---
title: Possible DLL Hijacking of acrodistdll.dll
id: 8335211b-4774-48a3-6608-5b9ff8433675
status: experimental
description: Detects possible DLL hijacking of acrodistdll.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/adobe/acrodistdll.html
author: "Pokhlebin Maxim"
date: 2023-06-08
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\acrodistdll.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\Adobe\Acrobat *\Acrobat\*'
            - 'c:\program files (x86)\Adobe\Acrobat *\Acrobat\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of vender.dll
id: 9481841b-4150-48a3-8413-5b9ff8267972
status: experimental
description: Detects possible DLL hijacking of vender.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/asus/vender.html
author: "Wietze Beukema"
date: 2023-04-04
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\vender.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\ASUS\GPU TweakII\*'
            - 'c:\program files (x86)\ASUS\GPU TweakII\*'
            - 'c:\program files\ASUS\VGA COM\*\*'
            - 'c:\program files (x86)\ASUS\VGA COM\*\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of wsc.dll
id: 2764371b-9122-48a3-7130-5b9ff8861115
status: experimental
description: Detects possible DLL hijacking of wsc.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/avast/wsc.html
author: "Matt Green"
date: 2022-08-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\wsc.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\AVAST Software\Avast\*'
            - 'c:\program files (x86)\AVAST Software\Avast\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of basicnetutils.dll
id: 8230311b-8028-48a3-7945-5b9ff8500209
status: experimental
description: Detects possible DLL hijacking of basicnetutils.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/baidu/basicnetutils.html
author: "Wietze Beukema"
date: 2023-05-03
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\basicnetutils.dll'
    filter:
        ImageLoaded:
            - 'c:\users\*\appdata\local\Temp\*\Application2\*'
            - 'c:\program files\BAIDU\BAIDUPINYIN\*\*'
            - 'c:\program files (x86)\BAIDU\BAIDUPINYIN\*\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of log.dll
id: 9451181b-1318-48a3-1317-5b9ff8166908
status: experimental
description: Detects possible DLL hijacking of log.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/bitdefender/log.html
author: "Wietze Beukema"
date: 2022-06-13
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\log.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\Bitdefender Antivirus Free\*'
            - 'c:\program files (x86)\Bitdefender Antivirus Free\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of ciscosparklauncher.dll
id: 1830021b-6060-48a3-8680-5b9ff8293352
status: experimental
description: Detects possible DLL hijacking of ciscosparklauncher.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/cisco/ciscosparklauncher.html
author: "Sorina Ionescu"
date: 2022-10-10
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\ciscosparklauncher.dll'
    filter:
        ImageLoaded:
            - 'c:\users\*\appdata\local\CiscoSparkLauncher\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of classicexplorer32.dll
id: 1270151b-4774-48a3-6608-5b9ff8770283
status: experimental
description: Detects possible DLL hijacking of classicexplorer32.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/classicshell/classicexplorer32.html
author: "Pokhlebin Maxim"
date: 2023-06-08
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\classicexplorer32.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\Classic Shell\*'
            - 'c:\program files (x86)\Classic Shell\*'
            - 'c:\program files\Open-Shell\*'
            - 'c:\program files (x86)\Open-Shell\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of vftrace.dll
id: 1895971b-7927-48a3-7311-5b9ff8937088
status: experimental
description: Detects possible DLL hijacking of vftrace.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/cyberark/vftrace.html
author: "Sorina Ionescu"
date: 2022-10-17
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\vftrace.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\CyberArk\Endpoint Privilege Manager\Agent\x32\*'
            - 'c:\program files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\*'
            - 'c:\program files\CyberArk\Endpoint Privilege Manager\Agent\x64\*'
            - 'c:\program files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x64\*'
            - 'c:\program files\CyberArk\Endpoint Privilege Manager\Agent\*'
            - 'c:\program files (x86)\CyberArk\Endpoint Privilege Manager\Agent\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of qrt.dll
id: 9810161b-1318-48a3-1317-5b9ff8680524
status: experimental
description: Detects possible DLL hijacking of qrt.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/f-secure/qrt.html
author: "Wietze Beukema"
date: 2022-06-13
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\qrt.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\F-Secure\Anti-Virus\*'
            - 'c:\program files (x86)\F-Secure\Anti-Virus\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of chrome_frame_helper.dll
id: 9361151b-6722-48a3-2305-5b9ff8772021
status: experimental
description: Detects possible DLL hijacking of chrome_frame_helper.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html
author: "Wietze Beukema"
date: 2021-12-08
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\chrome_frame_helper.dll'
    filter:
        ImageLoaded:
            - 'c:\users\*\appdata\local\Google\Chrome\Application\*'
            - 'c:\program files\Google\Chrome\Application\*'
            - 'c:\program files (x86)\Google\Chrome\Application\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of hpcustpartui.dll
id: 3589891b-8743-48a3-3543-5b9ff8444314
status: experimental
description: Detects possible DLL hijacking of hpcustpartui.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/hp/hpcustpartui.html
author: "Christiaan Beek"
date: 2023-01-10
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\hpcustpartui.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\HP\*'
