.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/hid.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\hid.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for hnetmon.dll DLL Hijacking
id: 3471722b-9395-48a3-4833-5b9ff8184564
status: experimental
description: Detects possible DLL hijacking of hnetmon.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/hnetmon.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\hnetmon.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for httpapi.dll DLL Hijacking
id: 6146262b-9395-48a3-4833-5b9ff8117686
status: experimental
description: Detects possible DLL hijacking of httpapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/httpapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\httpapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for icmp.dll DLL Hijacking
id: 8888662b-7437-48a3-2115-5b9ff8103787
status: experimental
description: Detects possible DLL hijacking of icmp.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/icmp.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\icmp.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for idstore.dll DLL Hijacking
id: 7442222b-2897-48a3-6541-5b9ff8613529
status: experimental
description: Detects possible DLL hijacking of idstore.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/idstore.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\idstore.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ieadvpack.dll DLL Hijacking
id: 4836072b-9395-48a3-4833-5b9ff8392813
status: experimental
description: Detects possible DLL hijacking of ieadvpack.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ieadvpack.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ieadvpack.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for iedkcs32.dll DLL Hijacking
id: 1841572b-9395-48a3-4833-5b9ff8456937
status: experimental
description: Detects possible DLL hijacking of iedkcs32.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/iedkcs32.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\iedkcs32.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for iernonce.dll DLL Hijacking
id: 8055052b-8657-48a3-9976-5b9ff8164533
status: experimental
description: Detects possible DLL hijacking of iernonce.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/iernonce.html
author: "Wietze Beukema"
date: 2024-01-11
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\iernonce.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for iertutil.dll DLL Hijacking
id: 9799892b-9395-48a3-4833-5b9ff8106885
status: experimental
description: Detects possible DLL hijacking of iertutil.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/iertutil.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\iertutil.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ifmon.dll DLL Hijacking
id: 3414862b-9395-48a3-4833-5b9ff8764534
status: experimental
description: Detects possible DLL hijacking of ifmon.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ifmon.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ifmon.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ifsutil.dll DLL Hijacking
id: 5896392b-2028-48a3-1241-5b9ff8689220
status: experimental
description: Detects possible DLL hijacking of ifsutil.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ifsutil.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ifsutil.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for inproclogger.dll DLL Hijacking
id: 6833742b-9395-48a3-4833-5b9ff8705863
status: experimental
description: Detects possible DLL hijacking of inproclogger.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/inproclogger.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\inproclogger.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for iphlpapi.dll DLL Hijacking
id: 8022122b-9395-48a3-4833-5b9ff8290114
status: experimental
description: Detects possible DLL hijacking of iphlpapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/iphlpapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\iphlpapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for iri.dll DLL Hijacking
id: 8237042b-9395-48a3-4833-5b9ff8607678
status: experimental
description: Detects possible DLL hijacking of iri.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/iri.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\iri.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for iscsidsc.dll DLL Hijacking
id: 9216592b-9395-48a3-4833-5b9ff8195926
status: experimental
description: Detects possible DLL hijacking of iscsidsc.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/iscsidsc.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\iscsidsc.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for iscsiexe.dll DLL Hijacking
id: 9451792b-9943-48a3-1235-5b9ff8225239
status: experimental
description: Detects possible DLL hijacking of iscsiexe.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/iscsiexe.html
author: "Wietze Beukema"
date: 2023-05-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\iscsiexe.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for iscsium.dll DLL Hijacking
id: 4878472b-9395-48a3-4833-5b9ff8627657
status: experimental
description: Detects possible DLL hijacking of iscsium.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/iscsium.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\iscsium.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for isv.exe_rsaenh.dll DLL Hijacking
id: 2823562b-2897-48a3-6541-5b9ff8886240
status: experimental
description: Detects possible DLL hijacking of isv.exe_rsaenh.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/isv.exe_rsaenh.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\isv.exe_rsaenh.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for iumbase.dll DLL Hijacking
id: 4934852b-9395-48a3-4833-5b9ff8496726
status: experimental
description: Detects possible DLL hijacking of iumbase.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/iumbase.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\iumbase.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for iumsdk.dll DLL Hijacking
id: 5717572b-2028-48a3-1241-5b9ff8424484
status: experimental
description: Detects possible DLL hijacking of iumsdk.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/iumsdk.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\iumsdk.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for joinutil.dll DLL Hijacking
id: 4591102b-9395-48a3-4833-5b9ff8643242
status: experimental
description: Detects possible DLL hijacking of joinutil.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/joinutil.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\joinutil.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for kdstub.dll DLL Hijacking
id: 5724122b-9395-48a3-4833-5b9ff8416715
status: experimental
description: Detects possible DLL hijacking of kdstub.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/kdstub.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\kdstub.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ksuser.dll DLL Hijacking
id: 3683682b-9395-48a3-4833-5b9ff8421205
status: experimental
description: Detects possible DLL hijacking of ksuser.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ksuser.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ksuser.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ktmw32.dll DLL Hijacking
id: 5862132b-9395-48a3-4833-5b9ff8477254
status: experimental
description: Detects possible DLL hijacking of ktmw32.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ktmw32.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ktmw32.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for libsmartscreenn.dll DLL Hijacking
id: 8778332b-2788-48a3-7807-5b9ff8401123
status: experimental
description: Detects possible DLL hijacking of libsmartscreenn.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/libsmartscreenn.html
author: "Still Hsu"
date: 2025-12-12
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\libsmartscreenn.dll'
    filter:
        TargetFileName:
            - 'c:\program files\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe\\*'
            - 'c:\program files (x86)\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for licensemanagerapi.dll DLL Hijacking
id: 8594652b-9395-48a3-4833-5b9ff8882646
status: experimental
description: Detects possible DLL hijacking of licensemanagerapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/licensemanagerapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\licensemanagerapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for licensingdiagspp.dll DLL Hijacking
id: 5430352b-2897-48a3-6541-5b9ff8974142
status: experimental
description: Detects possible DLL hijacking of licensingdiagspp.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/licensingdiagspp.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\licensingdiagspp.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for linkinfo.dll DLL Hijacking
id: 2001402b-9395-48a3-4833-5b9ff8317389
status: experimental
description: Detects possible DLL hijacking of linkinfo.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/linkinfo.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\linkinfo.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for loadperf.dll DLL Hijacking
id: 2982232b-9395-48a3-4833-5b9ff8208198
status: experimental
description: Detects possible DLL hijacking of loadperf.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/loadperf.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\loadperf.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for lockhostingframework.dll DLL Hijacking
id: 5122862b-7437-48a3-2115-5b9ff8275215
status: experimental
description: Detects possible DLL hijacking of lockhostingframework.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/lockhostingframework.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\lockhostingframework.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for logoncli.dll DLL Hijacking
id: 6980412b-9395-48a3-4833-5b9ff8802481
status: experimental
description: Detects possible DLL hijacking of logoncli.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/logoncli.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\logoncli.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for logoncontroller.dll DLL Hijacking
id: 5806962b-2897-48a3-6541-5b9ff8278181
status: experimental
description: Detects possible DLL hijacking of logoncontroller.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/logoncontroller.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\logoncontroller.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for lpksetupproxyserv.dll DLL Hijacking
id: 6072272b-2897-48a3-6541-5b9ff8638573
status: experimental
description: Detects possible DLL hijacking of lpksetupproxyserv.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/lpksetupproxyserv.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\lpksetupproxyserv.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for lrwizdll.dll DLL Hijacking
id: 4952172b-7437-48a3-2115-5b9ff8232921
status: experimental
description: Detects possible DLL hijacking of lrwizdll.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/lrwizdll.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\lrwizdll.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for magnification.dll DLL Hijacking
id: 2872262b-9395-48a3-4833-5b9ff8391268
status: experimental
description: Detects possible DLL hijacking of magnification.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/magnification.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\magnification.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for maintenanceui.dll DLL Hijacking
id: 4682162b-9395-48a3-4833-5b9ff8694207
status: experimental
description: Detects possible DLL hijacking of maintenanceui.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/maintenanceui.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\maintenanceui.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mapistub.dll DLL Hijacking
id: 5726672b-9395-48a3-4833-5b9ff8112443
status: experimental
description: Detects possible DLL hijacking of mapistub.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mapistub.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mapistub.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mbaexmlparser.dll DLL Hijacking
id: 9687192b-7437-48a3-2115-5b9ff8871207
status: experimental
description: Detects possible DLL hijacking of mbaexmlparser.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mbaexmlparser.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mbaexmlparser.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mdmdiagnostics.dll DLL Hijacking
id: 4508102b-9395-48a3-4833-5b9ff8964655
status: experimental
description: Detects possible DLL hijacking of mdmdiagnostics.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mdmdiagnostics.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mdmdiagnostics.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mfc42u.dll DLL Hijacking
id: 6481582b-2028-48a3-1241-5b9ff8565884
status: experimental
description: Detects possible DLL hijacking of mfc42u.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mfc42u.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mfc42u.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mfcore.dll DLL Hijacking
id: 3688632b-9395-48a3-4833-5b9ff8571735
status: experimental
description: Detects possible DLL hijacking of mfcore.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mfcore.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mfcore.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mfplat.dll DLL Hijacking
id: 4567292b-9395-48a3-4833-5b9ff8773722
status: experimental
description: Detects possible DLL hijacking of mfplat.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mfplat.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mfplat.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mi.dll DLL Hijacking
id: 2438452b-9395-48a3-4833-5b9ff8526320
status: experimental