            - 'c:\program files (x86)\HP\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of hpqhvsei.dll
id: 9170171b-1995-48a3-3467-5b9ff8750947
status: experimental
description: Detects possible DLL hijacking of hpqhvsei.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/hp/hpqhvsei.html
author: "Wietze Beukema"
date: 2023-02-26
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\hpqhvsei.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\HP\*'
            - 'c:\program files (x86)\HP\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of commfunc.dll
id: 9530031b-6722-48a3-2305-5b9ff8893283
status: experimental
description: Detects possible DLL hijacking of commfunc.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/lenovo/commfunc.html
author: "Wietze Beukema"
date: 2021-12-08
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\commfunc.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\Lenovo\Communications Utility\*'
            - 'c:\program files (x86)\Lenovo\Communications Utility\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of lmiguardiandll.dll
id: 8056821b-5153-48a3-7359-5b9ff8983958
status: experimental
description: Detects possible DLL hijacking of lmiguardiandll.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/logmein/lmiguardiandll.html
author: "Christiaan Beek"
date: 2023-01-11
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\lmiguardiandll.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\LogMeIn\*'
            - 'c:\program files (x86)\LogMeIn\*'
            - 'c:\program files\LogMeIn\x86\*'
            - 'c:\program files (x86)\LogMeIn\x86\*'
            - 'c:\program files\LogMeIn\x64\*'
            - 'c:\program files (x86)\LogMeIn\x64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of facesdk.dll
id: 4818681b-4150-48a3-8413-5b9ff8954421
status: experimental
description: Detects possible DLL hijacking of facesdk.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/luxand/facesdk.html
author: "Wietze Beukema"
date: 2023-04-04
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\facesdk.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\luxand\facesdk\bin\win64\*'
            - 'c:\program files (x86)\luxand\facesdk\bin\win64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of ashldres.dll
id: 2697231b-6722-48a3-2305-5b9ff8580020
status: experimental
description: Detects possible DLL hijacking of ashldres.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/mcafee/ashldres.html
author: "Wietze Beukema"
date: 2021-12-08
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\ashldres.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\McAfee.com\VSO\*'
            - 'c:\program files (x86)\McAfee.com\VSO\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of lockdown.dll
id: 2232211b-1318-48a3-1317-5b9ff8905604
status: experimental
description: Detects possible DLL hijacking of lockdown.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/mcafee/lockdown.html
author: "Wietze Beukema"
date: 2022-06-13
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\lockdown.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\McAfee\VirusScan Enterprise\*'
            - 'c:\program files (x86)\McAfee\VirusScan Enterprise\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of siteadv.dll
id: 1129001b-5201-48a3-9406-5b9ff8493552
status: experimental
description: Detects possible DLL hijacking of siteadv.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/mcafee/siteadv.html
author: "Christiaan Beek"
date: 2023-01-16
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\siteadv.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\SiteAdvisor\*\*'
            - 'c:\program files (x86)\SiteAdvisor\*\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of vsodscpl.dll
id: 8664221b-1318-48a3-1317-5b9ff8845464
status: experimental
description: Detects possible DLL hijacking of vsodscpl.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/mcafee/vsodscpl.html
author: "Wietze Beukema"
date: 2022-06-13
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\vsodscpl.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\McAfee\VirusScan Enterprise\*'
            - 'c:\program files (x86)\McAfee\VirusScan Enterprise\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of mozglue.dll
id: 6154931b-2326-48a3-2877-5b9ff8738308
status: experimental
description: Detects possible DLL hijacking of mozglue.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/mozilla/mozglue.html
author: "Wietze Beukema"
date: 2022-09-26
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\mozglue.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\SeaMonkey\*'
            - 'c:\program files (x86)\SeaMonkey\*'
            - 'c:\program files\Mozilla Firefox\*'
            - 'c:\program files (x86)\Mozilla Firefox\*'
            - 'c:\program files\Mozilla Thunderbird\*'
            - 'c:\program files (x86)\Mozilla Thunderbird\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of providers.dll
id: 4710111b-5388-48a3-9769-5b9ff8810087
status: experimental
description: Detects possible DLL hijacking of providers.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/npm/providers.html
author: "Wietze Beukema"
date: 2022-08-01
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\providers.dll'
    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of nvsmartmax.dll
id: 6820621b-3819-48a3-7381-5b9ff8297672
status: experimental
description: Detects possible DLL hijacking of nvsmartmax.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/nvidia/nvsmartmax.html
author: "Wietze Beukema"
date: 2023-09-04
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\nvsmartmax.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\NVIDIA Corporation\Display\*'
            - 'c:\program files (x86)\NVIDIA Corporation\Display\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of opera_elf.dll
id: 3451111b-5254-48a3-5583-5b9ff8715208
status: experimental
description: Detects possible DLL hijacking of opera_elf.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/opera/opera_elf.html
author: "Wietze Beukema"
date: 2023-07-28
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\opera_elf.dll'
    filter:
        ImageLoaded:
            - 'c:\users\*\appdata\local\programs\opera\*\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of winutils.dll
id: 8665401b-4150-48a3-8413-5b9ff8744995
status: experimental
description: Detects possible DLL hijacking of winutils.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/paloalto/winutils.html
author: "Wietze Beukema"
date: 2023-04-04
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\winutils.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\Palo Alto Networks\Traps\*'
            - 'c:\program files (x86)\Palo Alto Networks\Traps\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of python39.dll
id: 7556041b-2326-48a3-2877-5b9ff8836856
status: experimental
description: Detects possible DLL hijacking of python39.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/python/python39.html
author: "Wietze Beukema"
date: 2022-09-26
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\python39.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\Python39\*'
            - 'c:\program files (x86)\Python39\*'
            - 'c:\users\*\appdata\local\Temp\*\*'
            - 'c:\program files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\*'
            - 'c:\program files (x86)\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python\*'
            - '%USERPROFILE%\anaconda3\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of rzlog4cpp_logger.dll
id: 3158221b-7740-48a3-2257-5b9ff8164996
status: experimental
description: Detects possible DLL hijacking of rzlog4cpp_logger.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/razer/rzlog4cpp_logger.html
author: "Wietze Beukema"
date: 2023-04-03
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\rzlog4cpp_logger.dll'
    filter:
        ImageLoaded:
            - 'c:\users\*\appdata\local\razer\InGameEngine\cache\RzFpsApplet\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of smadhook32c.dll
id: 3416181b-4150-48a3-8413-5b9ff8316275
status: experimental
description: Detects possible DLL hijacking of smadhook32c.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/smadav/smadhook32c.html
author: "Wietze Beukema"
date: 2023-04-04
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\smadhook32c.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\Smadav\*'
            - 'c:\program files (x86)\Smadav\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of safestore32.dll
id: 9492101b-3819-48a3-7381-5b9ff8837017
status: experimental
description: Detects possible DLL hijacking of safestore32.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/sophos/safestore32.html
author: "Wietze Beukema"
date: 2023-09-04
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\safestore32.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\Sophos\Sophos Anti-Virus\*'
            - 'c:\program files (x86)\Sophos\Sophos Anti-Virus\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of ldvpocx.ocx
id: 2888911b-2523-48a3-4236-5b9ff8872802
status: experimental
description: Detects possible DLL hijacking of ldvpocx.ocx by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/symantec/ldvpocx.html
author: "Wietze Beukema"
date: 2023-04-22
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\ldvpocx.ocx'
    filter:
        ImageLoaded:
            - 'c:\program files\Symantec_Client_Security\Symantec AntiVirus\*'
            - 'c:\program files (x86)\Symantec_Client_Security\Symantec AntiVirus\*'
            - 'c:\program files\Symantec AntiVirus\*'
            - 'c:\program files (x86)\Symantec AntiVirus\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of rastls.dll
id: 2346691b-1995-48a3-3467-5b9ff8265175
status: experimental
description: Detects possible DLL hijacking of rastls.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/symantec/rastls.html
author: "Wietze Beukema"
date: 2023-02-26
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\rastls.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\Symantec\Network Connected Devices Auto Setup\*'
            - 'c:\program files (x86)\Symantec\Network Connected Devices Auto Setup\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of shellsel.ocx
id: 2664661b-4150-48a3-8413-5b9ff8735128
status: experimental
description: Detects possible DLL hijacking of shellsel.ocx by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/symantec/shellsel.html
author: "Wietze Beukema"
date: 2023-04-04
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\shellsel.ocx'
    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of tosbtkbd.dll
id: 9671701b-6727-48a3-6557-5b9ff8159819
status: experimental
description: Detects possible DLL hijacking of tosbtkbd.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/toshiba/tosbtkbd.html
author: "Wietze Beukema"
date: 2022-06-14
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\tosbtkbd.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\Toshiba\Bluetooth Toshiba Stack\*'
            - 'c:\program files (x86)\Toshiba\Bluetooth Toshiba Stack\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of tmdbglog.dll
id: 1956941b-5201-48a3-9406-5b9ff8905624
status: experimental
description: Detects possible DLL hijacking of tmdbglog.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/trendmicro/tmdbglog.html
author: "Christiaan Beek"
date: 2023-01-16
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\tmdbglog.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\Trend Micro\Titanium\*'
            - 'c:\program files (x86)\Trend Micro\Titanium\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of tmtap.dll
id: 8739701b-2945-48a3-7988-5b9ff8844509
status: experimental
description: Detects possible DLL hijacking of tmtap.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/trendmicro/tmtap.html
author: "Wietze Beukema"
date: 2022-05-26
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\tmtap.dll'
    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of utiluniclient.dll
id: 8929171b-5805-48a3-6769-5b9ff8388944
status: experimental
description: Detects possible DLL hijacking of utiluniclient.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/trendmicro/utiluniclient.html