description: Detects possible DLL hijacking of mi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for microsoft.ui.xaml.xamltypeinfo.dll DLL Hijacking
id: 3584232b-7740-48a3-2257-5b9ff8497102
status: experimental
description: Detects possible DLL hijacking of microsoft.ui.xaml.xamltypeinfo.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/microsoft.ui.xaml.xamltypeinfo.html
author: "Wietze Beukema"
date: 2023-04-03
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\microsoft.ui.xaml.xamltypeinfo.dll'

    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for midimap.dll DLL Hijacking
id: 8023582b-9395-48a3-4833-5b9ff8761785
status: experimental
description: Detects possible DLL hijacking of midimap.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/midimap.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\midimap.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mintdh.dll DLL Hijacking
id: 5785242b-9395-48a3-4833-5b9ff8239019
status: experimental
description: Detects possible DLL hijacking of mintdh.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mintdh.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mintdh.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for miracastview.dll DLL Hijacking
id: 6584332b-8048-48a3-5501-5b9ff8874671
status: experimental
description: Detects possible DLL hijacking of miracastview.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/miracastview.html
author: "Wietze Beukema"
date: 2025-05-24
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\miracastview.dll'
    filter:
        TargetFileName:
            - 'c:\windows\Miracast\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for miutils.dll DLL Hijacking
id: 4372052b-9395-48a3-4833-5b9ff8945538
status: experimental
description: Detects possible DLL hijacking of miutils.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/miutils.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\miutils.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mlang.dll DLL Hijacking
id: 7322742b-9395-48a3-4833-5b9ff8221874
status: experimental
description: Detects possible DLL hijacking of mlang.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mlang.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mlang.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mmdevapi.dll DLL Hijacking
id: 9558472b-9395-48a3-4833-5b9ff8992542
status: experimental
description: Detects possible DLL hijacking of mmdevapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mmdevapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mmdevapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mobilenetworking.dll DLL Hijacking
id: 9171712b-9395-48a3-4833-5b9ff8331119
status: experimental
description: Detects possible DLL hijacking of mobilenetworking.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mobilenetworking.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mobilenetworking.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mpclient.dll DLL Hijacking
id: 9533392b-5388-48a3-9769-5b9ff8396239
status: experimental
description: Detects possible DLL hijacking of mpclient.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mpclient.html
author: "Wietze Beukema"
date: 2022-08-01
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mpclient.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Windows Defender\\*'
            - 'c:\program files (x86)\Windows Defender\\*'
            - 'c:\programdata\Microsoft\Windows Defender\Platform\\*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mpr.dll DLL Hijacking
id: 9888072b-2897-48a3-6541-5b9ff8877061
status: experimental
description: Detects possible DLL hijacking of mpr.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mpr.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mpr.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mprapi.dll DLL Hijacking
id: 9799432b-9395-48a3-4833-5b9ff8574714
status: experimental
description: Detects possible DLL hijacking of mprapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mprapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mprapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mpsvc.dll DLL Hijacking
id: 9492752b-1313-48a3-6160-5b9ff8899459
status: experimental
description: Detects possible DLL hijacking of mpsvc.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html
author: "Wietze Beukema"
date: 2021-12-07
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mpsvc.dll'
    filter:
        TargetFileName:
            - 'c:\programdata\Microsoft\Windows Defender\Platform\\*\\*'
            - 'c:\program files\Windows Defender\\*\\*'
            - 'c:\program files (x86)\Windows Defender\\*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mrmcorer.dll DLL Hijacking
id: 8933342b-9395-48a3-4833-5b9ff8482255
status: experimental
description: Detects possible DLL hijacking of mrmcorer.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mrmcorer.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mrmcorer.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for msacm32.dll DLL Hijacking
id: 3369642b-9395-48a3-4833-5b9ff8580297
status: experimental
description: Detects possible DLL hijacking of msacm32.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/msacm32.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\msacm32.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for msasn1.dll DLL Hijacking
id: 5593412b-7568-48a3-5988-5b9ff8497391
status: experimental
description: Detects possible DLL hijacking of msasn1.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/msasn1.html
author: "ice-wzl"
date: 2025-04-04
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\msasn1.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mscms.dll DLL Hijacking
id: 1778042b-9395-48a3-4833-5b9ff8170436
status: experimental
description: Detects possible DLL hijacking of mscms.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mscms.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mscms.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mscoree.dll DLL Hijacking
id: 4677682b-9395-48a3-4833-5b9ff8985242
status: experimental
description: Detects possible DLL hijacking of mscoree.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mscoree.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mscoree.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mscorsvc.dll DLL Hijacking
id: 4602002b-4150-48a3-8413-5b9ff8132122
status: experimental
description: Detects possible DLL hijacking of mscorsvc.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html
author: "Wietze Beukema"
date: 2023-04-04
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mscorsvc.dll'
    filter:
        TargetFileName:
            - 'c:\windows\Microsoft.NET\Framework\v*\\*'
            - 'c:\windows\Microsoft.NET\Framework64\v*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for msctf.dll DLL Hijacking
id: 7893482b-2897-48a3-6541-5b9ff8843696
status: experimental
description: Detects possible DLL hijacking of msctf.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/msctf.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\msctf.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for msctfmonitor.dll DLL Hijacking
id: 5674012b-9395-48a3-4833-5b9ff8138318
status: experimental
description: Detects possible DLL hijacking of msctfmonitor.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/msctfmonitor.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\msctfmonitor.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for msdrm.dll DLL Hijacking
id: 5775842b-9395-48a3-4833-5b9ff8407709
status: experimental
description: Detects possible DLL hijacking of msdrm.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/msdrm.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\msdrm.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for msdtctm.dll DLL Hijacking
id: 4236132b-9395-48a3-4833-5b9ff8148557
status: experimental
description: Detects possible DLL hijacking of msdtctm.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/msdtctm.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\msdtctm.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for msedge.dll DLL Hijacking
id: 8987612b-6939-48a3-6071-5b9ff8509508
status: experimental
description: Detects possible DLL hijacking of msedge.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/msedge.html
author: "Swachchhanda Shrawan Poudel"
date: 2024-07-25
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\msedge.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Microsoft\Edge\Application\\*\\*'
            - 'c:\program files (x86)\Microsoft\Edge\Application\\*\\*'
            - 'c:\program files\Microsoft\Edgewebview\Application\\*\\*'
            - 'c:\program files (x86)\Microsoft\Edgewebview\Application\\*\\*'
            - 'c:\program files\Microsoft\EdgeCore\\*\\*'
            - 'c:\program files (x86)\Microsoft\EdgeCore\\*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for msedge_elf.dll DLL Hijacking
id: 3135232b-6795-48a3-8155-5b9ff8191152
status: experimental
description: Detects possible DLL hijacking of msedge_elf.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/msedge_elf.html
author: "Still Hsu"
date: 2024-07-10
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\msedge_elf.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Microsoft\Edge\Application\\*\\*'
            - 'c:\program files (x86)\Microsoft\Edge\Application\\*\\*'
            - 'c:\program files\Microsoft\EdgeCore\\*\\*'
            - 'c:\program files (x86)\Microsoft\EdgeCore\\*\\*'
            - 'c:\program files\Microsoft\EdgeWebView\\*\\*'
            - 'c:\program files (x86)\Microsoft\EdgeWebView\\*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for msedgeupdate.dll DLL Hijacking
id: 9488222b-6363-48a3-2268-5b9ff8261094
status: experimental
description: Detects possible DLL hijacking of msedgeupdate.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/msedgeupdate.html
author: "Still Hsu"
date: 2024-05-26
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\msedgeupdate.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Microsoft\EdgeUpdate\\*\\*'
            - 'c:\program files (x86)\Microsoft\EdgeUpdate\\*\\*'
            - 'c:\program files\Microsoft\Temp\\*\\*'
            - 'c:\program files (x86)\Microsoft\Temp\\*\\*'
            - 'c:\users\\*\appdata\local\Microsoft\EdgeUpdate\\*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for msftedit.dll DLL Hijacking
id: 4461592b-9395-48a3-4833-5b9ff8468462
status: experimental
description: Detects possible DLL hijacking of msftedit.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/msftedit.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\msftedit.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for msi.dll DLL Hijacking
id: 7601442b-9395-48a3-4833-5b9ff8160815
status: experimental
description: Detects possible DLL hijacking of msi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/msi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\msi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for msiso.dll DLL Hijacking
id: 4875422b-2028-48a3-1241-5b9ff8636274
status: experimental
description: Detects possible DLL hijacking of msiso.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/msiso.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\msiso.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mstracer.dll DLL Hijacking
id: 2382212b-6722-48a3-2305-5b9ff8323341
status: experimental
description: Detects possible DLL hijacking of mstracer.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mstracer.html
author: "Wietze Beukema"
date: 2021-12-08
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mstracer.dll'

    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for msutb.dll DLL Hijacking
id: 5880292b-9395-48a3-4833-5b9ff8438593
status: experimental
description: Detects possible DLL hijacking of msutb.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/msutb.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\msutb.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for msvcp110_win.dll DLL Hijacking
id: 6028652b-2028-48a3-1241-5b9ff8511578
status: experimental
description: Detects possible DLL hijacking of msvcp110_win.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/msvcp110_win.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\msvcp110_win.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for msvcp140.dll DLL Hijacking
id: 3432362b-3119-48a3-1242-5b9ff8554273
status: experimental
description: Detects possible DLL hijacking of msvcp140.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/msvcp140.html
author: "Swachchhanda Shrawan Poudel"
date: 2025-07-12
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\msvcp140.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\program files\\*'
            - 'c:\program files (x86)\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for msvcr100.dll DLL Hijacking
id: 9408692b-2326-48a3-2877-5b9ff8663725
status: experimental
description: Detects possible DLL hijacking of msvcr100.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/msvcr100.html
author: "Wietze Beukema"
date: 2022-09-26
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\msvcr100.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mswb7.dll DLL Hijacking
id: 7172102b-2897-48a3-6541-5b9ff8659678
status: experimental
description: Detects possible DLL hijacking of mswb7.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mswb7.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mswb7.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mswsock.dll DLL Hijacking
id: 1980312b-2897-48a3-6541-5b9ff8496444
status: experimental
description: Detects possible DLL hijacking of mswsock.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mswsock.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mswsock.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for msxml3.dll DLL Hijacking
id: 8921942b-2897-48a3-6541-5b9ff8888889
status: experimental
description: Detects possible DLL hijacking of msxml3.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/msxml3.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\msxml3.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mtxclu.dll DLL Hijacking