author: "Wietze Beukema"
date: 2021-02-28
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\utiluniclient.dll'
    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of unityplayer.dll
id: 8888881b-8028-48a3-7945-5b9ff8900792
status: experimental
description: Detects possible DLL hijacking of unityplayer.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/unity/unityplayer.html
author: "Wietze Beukema"
date: 2023-05-03
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\unityplayer.dll'
    filter:
        ImageLoaded:
            - 'c:\users\*\appdata\local\Temp\*\Windows\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of vntfxf32.dll
id: 5845121b-4150-48a3-8413-5b9ff8327495
status: experimental
description: Detects possible DLL hijacking of vntfxf32.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/ventafax/vntfxf32.html
author: "Wietze Beukema"
date: 2023-04-04
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\vntfxf32.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\Venta\VentaFax & Voice\*'
            - 'c:\program files (x86)\Venta\VentaFax & Voice\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of vivaldi_elf.dll
id: 5086081b-2523-48a3-4236-5b9ff8819409
status: experimental
description: Detects possible DLL hijacking of vivaldi_elf.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/vivaldi/vivaldi_elf.html
author: "Wietze Beukema"
date: 2023-04-22
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\vivaldi_elf.dll'
    filter:
        ImageLoaded:
            - 'c:\users\*\appdata\local\Vivaldi\Application\*'
            - 'c:\users\*\appdata\local\Vivaldi\Application\*\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of libvlc.dll
id: 1010921b-1035-48a3-1344-5b9ff8330336
status: experimental
description: Detects possible DLL hijacking of libvlc.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html
author: "Wietze Beukema"
date: 2022-11-18
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\libvlc.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\VideoLAN\VLC\*'
            - 'c:\program files (x86)\VideoLAN\VLC\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of glib-2.0.dll
id: 7524131b-7740-48a3-2257-5b9ff8783090
status: experimental
description: Detects possible DLL hijacking of glib-2.0.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/vmware/glib-2.0.html
author: "Wietze Beukema"
date: 2023-04-03
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\glib-2.0.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\VMware\VMware Tools\*'
            - 'c:\program files (x86)\VMware\VMware Tools\*'
            - 'c:\program files\VMware\VMware Workstation\*'
            - 'c:\program files (x86)\VMware\VMware Workstation\*'
            - 'c:\program files\VMware\VMware Player\*'
            - 'c:\program files (x86)\VMware\VMware Player\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of shfolder.dll
id: 8124061b-4759-48a3-7597-5b9ff8844449
status: experimental
description: Detects possible DLL hijacking of shfolder.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/vmware/shfolder.html
author: "Wietze Beukema"
date: 2021-11-21
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\shfolder.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of x32bridge.dll
id: 1216791b-9223-48a3-6181-5b9ff8946663
status: experimental
description: Detects possible DLL hijacking of x32bridge.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/x64dbg/x32bridge.html
author: "Wietze Beukema"
date: 2023-03-01
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\x32bridge.dll'
    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of aclui.dll
id: 6961131b-1313-48a3-6160-5b9ff8597384
status: experimental
description: Detects possible DLL hijacking of aclui.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/aclui.html
author: "Wietze Beukema"
date: 2021-12-07
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\aclui.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of activeds.dll
id: 1561771b-9395-48a3-4833-5b9ff8384545
status: experimental
description: Detects possible DLL hijacking of activeds.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/activeds.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\activeds.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
--- title: Possible DLL Hijacking of adsldpc.dll id: 2821251b-9395-48a3-4833-5b9ff8167320 status: experimental description: Detects possible DLL hijacking of adsldpc.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/adsldpc.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\adsldpc.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of aepic.dll id: 7114001b-9395-48a3-4833-5b9ff8310426 status: experimental description: Detects possible DLL hijacking of aepic.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/aepic.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\aepic.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of apphelp.dll id: 1083241b-9395-48a3-4833-5b9ff8805110 status: experimental description: Detects possible DLL hijacking of apphelp.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/apphelp.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.001 - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\apphelp.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of applicationframe.dll id: 7730761b-2897-48a3-6541-5b9ff8503660 status: experimental description: Detects possible DLL hijacking of applicationframe.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/applicationframe.html author: "Wietze Beukema" date: 2022-05-21 tags: - attack.defense_evasion - attack.T1574 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\applicationframe.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of appvpolicy.dll id: 5334351b-2028-48a3-1241-5b9ff8107382 status: experimental description: Detects possible DLL hijacking of appvpolicy.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/appvpolicy.html author: "Chris Spehn" date: 2021-08-16 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\appvpolicy.dll' filter: ImageLoaded: - 'c:\windows\system32\*' condition: selection and not filter falsepositives: - False positives are likely. 
This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of appwiz.cpl id: 9483911b-8657-48a3-9976-5b9ff8530009 status: experimental description: Detects possible DLL hijacking of appwiz.cpl by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/appwiz.html author: "Wietze Beukema" date: 2024-01-11 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\appwiz.cpl' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of appxalluserstore.dll id: 7919611b-9395-48a3-4833-5b9ff8281862 status: experimental description: Detects possible DLL hijacking of appxalluserstore.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/appxalluserstore.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\appxalluserstore.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of appxdeploymentclient.dll id: 7568421b-9395-48a3-4833-5b9ff8638490 status: experimental description: Detects possible DLL hijacking of appxdeploymentclient.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/appxdeploymentclient.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\appxdeploymentclient.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of archiveint.dll id: 1146711b-9395-48a3-4833-5b9ff8135242 status: experimental description: Detects possible DLL hijacking of archiveint.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/archiveint.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\archiveint.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of atl.dll id: 6673331b-9395-48a3-4833-5b9ff8300501 status: experimental description: Detects possible DLL hijacking of atl.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/atl.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\atl.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. 
This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of audioses.dll id: 8022591b-9395-48a3-4833-5b9ff8731679 status: experimental description: Detects possible DLL hijacking of audioses.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/audioses.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\audioses.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of auditpolcore.dll id: 4819821b-9395-48a3-4833-5b9ff8425921 status: experimental description: Detects possible DLL hijacking of auditpolcore.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/auditpolcore.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\auditpolcore.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of authfwcfg.dll id: 1368621b-9395-48a3-4833-5b9ff8719918 status: experimental description: Detects possible DLL hijacking of authfwcfg.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/authfwcfg.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\authfwcfg.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of authz.dll id: 9309811b-9395-48a3-4833-5b9ff8476213 status: experimental description: Detects possible DLL hijacking of authz.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/authz.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\authz.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of avrt.dll id: 3280761b-9395-48a3-4833-5b9ff8777444 status: experimental description: Detects possible DLL hijacking of avrt.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/avrt.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\avrt.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. 
--- title: Possible DLL Hijacking of batmeter.dll id: 9973811b-7437-48a3-2115-5b9ff8730738 status: experimental description: Detects possible DLL hijacking of batmeter.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/batmeter.html author: "Chris Spehn" date: 2021-08-17 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\batmeter.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of bcd.dll id: 8147011b-9395-48a3-4833-5b9ff8624399 status: experimental description: Detects possible DLL hijacking of bcd.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/bcd.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\bcd.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of bcp47langs.dll id: 6006201b-9395-48a3-4833-5b9ff8831169 status: experimental description: Detects possible DLL hijacking of bcp47langs.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/bcp47langs.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\bcp47langs.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of bcp47mrm.dll id: 5611531b-9395-48a3-4833-5b9ff8838292 status: experimental description: Detects possible DLL hijacking of bcp47mrm.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/bcp47mrm.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\bcp47mrm.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of bcrypt.dll id: 1391451b-2897-48a3-6541-5b9ff8903512 status: experimental description: Detects possible DLL hijacking of bcrypt.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/bcrypt.html author: "Wietze Beukema" date: 2022-05-21 tags: - attack.defense_evasion - attack.T1574 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\bcrypt.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. 
--- title: Possible DLL Hijacking of bderepair.dll id: 8510401b-9395-48a3-4833-5b9ff8929683 status: experimental description: Detects possible DLL hijacking of bderepair.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/bderepair.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\bderepair.dll' filter: ImageLoaded: - 'c:\windows\system32\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of bootmenuux.dll id: 6290591b-9395-48a3-4833-5b9ff8715871 status: experimental description: Detects possible DLL hijacking of bootmenuux.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/bootmenuux.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\bootmenuux.dll' filter: ImageLoaded: - 'c:\windows\system32\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of bootux.dll id: 3253141b-2028-48a3-1241-5b9ff8137525 status: experimental description: Detects possible DLL hijacking of bootux.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/bootux.html author: "Chris Spehn" date: 2021-08-16 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\bootux.dll' filter: ImageLoaded: - 'c:\windows\system32\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of cabinet.dll id: 1147391b-9395-48a3-4833-5b9ff8774102 status: experimental description: Detects possible DLL hijacking of cabinet.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/cabinet.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574 - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\cabinet.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of cabview.dll id: 4608831b-2897-48a3-6541-5b9ff8579534 status: experimental description: Detects possible DLL hijacking of cabview.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/cabview.html author: "Wietze Beukema" date: 2022-05-21 tags: - attack.defense_evasion - attack.T1574 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\cabview.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. 