id: 4477142b-9395-48a3-4833-5b9ff8677703
status: experimental
description: Detects possible DLL hijacking of mtxclu.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mtxclu.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mtxclu.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for napinsp.dll DLL Hijacking
id: 9038112b-2897-48a3-6541-5b9ff8343376
status: experimental
description: Detects possible DLL hijacking of napinsp.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/napinsp.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\napinsp.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ncrypt.dll DLL Hijacking
id: 8195022b-2897-48a3-6541-5b9ff8899931
status: experimental
description: Detects possible DLL hijacking of ncrypt.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ncrypt.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ncrypt.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ndfapi.dll DLL Hijacking
id: 6612642b-9395-48a3-4833-5b9ff8882182
status: experimental
description: Detects possible DLL hijacking of ndfapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ndfapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ndfapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for netapi32.dll DLL Hijacking
id: 2953082b-2028-48a3-1241-5b9ff8485289
status: experimental
description: Detects possible DLL hijacking of netapi32.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/netapi32.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\netapi32.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for netid.dll DLL Hijacking
id: 5323452b-9395-48a3-4833-5b9ff8186832
status: experimental
description: Detects possible DLL hijacking of netid.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/netid.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\netid.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for netiohlp.dll DLL Hijacking
id: 8644652b-9395-48a3-4833-5b9ff8157699
status: experimental
description: Detects possible DLL hijacking of netiohlp.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/netiohlp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\netiohlp.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for netjoin.dll DLL Hijacking
id: 4164142b-7437-48a3-2115-5b9ff8974358
status: experimental
description: Detects possible DLL hijacking of netjoin.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/netjoin.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\netjoin.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for netplwiz.dll DLL Hijacking
id: 7258322b-9395-48a3-4833-5b9ff8899216
status: experimental
description: Detects possible DLL hijacking of netplwiz.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/netplwiz.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\netplwiz.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for netprofm.dll DLL Hijacking
id: 8642452b-2897-48a3-6541-5b9ff8920546
status: experimental
description: Detects possible DLL hijacking of netprofm.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/netprofm.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\netprofm.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for netprovfw.dll DLL Hijacking
id: 2882372b-2028-48a3-1241-5b9ff8545285
status: experimental
description: Detects possible DLL hijacking of netprovfw.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/netprovfw.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\netprovfw.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for netsetupapi.dll DLL Hijacking
id: 4746272b-2897-48a3-6541-5b9ff8795946
status: experimental
description: Detects possible DLL hijacking of netsetupapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/netsetupapi.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\netsetupapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for netshell.dll DLL Hijacking
id: 5892862b-9395-48a3-4833-5b9ff8548121
status: experimental
description: Detects possible DLL hijacking of netshell.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/netshell.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\netshell.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for nettrace.dll DLL Hijacking
id: 8579312b-9395-48a3-4833-5b9ff8870700
status: experimental
description: Detects possible DLL hijacking of nettrace.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/nettrace.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\nettrace.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for netutils.dll DLL Hijacking
id: 8141062b-9395-48a3-4833-5b9ff8434368
status: experimental
description: Detects possible DLL hijacking of netutils.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/netutils.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\netutils.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for networkexplorer.dll DLL Hijacking
id: 3761742b-2897-48a3-6541-5b9ff8877288
status: experimental
description: Detects possible DLL hijacking of networkexplorer.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/networkexplorer.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\networkexplorer.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for newdev.dll DLL Hijacking
id: 2481972b-9395-48a3-4833-5b9ff8913405
status: experimental
description: Detects possible DLL hijacking of newdev.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/newdev.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\newdev.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ninput.dll DLL Hijacking
id: 5562332b-9395-48a3-4833-5b9ff8514841
status: experimental
description: Detects possible DLL hijacking of ninput.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ninput.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ninput.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for nlaapi.dll DLL Hijacking
id: 4359562b-9395-48a3-4833-5b9ff8911170
status: experimental
description: Detects possible DLL hijacking of nlaapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/nlaapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\nlaapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for nlansp_c.dll DLL Hijacking
id: 6274252b-2897-48a3-6541-5b9ff8652244
status: experimental
description: Detects possible DLL hijacking of nlansp_c.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/nlansp_c.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\nlansp_c.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for npmproxy.dll DLL Hijacking
id: 4779592b-2897-48a3-6541-5b9ff8548761
status: experimental
description: Detects possible DLL hijacking of npmproxy.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/npmproxy.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\npmproxy.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for nshhttp.dll DLL Hijacking
id: 7933992b-9395-48a3-4833-5b9ff8291887
status: experimental
description: Detects possible DLL hijacking of nshhttp.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/nshhttp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\nshhttp.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for nshipsec.dll DLL Hijacking
id: 4129422b-9395-48a3-4833-5b9ff8694400
status: experimental
description: Detects possible DLL hijacking of nshipsec.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/nshipsec.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\nshipsec.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for nshwfp.dll DLL Hijacking
id: 6132852b-9395-48a3-4833-5b9ff8118977
status: experimental
description: Detects possible DLL hijacking of nshwfp.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/nshwfp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\nshwfp.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ntdsapi.dll DLL Hijacking
id: 2314552b-9395-48a3-4833-5b9ff8222141
status: experimental
description: Detects possible DLL hijacking of ntdsapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ntdsapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ntdsapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ntlanman.dll DLL Hijacking
id: 2754312b-2897-48a3-6541-5b9ff8624493
status: experimental
description: Detects possible DLL hijacking of ntlanman.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ntlanman.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ntlanman.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ntlmshared.dll DLL Hijacking
id: 5500122b-9395-48a3-4833-5b9ff8568481
status: experimental
description: Detects possible DLL hijacking of ntlmshared.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ntlmshared.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ntlmshared.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ntmarta.dll DLL Hijacking
id: 5456732b-3713-48a3-9900-5b9ff8286100
status: experimental
description: Detects possible DLL hijacking of ntmarta.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ntmarta.html
author: "Wietze Beukema"
date: 2022-08-14
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ntmarta.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ntprint.dll DLL Hijacking
id: 1969622b-7194-48a3-1387-5b9ff8446202
status: experimental
description: Detects possible DLL hijacking of ntprint.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ntprint.html
author: "SanSan"
date: 2026-03-06
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ntprint.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ntshrui.dll DLL Hijacking
id: 7303342b-2897-48a3-6541-5b9ff8879948
status: experimental
description: Detects possible DLL hijacking of ntshrui.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ntshrui.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ntshrui.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for oci.dll DLL Hijacking
id: 4360572b-4908-48a3-8140-5b9ff8970133
status: experimental
description: Detects possible DLL hijacking of oci.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/oci.html
author: "Wietze Beukema"
date: 2022-06-12
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\oci.dll'

    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for offdmpsvc.dll DLL Hijacking
id: 1236342b-2879-48a3-1562-5b9ff8542681
status: experimental
description: Detects possible DLL hijacking of offdmpsvc.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/offdmpsvc.html
author: "Swachchhanda Shrawan Poudel"
date: 2025-06-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\offdmpsvc.dll'

    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for oleacc.dll DLL Hijacking
id: 4926792b-9395-48a3-4833-5b9ff8124348
status: experimental
description: Detects possible DLL hijacking of oleacc.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/oleacc.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\oleacc.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for omadmapi.dll DLL Hijacking
id: 8004202b-9395-48a3-4833-5b9ff8554255
status: experimental
description: Detects possible DLL hijacking of omadmapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/omadmapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\omadmapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for onex.dll DLL Hijacking
id: 6495402b-9395-48a3-4833-5b9ff8535080
status: experimental
description: Detects possible DLL hijacking of onex.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/onex.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\onex.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for opcservices.dll DLL Hijacking
id: 7156182b-7437-48a3-2115-5b9ff8456979
status: experimental
description: Detects possible DLL hijacking of opcservices.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/opcservices.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\opcservices.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for osbaseln.dll DLL Hijacking
id: 4838062b-9395-48a3-4833-5b9ff8462420
status: experimental
description: Detects possible DLL hijacking of osbaseln.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/osbaseln.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\osbaseln.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for osksupport.dll DLL Hijacking
id: 3923772b-9395-48a3-4833-5b9ff8986010
status: experimental
description: Detects possible DLL hijacking of osksupport.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/osksupport.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\osksupport.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for osuninst.dll DLL Hijacking
id: 1994012b-9395-48a3-4833-5b9ff8574476
status: experimental
description: Detects possible DLL hijacking of osuninst.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/osuninst.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\osuninst.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for p2p.dll DLL Hijacking
id: 1363062b-9395-48a3-4833-5b9ff8896292
status: experimental
description: Detects possible DLL hijacking of p2p.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/p2p.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\p2p.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for p2pnetsh.dll DLL Hijacking
id: 9775132b-9395-48a3-4833-5b9ff8244839
status: experimental
description: Detects possible DLL hijacking of p2pnetsh.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/p2pnetsh.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\p2pnetsh.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for p9np.dll DLL Hijacking
id: 7018842b-2897-48a3-6541-5b9ff8360207
status: experimental
description: Detects possible DLL hijacking of p9np.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/p9np.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\p9np.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for pcaui.dll DLL Hijacking
id: 8818922b-9395-48a3-4833-5b9ff8984545
status: experimental
description: Detects possible DLL hijacking of pcaui.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/pcaui.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\pcaui.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for pdh.dll DLL Hijacking
id: 1939332b-9395-48a3-4833-5b9ff8502559
status: experimental
description: Detects possible DLL hijacking of pdh.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/pdh.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\pdh.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for peerdistsh.dll DLL Hijacking
id: 3482932b-9395-48a3-4833-5b9ff8816370
status: experimental
description: Detects possible DLL hijacking of peerdistsh.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/peerdistsh.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\peerdistsh.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for pkeyhelper.dll DLL Hijacking
id: 1205472b-7437-48a3-2115-5b9ff8209035
status: experimental
description: Detects possible DLL hijacking of pkeyhelper.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/pkeyhelper.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\pkeyhelper.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for pla.dll DLL Hijacking
id: 2941912b-2897-48a3-6541-5b9ff8972273
status: experimental
description: Detects possible DLL hijacking of pla.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/pla.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\pla.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for playsndsrv.dll DLL Hijacking
id: 8132182b-7437-48a3-2115-5b9ff8908985
status: experimental
description: Detects possible DLL hijacking of playsndsrv.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/playsndsrv.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\playsndsrv.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for pnrpnsp.dll DLL Hijacking
id: 6771032b-2897-48a3-6541-5b9ff8569570
status: experimental
description: Detects possible DLL hijacking of pnrpnsp.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/pnrpnsp.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\pnrpnsp.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for policymanager.dll DLL Hijacking
id: 7392462b-9395-48a3-4833-5b9ff8923886
status: experimental
description: Detects possible DLL hijacking of policymanager.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/policymanager.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\policymanager.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for polstore.dll DLL Hijacking
id: 1956832b-9395-48a3-4833-5b9ff8743827
status: experimental
description: Detects possible DLL hijacking of polstore.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/polstore.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\polstore.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for powrprof.dll DLL Hijacking
id: 1716072b-2028-48a3-1241-5b9ff8719382
status: experimental
description: Detects possible DLL hijacking of powrprof.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/powrprof.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\powrprof.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for printui.dll DLL Hijacking
id: 3384162b-9395-48a3-4833-5b9ff8721852
status: experimental
description: Detects possible DLL hijacking of printui.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/printui.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\printui.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for prntvpt.dll DLL Hijacking
id: 4968092b-7437-48a3-2115-5b9ff8372638
status: experimental
description: Detects possible DLL hijacking of prntvpt.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/prntvpt.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\prntvpt.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for profapi.dll DLL Hijacking
id: 3508432b-2028-48a3-1241-5b9ff8610394
status: experimental
description: Detects possible DLL hijacking of profapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/profapi.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\profapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for propsys.dll DLL Hijacking
id: 8128112b-9395-48a3-4833-5b9ff8867829
status: experimental
description: Detects possible DLL hijacking of propsys.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/propsys.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\propsys.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for proximitycommon.dll DLL Hijacking
id: 5439992b-7437-48a3-2115-5b9ff8325058
status: experimental
description: Detects possible DLL hijacking of proximitycommon.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/proximitycommon.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\proximitycommon.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for proximityservicepal.dll DLL Hijacking
id: 9554352b-7437-48a3-2115-5b9ff8177990
status: experimental
description: Detects possible DLL hijacking of proximityservicepal.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/proximityservicepal.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\proximityservicepal.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for prvdmofcomp.dll DLL Hijacking
id: 5225472b-9395-48a3-4833-5b9ff8834519
status: experimental
description: Detects possible DLL hijacking of prvdmofcomp.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/prvdmofcomp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\prvdmofcomp.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for puiapi.dll DLL Hijacking
id: 7492782b-9395-48a3-4833-5b9ff8674631
status: experimental
description: Detects possible DLL hijacking of puiapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/puiapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\puiapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for radcui.dll DLL Hijacking
id: 3291592b-9395-48a3-4833-5b9ff8152241
status: experimental
description: Detects possible DLL hijacking of radcui.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/radcui.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\radcui.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for rasapi32.dll DLL Hijacking
id: 7029572b-9395-48a3-4833-5b9ff8188353
status: experimental
description: Detects possible DLL hijacking of rasapi32.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/rasapi32.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\rasapi32.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for rasdlg.dll DLL Hijacking
id: 5824042b-7437-48a3-2115-5b9ff8643360
status: experimental
description: Detects possible DLL hijacking of rasdlg.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/rasdlg.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\rasdlg.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for rasgcw.dll DLL Hijacking
id: 1106252b-2897-48a3-6541-5b9ff8180981
status: experimental
description: Detects possible DLL hijacking of rasgcw.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/rasgcw.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\rasgcw.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for rasman.dll DLL Hijacking
id: 9185722b-9395-48a3-4833-5b9ff8893528
status: experimental
description: Detects possible DLL hijacking of rasman.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/rasman.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\rasman.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for rasmontr.dll DLL Hijacking
id: 4755462b-9395-48a3-4833-5b9ff8259634
status: experimental
description: Detects possible DLL hijacking of rasmontr.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/rasmontr.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\rasmontr.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for reagent.dll DLL Hijacking
id: 1644152b-9395-48a3-4833-5b9ff8380641
status: experimental
description: Detects possible DLL hijacking of reagent.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/reagent.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\reagent.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for regapi.dll DLL Hijacking
id: 4345612b-9395-48a3-4833-5b9ff8405131
status: experimental
description: Detects possible DLL hijacking of regapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/regapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\regapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for reseteng.dll DLL Hijacking
id: 3058012b-9395-48a3-4833-5b9ff8303587
status: experimental
description: Detects possible DLL hijacking of reseteng.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/reseteng.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\reseteng.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for resetengine.dll DLL Hijacking
id: 9661542b-9395-48a3-4833-5b9ff8626915
status: experimental
description: Detects possible DLL hijacking of resetengine.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/resetengine.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\resetengine.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for resutils.dll DLL Hijacking
id: 8394752b-9395-48a3-4833-5b9ff8276388
status: experimental
description: Detects possible DLL hijacking of resutils.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/resutils.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\resutils.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for rjvplatform.dll DLL Hijacking
id: 6261942b-5254-48a3-5583-5b9ff8626931
status: experimental
description: Detects possible DLL hijacking of rjvplatform.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/rjvplatform.html
author: "Wietze Beukema"
date: 2023-07-28
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\rjvplatform.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\SystemResetPlatform\\*'
            - 'c:\windows\syswow64\SystemResetPlatform\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for rmclient.dll DLL Hijacking
id: 6915862b-9395-48a3-4833-5b9ff8457689
status: experimental
description: Detects possible DLL hijacking of rmclient.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/rmclient.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\rmclient.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for rpcnsh.dll DLL Hijacking
id: 3369512b-9395-48a3-4833-5b9ff8458162
status: experimental
description: Detects possible DLL hijacking of rpcnsh.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/rpcnsh.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\rpcnsh.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for rsaenh.dll DLL Hijacking
id: 3648982b-2897-48a3-6541-5b9ff8610680
status: experimental
description: Detects possible DLL hijacking of rsaenh.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/rsaenh.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\rsaenh.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for rtutils.dll DLL Hijacking
id: 6944612b-9395-48a3-4833-5b9ff8468344
status: experimental
description: Detects possible DLL hijacking of rtutils.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/rtutils.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\rtutils.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for rtworkq.dll DLL Hijacking
id: 4188042b-9395-48a3-4833-5b9ff8867951
status: experimental
description: Detects possible DLL hijacking of rtworkq.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/rtworkq.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\rtworkq.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for samcli.dll DLL Hijacking
id: 4075962b-9395-48a3-4833-5b9ff8868674
status: experimental
description: Detects possible DLL hijacking of samcli.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/samcli.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\samcli.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for samlib.dll DLL Hijacking
id: 4466812b-9395-48a3-4833-5b9ff8872657
status: experimental
description: Detects possible DLL hijacking of samlib.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/samlib.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\samlib.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for sapi_onecore.dll DLL Hijacking
id: 5228502b-2897-48a3-6541-5b9ff8998132
status: experimental
description: Detects possible DLL hijacking of sapi_onecore.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/sapi_onecore.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\sapi_onecore.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for sas.dll DLL Hijacking
id: 2951922b-9395-48a3-4833-5b9ff8531921
status: experimental
description: Detects possible DLL hijacking of sas.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/sas.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\sas.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for scansetting.dll DLL Hijacking
id: 4223442b-9395-48a3-4833-5b9ff8826288
status: experimental
description: Detects possible DLL hijacking of scansetting.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/scansetting.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\scansetting.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for scecli.dll DLL Hijacking
id: 1109172b-9395-48a3-4833-5b9ff8866372
status: experimental
description: Detects possible DLL hijacking of scecli.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/scecli.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\scecli.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for schedcli.dll DLL Hijacking
id: 5125292b-9395-48a3-4833-5b9ff8315305
status: experimental
description: Detects possible DLL hijacking of schedcli.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/schedcli.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\schedcli.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for secur32.dll DLL Hijacking
id: 2562372b-9395-48a3-4833-5b9ff8849289
status: experimental
description: Detects possible DLL hijacking of secur32.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/secur32.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\secur32.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for security.dll DLL Hijacking
id: 6494952b-7437-48a3-2115-5b9ff8999681
status: experimental
description: Detects possible DLL hijacking of security.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/security.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\security.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for sensapi.dll DLL Hijacking