--- title: Possible DLL Hijacking of cdpsgshims.dll id: 4611701b-9122-48a3-7130-5b9ff8297414 status: experimental description: Detects possible DLL hijacking of cdpsgshims.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/cdpsgshims.html author: "k4nfr3" date: 2022-08-15 tags: - attack.defense_evasion - attack.T1574.001 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\cdpsgshims.dll' condition: selection falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of certcli.dll id: 9039271b-2028-48a3-1241-5b9ff8865992 status: experimental description: Detects possible DLL hijacking of certcli.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/certcli.html author: "Chris Spehn" date: 2021-08-16 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\certcli.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of certenroll.dll id: 2262221b-9395-48a3-4833-5b9ff8558051 status: experimental description: Detects possible DLL hijacking of certenroll.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/certenroll.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\certenroll.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of cfgmgr32.dll id: 8798341b-4582-48a3-1057-5b9ff8403867 status: experimental description: Detects possible DLL hijacking of cfgmgr32.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/cfgmgr32.html author: "Wietze Beukema" date: 2023-05-19 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\cfgmgr32.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of cldapi.dll id: 2513711b-9395-48a3-4833-5b9ff8133169 status: experimental description: Detects possible DLL hijacking of cldapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/cldapi.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\cldapi.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. 
--- title: Possible DLL Hijacking of clipc.dll id: 4992581b-9395-48a3-4833-5b9ff8734121 status: experimental description: Detects possible DLL hijacking of clipc.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/clipc.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\clipc.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of clusapi.dll id: 9283911b-9395-48a3-4833-5b9ff8443136 status: experimental description: Detects possible DLL hijacking of clusapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/clusapi.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\clusapi.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of cmpbk32.dll id: 6999161b-9395-48a3-4833-5b9ff8418126 status: experimental description: Detects possible DLL hijacking of cmpbk32.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/cmpbk32.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\cmpbk32.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of cmutil.dll id: 6540491b-2028-48a3-1241-5b9ff8812845 status: experimental description: Detects possible DLL hijacking of cmutil.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/cmutil.html author: "Chris Spehn" date: 2021-08-16 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\cmutil.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of coloradapterclient.dll id: 2341451b-9395-48a3-4833-5b9ff8294719 status: experimental description: Detects possible DLL hijacking of coloradapterclient.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/coloradapterclient.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\coloradapterclient.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. 
This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of colorui.dll id: 3050931b-9395-48a3-4833-5b9ff8851919 status: experimental description: Detects possible DLL hijacking of colorui.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/colorui.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\colorui.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of comdlg32.dll id: 3569471b-2897-48a3-6541-5b9ff8976607 status: experimental description: Detects possible DLL hijacking of comdlg32.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/comdlg32.html author: "Wietze Beukema" date: 2022-05-21 tags: - attack.defense_evasion - attack.T1574 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\comdlg32.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of configmanager2.dll id: 8097611b-2028-48a3-1241-5b9ff8697132 status: experimental description: Detects possible DLL hijacking of configmanager2.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/configmanager2.html author: "Chris Spehn" date: 2021-08-16 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\configmanager2.dll' filter: ImageLoaded: - 'c:\windows\system32\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of connect.dll id: 6694051b-2897-48a3-6541-5b9ff8768439 status: experimental description: Detects possible DLL hijacking of connect.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/connect.html author: "Wietze Beukema" date: 2022-05-21 tags: - attack.defense_evasion - attack.T1574 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\connect.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of coredplus.dll id: 5265761b-7437-48a3-2115-5b9ff8350063 status: experimental description: Detects possible DLL hijacking of coredplus.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/coredplus.html author: "Chris Spehn" date: 2021-08-17 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\coredplus.dll' filter: ImageLoaded: - 'c:\windows\system32\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. 