id: 6628912b-8844-48a3-7027-5b9ff8114518
status: experimental
description: Detects possible DLL hijacking of sensapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/sensapi.html
author: "Wietze Beukema"
date: 2023-07-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\sensapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for shell32.dll DLL Hijacking
id: 6437562b-2897-48a3-6541-5b9ff8263204
status: experimental
description: Detects possible DLL hijacking of shell32.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/shell32.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\shell32.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for shellchromeapi.dll DLL Hijacking
id: 8858352b-5254-48a3-5583-5b9ff8382261
status: experimental
description: Detects possible DLL hijacking of shellchromeapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/shellchromeapi.html
author: "Wietze Beukema"
date: 2023-07-28
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\shellchromeapi.dll'

    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for slc.dll DLL Hijacking
id: 1700062b-9395-48a3-4833-5b9ff8708144
status: experimental
description: Detects possible DLL hijacking of slc.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/slc.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\slc.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for snmpapi.dll DLL Hijacking
id: 1126332b-9395-48a3-4833-5b9ff8788210
status: experimental
description: Detects possible DLL hijacking of snmpapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/snmpapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\snmpapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for spectrumsyncclient.dll DLL Hijacking
id: 8397122b-9395-48a3-4833-5b9ff8703005
status: experimental
description: Detects possible DLL hijacking of spectrumsyncclient.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/spectrumsyncclient.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\spectrumsyncclient.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for spp.dll DLL Hijacking
id: 9165162b-9395-48a3-4833-5b9ff8477387
status: experimental
description: Detects possible DLL hijacking of spp.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/spp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\spp.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for sppc.dll DLL Hijacking
id: 9555992b-9395-48a3-4833-5b9ff8462580
status: experimental
description: Detects possible DLL hijacking of sppc.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/sppc.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\sppc.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for sppcext.dll DLL Hijacking
id: 7163082b-7437-48a3-2115-5b9ff8188515
status: experimental
description: Detects possible DLL hijacking of sppcext.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/sppcext.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\sppcext.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for srclient.dll DLL Hijacking
id: 3470372b-9395-48a3-4833-5b9ff8716237
status: experimental
description: Detects possible DLL hijacking of srclient.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/srclient.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\srclient.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for srcore.dll DLL Hijacking
id: 2458002b-9395-48a3-4833-5b9ff8893565
status: experimental
description: Detects possible DLL hijacking of srcore.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/srcore.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\srcore.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for srmtrace.dll DLL Hijacking
id: 2335272b-2028-48a3-1241-5b9ff8293282
status: experimental
description: Detects possible DLL hijacking of srmtrace.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/srmtrace.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\srmtrace.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for srpapi.dll DLL Hijacking
id: 6353942b-9395-48a3-4833-5b9ff8833262
status: experimental
description: Detects possible DLL hijacking of srpapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/srpapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\srpapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for srvcli.dll DLL Hijacking
id: 4595202b-9395-48a3-4833-5b9ff8895196
status: experimental
description: Detects possible DLL hijacking of srvcli.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/srvcli.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\srvcli.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ssp.exe_rsaenh.dll DLL Hijacking
id: 5591742b-2897-48a3-6541-5b9ff8928877
status: experimental
description: Detects possible DLL hijacking of ssp.exe_rsaenh.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ssp.exe_rsaenh.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ssp.exe_rsaenh.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ssp_isv.exe_rsaenh.dll DLL Hijacking
id: 1836522b-2897-48a3-6541-5b9ff8240435
status: experimental
description: Detects possible DLL hijacking of ssp_isv.exe_rsaenh.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ssp_isv.exe_rsaenh.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ssp_isv.exe_rsaenh.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for sspicli.dll DLL Hijacking
id: 7913462b-9395-48a3-4833-5b9ff8803930
status: experimental
description: Detects possible DLL hijacking of sspicli.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/sspicli.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\sspicli.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ssshim.dll DLL Hijacking
id: 6777392b-5805-48a3-6769-5b9ff8479266
status: experimental
description: Detects possible DLL hijacking of ssshim.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ssshim.html
author: "Wietze Beukema"
date: 2021-02-28
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ssshim.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for staterepository.core.dll DLL Hijacking
id: 7769312b-9395-48a3-4833-5b9ff8374855
status: experimental
description: Detects possible DLL hijacking of staterepository.core.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/staterepository.core.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\staterepository.core.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for sti.dll DLL Hijacking
id: 8742072b-9766-48a3-4354-5b9ff8215048
status: experimental
description: Detects possible DLL hijacking of sti.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/sti.html
author: "Tim Baker"
date: 2024-11-09
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\sti.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for structuredquery.dll DLL Hijacking
id: 8569672b-2897-48a3-6541-5b9ff8536157
status: experimental
description: Detects possible DLL hijacking of structuredquery.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/structuredquery.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\structuredquery.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for sxshared.dll DLL Hijacking
id: 7270662b-9395-48a3-4833-5b9ff8792659
status: experimental
description: Detects possible DLL hijacking of sxshared.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/sxshared.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\sxshared.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for systemsettingsthresholdadminflowui.dll DLL Hijacking
id: 7999812b-9395-48a3-4833-5b9ff8929845
status: experimental
description: Detects possible DLL hijacking of systemsettingsthresholdadminflowui.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/systemsettingsthresholdadminflowui.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\systemsettingsthresholdadminflowui.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for tapi32.dll DLL Hijacking
id: 7408932b-9395-48a3-4833-5b9ff8197469
status: experimental
description: Detects possible DLL hijacking of tapi32.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/tapi32.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\tapi32.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for tbs.dll DLL Hijacking
id: 7534322b-9395-48a3-4833-5b9ff8101505
status: experimental
description: Detects possible DLL hijacking of tbs.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/tbs.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\tbs.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for tdh.dll DLL Hijacking
id: 5605772b-9395-48a3-4833-5b9ff8826766
status: experimental
description: Detects possible DLL hijacking of tdh.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/tdh.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\tdh.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for textshaping.dll DLL Hijacking
id: 3832042b-2811-48a3-1599-5b9ff8887640
status: experimental
description: Detects possible DLL hijacking of textshaping.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/textshaping.html
author: "Gary Lobermier"
date: 2023-05-22
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\textshaping.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for timesync.dll DLL Hijacking
id: 2549442b-9395-48a3-4833-5b9ff8401541
status: experimental
description: Detects possible DLL hijacking of timesync.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/timesync.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\timesync.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for tpmcoreprovisioning.dll DLL Hijacking
id: 3136372b-7437-48a3-2115-5b9ff8720960
status: experimental
description: Detects possible DLL hijacking of tpmcoreprovisioning.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/tpmcoreprovisioning.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\tpmcoreprovisioning.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for tquery.dll DLL Hijacking
id: 3854912b-9395-48a3-4833-5b9ff8191969
status: experimental
description: Detects possible DLL hijacking of tquery.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/tquery.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\tquery.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for tsmsisrv.dll DLL Hijacking
id: 1524792b-3647-48a3-1087-5b9ff8891530
status: experimental
description: Detects possible DLL hijacking of tsmsisrv.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/tsmsisrv.html
author: "Swachchhanda Shrawan Poudel"
date: 2025-09-05
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\tsmsisrv.dll'

    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for tsvipsrv.dll DLL Hijacking
id: 9320322b-3647-48a3-1087-5b9ff8824480
status: experimental
description: Detects possible DLL hijacking of tsvipsrv.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/tsvipsrv.html
author: "Swachchhanda Shrawan Poudel"
date: 2025-09-05
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\tsvipsrv.dll'

    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for tsworkspace.dll DLL Hijacking
id: 1496792b-9395-48a3-4833-5b9ff8535767
status: experimental
description: Detects possible DLL hijacking of tsworkspace.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/tsworkspace.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\tsworkspace.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ttdrecord.dll DLL Hijacking
id: 2046362b-9395-48a3-4833-5b9ff8257356
status: experimental
description: Detects possible DLL hijacking of ttdrecord.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ttdrecord.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ttdrecord.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for twext.dll DLL Hijacking
id: 4520372b-2897-48a3-6541-5b9ff8152644
status: experimental
description: Detects possible DLL hijacking of twext.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/twext.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\twext.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for twinapi.dll DLL Hijacking
id: 7311062b-2897-48a3-6541-5b9ff8416435
status: experimental
description: Detects possible DLL hijacking of twinapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/twinapi.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\twinapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for twinui.appcore.dll DLL Hijacking
id: 5172902b-2897-48a3-6541-5b9ff8190795
status: experimental
description: Detects possible DLL hijacking of twinui.appcore.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/twinui.appcore.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\twinui.appcore.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for uianimation.dll DLL Hijacking
id: 5746352b-2897-48a3-6541-5b9ff8719444
status: experimental
description: Detects possible DLL hijacking of uianimation.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/uianimation.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\uianimation.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for uiautomationcore.dll DLL Hijacking
id: 7937292b-9395-48a3-4833-5b9ff8692240
status: experimental
description: Detects possible DLL hijacking of uiautomationcore.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/uiautomationcore.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\uiautomationcore.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for uireng.dll DLL Hijacking
id: 3807692b-9395-48a3-4833-5b9ff8828729
status: experimental
description: Detects possible DLL hijacking of uireng.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/uireng.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\uireng.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for uiribbon.dll DLL Hijacking
id: 8242812b-2897-48a3-6541-5b9ff8344710
status: experimental
description: Detects possible DLL hijacking of uiribbon.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/uiribbon.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\uiribbon.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for umpdc.dll DLL Hijacking
id: 2716602b-2028-48a3-1241-5b9ff8227092
status: experimental
description: Detects possible DLL hijacking of umpdc.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/umpdc.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\umpdc.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for unattend.dll DLL Hijacking
id: 2167992b-7437-48a3-2115-5b9ff8535954
status: experimental
description: Detects possible DLL hijacking of unattend.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/unattend.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\unattend.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for updatepolicy.dll DLL Hijacking
id: 4486712b-9395-48a3-4833-5b9ff8668728
status: experimental
description: Detects possible DLL hijacking of updatepolicy.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/updatepolicy.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\updatepolicy.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for upshared.dll DLL Hijacking
id: 7075412b-9395-48a3-4833-5b9ff8955080
status: experimental
description: Detects possible DLL hijacking of upshared.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/upshared.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\upshared.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for urlmon.dll DLL Hijacking
id: 6609802b-2028-48a3-1241-5b9ff8468929
status: experimental
description: Detects possible DLL hijacking of urlmon.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/urlmon.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\urlmon.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for userenv.dll DLL Hijacking
id: 7304502b-9395-48a3-4833-5b9ff8185375
status: experimental
description: Detects possible DLL hijacking of userenv.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/userenv.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\userenv.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for utildll.dll DLL Hijacking
id: 3349102b-9395-48a3-4833-5b9ff8182946
status: experimental
description: Detects possible DLL hijacking of utildll.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/utildll.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\utildll.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for uxinit.dll DLL Hijacking
id: 2732532b-9395-48a3-4833-5b9ff8514787
status: experimental
description: Detects possible DLL hijacking of uxinit.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/uxinit.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\uxinit.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for uxtheme.dll DLL Hijacking
id: 9735282b-9395-48a3-4833-5b9ff8605722
status: experimental
description: Detects possible DLL hijacking of uxtheme.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/uxtheme.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\uxtheme.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for vaultcli.dll DLL Hijacking
id: 9577412b-9395-48a3-4833-5b9ff8786692
status: experimental
description: Detects possible DLL hijacking of vaultcli.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/vaultcli.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\vaultcli.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for vcruntime140.dll DLL Hijacking
id: 1697282b-3028-48a3-8802-5b9ff8136955
status: experimental
description: Detects possible DLL hijacking of vcruntime140.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/vcruntime140.html
author: "Swachchhanda Shrawan Poudel"
date: 2026-01-06
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\vcruntime140.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for vdsutil.dll DLL Hijacking
id: 6376582b-7437-48a3-2115-5b9ff8267815
status: experimental
description: Detects possible DLL hijacking of vdsutil.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/vdsutil.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\vdsutil.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for version.dll DLL Hijacking
id: 5631172b-2028-48a3-1241-5b9ff8902544
status: experimental
description: Detects possible DLL hijacking of version.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/version.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\version.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for virtdisk.dll DLL Hijacking
id: 2085832b-9395-48a3-4833-5b9ff8439462
status: experimental
description: Detects possible DLL hijacking of virtdisk.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/virtdisk.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\virtdisk.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for vssapi.dll DLL Hijacking
id: 8504662b-9395-48a3-4833-5b9ff8936947
status: experimental
description: Detects possible DLL hijacking of vssapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/vssapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\vssapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for vsstrace.dll DLL Hijacking
id: 2030142b-9395-48a3-4833-5b9ff8318649
status: experimental
description: Detects possible DLL hijacking of vsstrace.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/vsstrace.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\vsstrace.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wbemcomn.dll DLL Hijacking
id: 3394112b-8283-48a3-9712-5b9ff8744436
status: experimental
description: Detects possible DLL hijacking of wbemcomn.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wbemcomn.html
author: "v1stra"
date: 2024-12-12
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wbemcomn.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wbemprox.dll DLL Hijacking
id: 5104702b-2897-48a3-6541-5b9ff8233233
status: experimental
description: Detects possible DLL hijacking of wbemprox.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wbemprox.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wbemprox.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\wbem\\*'
            - 'c:\windows\syswow64\wbem\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wbemsvc.dll DLL Hijacking
id: 6612902b-2897-48a3-6541-5b9ff8659258
status: experimental
description: Detects possible DLL hijacking of wbemsvc.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wbemsvc.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wbemsvc.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\wbem\\*'
            - 'c:\windows\syswow64\wbem\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wcmapi.dll DLL Hijacking
id: 6058972b-9395-48a3-4833-5b9ff8908639
status: experimental
description: Detects possible DLL hijacking of wcmapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wcmapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wcmapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wcnnetsh.dll DLL Hijacking
id: 4601442b-9395-48a3-4833-5b9ff8457683
status: experimental
description: Detects possible DLL hijacking of wcnnetsh.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wcnnetsh.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wcnnetsh.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wdi.dll DLL Hijacking
id: 5329262b-9395-48a3-4833-5b9ff8245333
status: experimental
description: Detects possible DLL hijacking of wdi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wdi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wdi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wdscore.dll DLL Hijacking
id: 1535942b-9395-48a3-4833-5b9ff8417233
status: experimental
description: Detects possible DLL hijacking of wdscore.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wdscore.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wdscore.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for webservices.dll DLL Hijacking
id: 2704592b-9395-48a3-4833-5b9ff8365128
status: experimental
description: Detects possible DLL hijacking of webservices.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/webservices.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\webservices.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wecapi.dll DLL Hijacking
id: 3483042b-9395-48a3-4833-5b9ff8919715
status: experimental
description: Detects possible DLL hijacking of wecapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wecapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wecapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wer.dll DLL Hijacking
id: 6667192b-9395-48a3-4833-5b9ff8831964
status: experimental
description: Detects possible DLL hijacking of wer.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wer.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wer.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wevtapi.dll DLL Hijacking
id: 1325682b-9395-48a3-4833-5b9ff8877743
status: experimental
description: Detects possible DLL hijacking of wevtapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wevtapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wevtapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for whhelper.dll DLL Hijacking
id: 9852422b-9395-48a3-4833-5b9ff8858874
status: experimental
description: Detects possible DLL hijacking of whhelper.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/whhelper.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\whhelper.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wimgapi.dll DLL Hijacking
id: 1854942b-9395-48a3-4833-5b9ff8418066
status: experimental
description: Detects possible DLL hijacking of wimgapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wimgapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wimgapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\program files\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\arm64\DISM\\*'
            - 'c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\arm64\DISM\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for winbio.dll DLL Hijacking
id: 1716732b-7437-48a3-2115-5b9ff8633519
status: experimental
description: Detects possible DLL hijacking of winbio.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/winbio.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\winbio.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for winbrand.dll DLL Hijacking
id: 7484512b-9395-48a3-4833-5b9ff8104958
status: experimental
description: Detects possible DLL hijacking of winbrand.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/winbrand.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\winbrand.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for windows.storage.dll DLL Hijacking
id: 9111952b-2897-48a3-6541-5b9ff8134848
status: experimental
description: Detects possible DLL hijacking of windows.storage.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/windows.storage.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\windows.storage.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for windows.storage.search.dll DLL Hijacking
id: 4803242b-2897-48a3-6541-5b9ff8200174
status: experimental
description: Detects possible DLL hijacking of windows.storage.search.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/windows.storage.search.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\windows.storage.search.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for windows.ui.immersive.dll DLL Hijacking
id: 1638672b-2028-48a3-1241-5b9ff8322645
status: experimental
description: Detects possible DLL hijacking of windows.ui.immersive.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/windows.ui.immersive.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\windows.ui.immersive.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for windowscodecs.dll DLL Hijacking
id: 7923332b-9395-48a3-4833-5b9ff8176806
status: experimental
description: Detects possible DLL hijacking of windowscodecs.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/windowscodecs.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\windowscodecs.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for windowscodecsext.dll DLL Hijacking
id: 5485022b-2897-48a3-6541-5b9ff8612059
status: experimental
description: Detects possible DLL hijacking of windowscodecsext.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/windowscodecsext.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\windowscodecsext.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for windowsperformancerecordercontrol.dll DLL Hijacking
id: 1224552b-9395-48a3-4833-5b9ff8366003
status: experimental
description: Detects possible DLL hijacking of windowsperformancerecordercontrol.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/windowsperformancerecordercontrol.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\windowsperformancerecordercontrol.dll'
    filter:
        TargetFileName:
            - 'c:\program files\windows kits\10\windows performance toolkit\\*'
            - 'c:\program files (x86)\windows kits\10\windows performance toolkit\\*'
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for windowsudk.shellcommon.dll DLL Hijacking
id: 5019782b-2897-48a3-6541-5b9ff8831881
status: experimental
description: Detects possible DLL hijacking of windowsudk.shellcommon.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/windowsudk.shellcommon.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\windowsudk.shellcommon.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for winhttp.dll DLL Hijacking
id: 3239902b-9395-48a3-4833-5b9ff8189432
status: experimental
description: Detects possible DLL hijacking of winhttp.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/winhttp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\winhttp.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wininet.dll DLL Hijacking
id: 5133202b-9395-48a3-4833-5b9ff8546758
status: experimental
description: Detects possible DLL hijacking of wininet.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wininet.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wininet.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for winipsec.dll DLL Hijacking
id: 8435322b-9395-48a3-4833-5b9ff8591945
status: experimental
description: Detects possible DLL hijacking of winipsec.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/winipsec.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\winipsec.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for winmde.dll DLL Hijacking