---
title: Possible DLL Hijacking of coremessaging.dll
id: 8595491b-9395-48a3-4833-5b9ff8771827
status: experimental
description: Detects possible DLL hijacking of coremessaging.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/coremessaging.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\coremessaging.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of coreuicomponents.dll
id: 3082241b-2028-48a3-1241-5b9ff8578966
status: experimental
description: Detects possible DLL hijacking of coreuicomponents.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/coreuicomponents.html
author: "Chris Spehn"
date: 2021-08-16
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\coreuicomponents.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of credui.dll
id: 8542451b-9395-48a3-4833-5b9ff8440692
status: experimental
description: Detects possible DLL hijacking of credui.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/credui.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\credui.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of cryptbase.dll
id: 4433671b-9395-48a3-4833-5b9ff8337593
status: experimental
description: Detects possible DLL hijacking of cryptbase.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/cryptbase.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\cryptbase.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of cryptdll.dll
id: 6409001b-9395-48a3-4833-5b9ff8362190
status: experimental
description: Detects possible DLL hijacking of cryptdll.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/cryptdll.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\cryptdll.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely.
    This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of cryptsp.dll
id: 2843041b-2028-48a3-1241-5b9ff8669152
status: experimental
description: Detects possible DLL hijacking of cryptsp.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/cryptsp.html
author: "Chris Spehn"
date: 2021-08-16
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\cryptsp.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of cryptui.dll
id: 1397951b-9395-48a3-4833-5b9ff8375484
status: experimental
description: Detects possible DLL hijacking of cryptui.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/cryptui.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\cryptui.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of cryptxml.dll
id: 4433931b-9395-48a3-4833-5b9ff8581863
status: experimental
description: Detects possible DLL hijacking of cryptxml.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/cryptxml.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\cryptxml.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of cscapi.dll
id: 6635271b-9395-48a3-4833-5b9ff8543091
status: experimental
description: Detects possible DLL hijacking of cscapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/cscapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\cscapi.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of cscobj.dll
id: 4910871b-2897-48a3-6541-5b9ff8780619
status: experimental
description: Detects possible DLL hijacking of cscobj.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/cscobj.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
  - attack.defense_evasion
  - attack.T1574
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\cscobj.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of cscui.dll
id: 7447111b-2897-48a3-6541-5b9ff8230164
status: experimental
description: Detects possible DLL hijacking of cscui.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/cscui.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
  - attack.defense_evasion
  - attack.T1574
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\cscui.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of d2d1.dll
id: 5931671b-9395-48a3-4833-5b9ff8110157
status: experimental
description: Detects possible DLL hijacking of d2d1.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/d2d1.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\d2d1.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of d3d10.dll
id: 7231501b-9395-48a3-4833-5b9ff8901798
status: experimental
description: Detects possible DLL hijacking of d3d10.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/d3d10.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\d3d10.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of d3d10_1.dll
id: 3305521b-9395-48a3-4833-5b9ff8639490
status: experimental
description: Detects possible DLL hijacking of d3d10_1.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/d3d10_1.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\d3d10_1.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of d3d10_1core.dll
id: 5334921b-9395-48a3-4833-5b9ff8162909
status: experimental
description: Detects possible DLL hijacking of d3d10_1core.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/d3d10_1core.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\d3d10_1core.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely.
    This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of d3d10core.dll
id: 9260901b-9395-48a3-4833-5b9ff8425217
status: experimental
description: Detects possible DLL hijacking of d3d10core.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/d3d10core.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\d3d10core.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of d3d10warp.dll
id: 4882561b-9395-48a3-4833-5b9ff8870216
status: experimental
description: Detects possible DLL hijacking of d3d10warp.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/d3d10warp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\d3d10warp.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of d3d11.dll
id: 3648821b-9395-48a3-4833-5b9ff8970198
status: experimental
description: Detects possible DLL hijacking of d3d11.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/d3d11.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\d3d11.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of d3d12.dll
id: 5543691b-9395-48a3-4833-5b9ff8102542
status: experimental
description: Detects possible DLL hijacking of d3d12.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/d3d12.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\d3d12.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of d3d9.dll
id: 8213181b-9395-48a3-4833-5b9ff8691183
status: experimental
description: Detects possible DLL hijacking of d3d9.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/d3d9.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\d3d9.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of d3dcompiler_47.dll
id: 4206841b-9395-48a3-4833-5b9ff8530571
status: experimental
description: Detects possible DLL hijacking of d3dcompiler_47.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/d3dcompiler_47.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\d3dcompiler_47.dll'
  filter:
    ImageLoaded:
      - 'c:\program files\windows kits\10\bin\*\x64\*'
      - 'c:\program files (x86)\windows kits\10\bin\*\x64\*'
      - 'c:\program files\windows kits\10\bin\*\x86\*'
      - 'c:\program files (x86)\windows kits\10\bin\*\x86\*'
      - 'c:\program files\windows kits\10\redist\d3d\x64\*'
      - 'c:\program files (x86)\windows kits\10\redist\d3d\x64\*'
      - 'c:\program files\windows kits\10\redist\d3d\x86\*'
      - 'c:\program files (x86)\windows kits\10\redist\d3d\x86\*'
      - 'c:\program files\wireshark\*'
      - 'c:\program files (x86)\wireshark\*'
      - 'c:\program files\cisco systems\cisco jabber\*'
      - 'c:\program files (x86)\cisco systems\cisco jabber\*'
      - 'c:\program files\microsoft\edge\application\*\*'
      - 'c:\program files (x86)\microsoft\edge\application\*\*'
      - 'c:\program files\Google\Chrome\Application\*\*'
      - 'c:\program files (x86)\Google\Chrome\Application\*\*'
      - 'c:\users\*\appdata\local\microsoft\teams\stage\*'
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of d3dx9_43.dll
id: 7675061b-8028-48a3-7945-5b9ff8245014
status: experimental
description: Detects possible DLL hijacking of d3dx9_43.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/d3dx9_43.html
author: "Wietze Beukema"
date: 2023-05-03
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\d3dx9_43.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of dataexchange.dll
id: 3976841b-2897-48a3-6541-5b9ff8191828
status: experimental
description: Detects possible DLL hijacking of dataexchange.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/dataexchange.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
  - attack.defense_evasion
  - attack.T1574
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\dataexchange.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of davclnt.dll
id: 9202761b-2897-48a3-6541-5b9ff8342534
status: experimental
description: Detects possible DLL hijacking of davclnt.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/davclnt.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
  - attack.defense_evasion
  - attack.T1574
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\davclnt.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely.