id: 9555562b-9395-48a3-4833-5b9ff8958594
status: experimental
description: Detects possible DLL hijacking of winmde.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/winmde.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\winmde.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for winmm.dll DLL Hijacking
id: 6001232b-9395-48a3-4833-5b9ff8661849
status: experimental
description: Detects possible DLL hijacking of winmm.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/winmm.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\winmm.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for winnsi.dll DLL Hijacking
id: 3518232b-9395-48a3-4833-5b9ff8680757
status: experimental
description: Detects possible DLL hijacking of winnsi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/winnsi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\winnsi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for winrnr.dll DLL Hijacking
id: 3147262b-2897-48a3-6541-5b9ff8162235
status: experimental
description: Detects possible DLL hijacking of winrnr.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/winrnr.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\winrnr.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for winscard.dll DLL Hijacking
id: 4651822b-7437-48a3-2115-5b9ff8962377
status: experimental
description: Detects possible DLL hijacking of winscard.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/winscard.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\winscard.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for winsqlite3.dll DLL Hijacking
id: 2504882b-9395-48a3-4833-5b9ff8837374
status: experimental
description: Detects possible DLL hijacking of winsqlite3.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/winsqlite3.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\winsqlite3.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for winsta.dll DLL Hijacking
id: 4474352b-9395-48a3-4833-5b9ff8756495
status: experimental
description: Detects possible DLL hijacking of winsta.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/winsta.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\winsta.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for winsync.dll DLL Hijacking
id: 9097692b-7437-48a3-2115-5b9ff8759570
status: experimental
description: Detects possible DLL hijacking of winsync.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/winsync.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\winsync.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wkscli.dll DLL Hijacking
id: 2376872b-9395-48a3-4833-5b9ff8271846
status: experimental
description: Detects possible DLL hijacking of wkscli.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wkscli.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wkscli.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wlanapi.dll DLL Hijacking
id: 9728592b-9395-48a3-4833-5b9ff8620460
status: experimental
description: Detects possible DLL hijacking of wlanapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wlanapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wlanapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wlancfg.dll DLL Hijacking
id: 5680622b-9395-48a3-4833-5b9ff8948419
status: experimental
description: Detects possible DLL hijacking of wlancfg.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wlancfg.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wlancfg.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wlbsctrl.dll DLL Hijacking
id: 7274672b-4908-48a3-8140-5b9ff8212003
status: experimental
description: Detects possible DLL hijacking of wlbsctrl.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wlbsctrl.html
author: "Wietze Beukema"
date: 2022-06-12
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wlbsctrl.dll'

    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wldp.dll DLL Hijacking
id: 4724502b-9395-48a3-4833-5b9ff8872681
status: experimental
description: Detects possible DLL hijacking of wldp.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wldp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wldp.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wlidprov.dll DLL Hijacking
id: 8739312b-2897-48a3-6541-5b9ff8180920
status: experimental
description: Detects possible DLL hijacking of wlidprov.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wlidprov.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wlidprov.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wmiclnt.dll DLL Hijacking
id: 2830982b-9395-48a3-4833-5b9ff8308665
status: experimental
description: Detects possible DLL hijacking of wmiclnt.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wmiclnt.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wmiclnt.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wmidcom.dll DLL Hijacking
id: 6056742b-2897-48a3-6541-5b9ff8639527
status: experimental
description: Detects possible DLL hijacking of wmidcom.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wmidcom.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wmidcom.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wmiutils.dll DLL Hijacking
id: 9676102b-2897-48a3-6541-5b9ff8669284
status: experimental
description: Detects possible DLL hijacking of wmiutils.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wmiutils.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wmiutils.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\wbem\\*'
            - 'c:\windows\syswow64\wbem\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wmpdui.dll DLL Hijacking
id: 9754192b-9395-48a3-4833-5b9ff8371687
status: experimental
description: Detects possible DLL hijacking of wmpdui.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wmpdui.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wmpdui.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\winsxs\*'
            - 'c:\$windows.~bt\*'
            - 'c:\windows\softwaredistribution\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wmsgapi.dll DLL Hijacking
id: 5032212b-9395-48a3-4833-5b9ff8166548
status: experimental
description: Detects possible DLL hijacking of wmsgapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wmsgapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wmsgapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wofutil.dll DLL Hijacking
id: 5375032b-9395-48a3-4833-5b9ff8946295
status: experimental
description: Detects possible DLL hijacking of wofutil.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wofutil.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wofutil.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wow64log.dll DLL Hijacking
id: 1854582b-8475-48a3-5606-5b9ff8458296
status: experimental
description: Detects possible DLL hijacking of wow64log.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wow64log.html
author: "ice-wzl"
date: 2025-01-01
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wow64log.dll'

    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wpdshext.dll DLL Hijacking
id: 1033052b-2897-48a3-6541-5b9ff8574917
status: experimental
description: Detects possible DLL hijacking of wpdshext.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wpdshext.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wpdshext.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wptsextensions.dll DLL Hijacking
id: 5524022b-9122-48a3-7130-5b9ff8916642
status: experimental
description: Detects possible DLL hijacking of wptsextensions.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wptsextensions.html
author: "k4nfr3"
date: 2022-08-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wptsextensions.dll'

    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wscapi.dll DLL Hijacking
id: 2593902b-7437-48a3-2115-5b9ff8485573
status: experimental
description: Detects possible DLL hijacking of wscapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wscapi.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wscapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wsdapi.dll DLL Hijacking
id: 8287072b-2811-48a3-1599-5b9ff8397965
status: experimental
description: Detects possible DLL hijacking of wsdapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wsdapi.html
author: "Gary Lobermier"
date: 2023-05-22
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wsdapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wshbth.dll DLL Hijacking
id: 8610092b-2897-48a3-6541-5b9ff8545844
status: experimental
description: Detects possible DLL hijacking of wshbth.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wshbth.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wshbth.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wshelper.dll DLL Hijacking
id: 8129562b-9395-48a3-4833-5b9ff8430106
status: experimental
description: Detects possible DLL hijacking of wshelper.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wshelper.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wshelper.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wsmsvc.dll DLL Hijacking
id: 5007062b-7437-48a3-2115-5b9ff8554659
status: experimental
description: Detects possible DLL hijacking of wsmsvc.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wsmsvc.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wsmsvc.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wtsapi32.dll DLL Hijacking
id: 8940962b-9395-48a3-4833-5b9ff8441253
status: experimental
description: Detects possible DLL hijacking of wtsapi32.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wtsapi32.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wtsapi32.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wwancfg.dll DLL Hijacking
id: 6747662b-9395-48a3-4833-5b9ff8833613
status: experimental
description: Detects possible DLL hijacking of wwancfg.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wwancfg.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wwancfg.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wwapi.dll DLL Hijacking
id: 2428692b-9395-48a3-4833-5b9ff8356790
status: experimental
description: Detects possible DLL hijacking of wwapi.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wwapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wwapi.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for xmllite.dll DLL Hijacking
id: 8669102b-9395-48a3-4833-5b9ff8628499
status: experimental
description: Detects possible DLL hijacking of xmllite.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/xmllite.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\xmllite.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for xolehlp.dll DLL Hijacking
id: 2478962b-9395-48a3-4833-5b9ff8785507
status: experimental
description: Detects possible DLL hijacking of xolehlp.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/xolehlp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\xolehlp.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for xpsservices.dll DLL Hijacking
id: 1592402b-7437-48a3-2115-5b9ff8869195
status: experimental
description: Detects possible DLL hijacking of xpsservices.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/xpsservices.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\xpsservices.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for xwizards.dll DLL Hijacking
id: 6794172b-2897-48a3-6541-5b9ff8973235
status: experimental
description: Detects possible DLL hijacking of xwizards.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/xwizards.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\xwizards.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for xwtpw32.dll DLL Hijacking
id: 6163312b-2897-48a3-6541-5b9ff8912890
status: experimental
description: Detects possible DLL hijacking of xwtpw32.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/xwtpw32.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\xwtpw32.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for appvisvsubsystems64.dll DLL Hijacking
id: 3016172b-4079-48a3-9089-5b9ff8997109
status: experimental
description: Detects possible DLL hijacking of appvisvsubsystems64.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/appvisvsubsystems64.html
author: "Still Hsu"
date: 2025-10-20
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\appvisvsubsystems64.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Common Files\microsoft shared\ClickToRun\\*'
            - 'c:\program files (x86)\Common Files\microsoft shared\ClickToRun\\*'
            - 'c:\program files\Common Files\microsoft shared\ClickToRun\Updates\\*\\*'
            - 'c:\program files (x86)\Common Files\microsoft shared\ClickToRun\Updates\\*\\*'
            - 'c:\program files\Microsoft Office\root\Client\\*'
            - 'c:\program files (x86)\Microsoft Office\root\Client\\*'
            - 'c:\program files\Microsoft Office\root\Office*\\*'
            - 'c:\program files (x86)\Microsoft Office\root\Office*\\*'
            - 'c:\program files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office*\\*'
            - 'c:\program files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for atltracetoolui.dll DLL Hijacking
id: 8132642b-4150-48a3-8413-5b9ff8149350
status: experimental
description: Detects possible DLL hijacking of atltracetoolui.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/atltracetoolui.html
author: "Wietze Beukema"
date: 2023-04-04
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\atltracetoolui.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Microsoft Visual Studio 11.0\Common7\Tools\\*'
            - 'c:\program files (x86)\Microsoft Visual Studio 11.0\Common7\Tools\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for concrt140.dll DLL Hijacking
id: 8484042b-9387-48a3-7560-5b9ff8877196
status: experimental
description: Detects possible DLL hijacking of concrt140.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/concrt140.html
author: "Austin Worline"
date: 2025-04-06
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\concrt140.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Microsoft Visual Studio\\*\Community\Common7\IDE\VC\vcpackages\\*'
            - 'c:\program files (x86)\Microsoft Visual Studio\\*\Community\Common7\IDE\VC\vcpackages\\*'
            - 'c:\program files\Microsoft Visual Studio\\*\BuildTools\Common7\IDE\VC\vcpackages\\*'
            - 'c:\program files (x86)\Microsoft Visual Studio\\*\BuildTools\Common7\IDE\VC\vcpackages\\*'
            - 'c:\program files\Microsoft Visual Studio\\*\BuildTools\Common7\IDE\\*'
            - 'c:\program files (x86)\Microsoft Visual Studio\\*\BuildTools\Common7\IDE\\*'
            - 'c:\program files\Microsoft Intune Management Extension\\*'
            - 'c:\program files (x86)\Microsoft Intune Management Extension\\*'
            - 'c:\program files\Microsoft\Edge\Application\\*\\*'
            - 'c:\program files (x86)\Microsoft\Edge\Application\\*\\*'
            - 'c:\program files\Microsoft\EdgeWebView\Application\\*\\*'
            - 'c:\program files (x86)\Microsoft\EdgeWebView\Application\\*\\*'
            - 'c:\program files\microsoft\edgewebview\application\\*\\*'
            - 'c:\program files (x86)\microsoft\edgewebview\application\\*\\*'
            - 'c:\program files\Microsoft RDInfra\RDMonitoringAgent_*\Agent\\*'
            - 'c:\program files (x86)\Microsoft RDInfra\RDMonitoringAgent_*\Agent\\*'
            - 'c:\program files\WindowsApps\Microsoft.VCLibs.*\\*'
            - 'c:\program files (x86)\WindowsApps\Microsoft.VCLibs.*\\*'
            - 'c:\program files\WindowsApps\Microsoft.OutlookForWindows_*\\*'
            - 'c:\program files (x86)\WindowsApps\Microsoft.OutlookForWindows_*\\*'
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for dbgeng.dll DLL Hijacking
id: 9774422b-9223-48a3-6181-5b9ff8657582
status: experimental
description: Detects possible DLL hijacking of dbgeng.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/dbgeng.html
author: "Wietze Beukema"
date: 2023-03-01
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\dbgeng.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Windows Kits\\*\Debuggers\x86\\*'
            - 'c:\program files (x86)\Windows Kits\\*\Debuggers\x86\\*'
            - 'c:\program files\Windows Kits\\*\Debuggers\x64\\*'
            - 'c:\program files (x86)\Windows Kits\\*\Debuggers\x64\\*'
            - 'c:\program files\Windows Kits\\*\Debuggers\arm\\*'
            - 'c:\program files (x86)\Windows Kits\\*\Debuggers\arm\\*'
            - 'c:\program files\Windows Kits\\*\Debuggers\arm64\\*'
            - 'c:\program files (x86)\Windows Kits\\*\Debuggers\arm64\\*'
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for formdll.dll DLL Hijacking
id: 2943742b-3819-48a3-7381-5b9ff8215555
status: experimental
description: Detects possible DLL hijacking of formdll.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/formdll.html
author: "Wietze Beukema"
date: 2023-09-04
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\formdll.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Common Files\Microsoft Shared\NoteSync Forms\\*'
            - 'c:\program files (x86)\Common Files\Microsoft Shared\NoteSync Forms\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for gflagsui.dll DLL Hijacking
id: 1356932b-2811-48a3-1599-5b9ff8833446
status: experimental
description: Detects possible DLL hijacking of gflagsui.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/gflagsui.html
author: "Gary Lobermier"
date: 2023-05-22
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\gflagsui.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Windows Kits\10\Debuggers\\*\\*'
            - 'c:\program files (x86)\Windows Kits\10\Debuggers\\*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for hha.dll DLL Hijacking
id: 6370912b-6722-48a3-2305-5b9ff8430460
status: experimental
description: Detects possible DLL hijacking of hha.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/hha.html
author: "Wietze Beukema"
date: 2021-12-08
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\hha.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\program files\HTML Help Workshop\\*'
            - 'c:\program files (x86)\HTML Help Workshop\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for imjp14k.dll DLL Hijacking
id: 1912702b-7371-48a3-5678-5b9ff8552736
status: experimental
description: Detects possible DLL hijacking of imjp14k.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/imjp14k.html
author: "Wietze Beukema"
date: 2024-09-08
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\imjp14k.dll'
    filter:
        TargetFileName:
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\program files\Common Files\Microsoft Shared\IME14\SHARED\\*'
            - 'c:\program files (x86)\Common Files\Microsoft Shared\IME14\SHARED\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for iviewers.dll DLL Hijacking
id: 1295572b-6727-48a3-6557-5b9ff8430907
status: experimental
description: Detects possible DLL hijacking of iviewers.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/iviewers.html
author: "Wietze Beukema"
date: 2022-06-14
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\iviewers.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Windows Kits\10\bin\\*\x86\\*'
            - 'c:\program files (x86)\Windows Kits\10\bin\\*\x86\\*'
            - 'c:\program files\Windows Kits\10\bin\\*\x64\\*'
            - 'c:\program files (x86)\Windows Kits\10\bin\\*\x64\\*'
            - 'c:\program files\Windows Kits\10\bin\\*\arm\\*'
            - 'c:\program files (x86)\Windows Kits\10\bin\\*\arm\\*'
            - 'c:\program files\Windows Kits\10\bin\\*\arm64\\*'
            - 'c:\program files (x86)\Windows Kits\10\bin\\*\arm64\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for midlrtmd.dll DLL Hijacking
id: 4697262b-1497-48a3-1258-5b9ff8380603
status: experimental
description: Detects possible DLL hijacking of midlrtmd.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/midlrtmd.html
author: "Rick Gatenby"
date: 2026-02-03
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\midlrtmd.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Windows Kits\\*\bin\\*\x64\mdmerge.exe\\*'
            - 'c:\program files (x86)\Windows Kits\\*\bin\\*\x64\mdmerge.exe\\*'
            - 'c:\program files\Windows Kits\\*\bin\\*\x86\mdmerge.exe\\*'
            - 'c:\program files (x86)\Windows Kits\\*\bin\\*\x86\mdmerge.exe\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mpgear.dll DLL Hijacking
id: 1970122b-9569-48a3-1936-5b9ff8709922
status: experimental
description: Detects possible DLL hijacking of mpgear.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/mpgear.html
author: "Jai Minton - HuntressLabs"
date: 2024-04-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mpgear.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Windows Defender Advanced Threat Protection\Classification\\*'
            - 'c:\program files (x86)\Windows Defender Advanced Threat Protection\Classification\\*'
            - 'c:\windows\system32\MRT\\*\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for msidcrl40.dll DLL Hijacking
id: 2253402b-4592-48a3-2807-5b9ff8762429
status: experimental
description: Detects possible DLL hijacking of msidcrl40.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/msidcrl40.html
author: "Jai Minton - HuntressLabs"
date: 2024-05-29
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\msidcrl40.dll'
    filter:
        TargetFileName:
            - 'c:\program files\msn messenger\\*'
            - 'c:\program files (x86)\msn messenger\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for msimg32.dll DLL Hijacking
id: 7330222b-4026-48a3-2477-5b9ff8149851
status: experimental
description: Detects possible DLL hijacking of msimg32.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/msimg32.html
author: "Jai Minton - HuntressLabs"
date: 2025-04-10
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\msimg32.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Haihaisoft PDF Reader\\*'
            - 'c:\program files (x86)\Haihaisoft PDF Reader\\*'
            - 'c:\windows\system32\\*'
            - 'c:\windows\syswow64\\*'
            - 'c:\windows\winsxs\\*'
            - 'c:\$windows.~bt\\*'
            - 'c:\windows\softwaredistribution\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for mspgimme.dll DLL Hijacking
id: 4129982b-9291-48a3-5273-5b9ff8568681
status: experimental
description: Detects possible DLL hijacking of mspgimme.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/mspgimme.html
author: "Josh Allman"
date: 2025-03-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\mspgimme.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Common Files\Microsoft Shared\MODI\11.0\\*'
            - 'c:\program files (x86)\Common Files\Microsoft Shared\MODI\11.0\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for outllib.dll DLL Hijacking
id: 3802402b-1318-48a3-1317-5b9ff8856876
status: experimental
description: Detects possible DLL hijacking of outllib.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/outllib.html
author: "Wietze Beukema"
date: 2022-06-13
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\outllib.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Microsoft Office\OFFICE*\\*'
            - 'c:\program files (x86)\Microsoft Office\OFFICE*\\*'
            - 'c:\program files\Microsoft Office\Root\OFFICE*\\*'
            - 'c:\program files (x86)\Microsoft Office\Root\OFFICE*\\*'
            - 'c:\program files\Microsoft Office *\ClientX86\Root\Office*\\*'
            - 'c:\program files (x86)\Microsoft Office *\ClientX86\Root\Office*\\*'
            - 'c:\program files\Microsoft Office *\ClientX64\Root\Office*\\*'
            - 'c:\program files (x86)\Microsoft Office *\ClientX64\Root\Office*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for ppcore.dll DLL Hijacking
id: 5961132b-2351-48a3-2815-5b9ff8263220
status: experimental
description: Detects possible DLL hijacking of ppcore.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/ppcore.html
author: "Swachchhanda Shrawan Poudel"
date: 2025-04-23
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\ppcore.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Microsoft Office\OFFICE*\\*'
            - 'c:\program files (x86)\Microsoft Office\OFFICE*\\*'
            - 'c:\program files\Microsoft Office\Root\OFFICE*\\*'
            - 'c:\program files (x86)\Microsoft Office\Root\OFFICE*\\*'
            - 'c:\program files\Microsoft Office *\ClientX86\Root\Office*\\*'
            - 'c:\program files (x86)\Microsoft Office *\ClientX86\Root\Office*\\*'
            - 'c:\program files\Microsoft Office *\ClientX64\Root\Office*\\*'
            - 'c:\program files (x86)\Microsoft Office *\ClientX64\Root\Office*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for rcdll.dll DLL Hijacking
id: 1324852b-2811-48a3-1599-5b9ff8815748
status: experimental
description: Detects possible DLL hijacking of rcdll.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/rcdll.html
author: "Gary Lobermier"
date: 2023-05-22
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\rcdll.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Windows Kits\10\bin\\*\\*\\*'
            - 'c:\program files (x86)\Windows Kits\10\bin\\*\\*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for symsrv.dll DLL Hijacking
id: 9816232b-2811-48a3-1599-5b9ff8945318
status: experimental
description: Detects possible DLL hijacking of symsrv.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/symsrv.html
author: "Gary Lobermier"
date: 2023-05-22
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\symsrv.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Windows Kits\10\Debuggers\\*\\*'
            - 'c:\program files (x86)\Windows Kits\10\Debuggers\\*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for tedutil.dll DLL Hijacking
id: 1524822b-9569-48a3-1936-5b9ff8301879
status: experimental
description: Detects possible DLL hijacking of tedutil.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/tedutil.html
author: "Jai Minton - HuntressLabs"
date: 2024-04-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\tedutil.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Microsoft SDKs\Windows\\*\Bin\\*'
            - 'c:\program files (x86)\Microsoft SDKs\Windows\\*\Bin\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for uxcore.dll DLL Hijacking
id: 1416642b-5077-48a3-3793-5b9ff8228927
status: experimental
description: Detects possible DLL hijacking of uxcore.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/uxcore.html
author: "Jai Minton - HuntressLabs"
date: 2025-01-22
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\uxcore.dll'
    filter:
        TargetFileName:
            - 'c:\program files\windows live\installer\\*'
            - 'c:\program files (x86)\windows live\installer\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for windowsperformancerecorderui.dll DLL Hijacking
id: 1067752b-2811-48a3-1599-5b9ff8544858
status: experimental
description: Detects possible DLL hijacking of windowsperformancerecorderui.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/windowsperformancerecorderui.html
author: "Gary Lobermier"
date: 2023-05-22
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\windowsperformancerecorderui.dll'
    filter:
        TargetFileName:
            - 'c:\program files\Windows Kits\10\Windows Performance Toolkit\\*'
            - 'c:\program files (x86)\Windows Kits\10\Windows Performance Toolkit\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.

---
title: Possible preparation for wmicodegen.dll DLL Hijacking
id: 2340122b-6939-48a3-6071-5b9ff8311072
status: experimental
description: Detects possible DLL hijacking of wmicodegen.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/wmicodegen.html
author: "Swachchhanda Shrawan Poudel"
date: 2024-07-25
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\wmicodegen.dll'
    filter:
        TargetFileName:
            - 'c:\program files\windows kits\\*\bin\\*\\*'
            - 'c:\program files (x86)\windows kits\\*\bin\\*\\*'

    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