    This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of dbgcore.dll
id: 3986661b-9395-48a3-4833-5b9ff8671231
status: experimental
description: Detects possible DLL hijacking of dbgcore.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/dbgcore.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\dbgcore.dll'
  filter:
    ImageLoaded:
      - 'c:\program files\windows kits\10\debuggers\arm\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\arm\*'
      - 'c:\program files\windows kits\10\debuggers\arm\srcsrv\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\arm\srcsrv\*'
      - 'c:\program files\windows kits\10\debuggers\arm64\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\arm64\*'
      - 'c:\program files\windows kits\10\debuggers\arm64\srcsrv\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\arm64\srcsrv\*'
      - 'c:\program files\windows kits\10\debuggers\x64\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\x64\*'
      - 'c:\program files\windows kits\10\debuggers\x64\srcsrv\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\x64\srcsrv\*'
      - 'c:\program files\windows kits\10\debuggers\x86\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\x86\*'
      - 'c:\program files\windows kits\10\debuggers\x86\srcsrv\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\x86\srcsrv\*'
      - 'c:\program files\microsoft office\root\office*\*'
      - 'c:\program files (x86)\microsoft office\root\office*\*'
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of dbghelp.dll
id: 7256631b-9395-48a3-4833-5b9ff8211460
status: experimental
description: Detects possible DLL hijacking of dbghelp.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/dbghelp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\dbghelp.dll'
  filter:
    ImageLoaded:
      - 'c:\program files\windows kits\10\debuggers\arm\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\arm\*'
      - 'c:\program files\windows kits\10\debuggers\arm\srcsrv\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\arm\srcsrv\*'
      - 'c:\program files\windows kits\10\debuggers\arm64\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\arm64\*'
      - 'c:\program files\windows kits\10\debuggers\arm64\srcsrv\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\arm64\srcsrv\*'
      - 'c:\program files\windows kits\10\debuggers\x64\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\x64\*'
      - 'c:\program files\windows kits\10\debuggers\x64\srcsrv\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\x64\srcsrv\*'
      - 'c:\program files\windows kits\10\debuggers\x86\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\x86\*'
      - 'c:\program files\windows kits\10\debuggers\x86\srcsrv\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\x86\srcsrv\*'
      - 'c:\program files\cisco systems\cisco jabber\*'
      - 'c:\program files (x86)\cisco systems\cisco jabber\*'
      - 'c:\program files\microsoft office\root\office*\*'
      - 'c:\program files (x86)\microsoft office\root\office*\*'
      - 'c:\program files\microsoft office\root\vfs\programfilesx86\microsoft analysis services\as oledb\140\*'
      - 'c:\program files (x86)\microsoft office\root\vfs\programfilesx86\microsoft analysis services\as oledb\140\*'
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of dbgmodel.dll
id: 1149381b-2811-48a3-1599-5b9ff8991076
status: experimental
description: Detects possible DLL hijacking of dbgmodel.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html
author: "Gary Lobermier"
date: 2023-05-22
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\dbgmodel.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
      - 'c:\program files\Windows Kits\10\Debuggers\*\*'
      - 'c:\program files (x86)\Windows Kits\10\Debuggers\*\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of dcntel.dll
id: 8030551b-9395-48a3-4833-5b9ff8110108
status: experimental
description: Detects possible DLL hijacking of dcntel.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/dcntel.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\dcntel.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of dcomp.dll
id: 5237441b-9395-48a3-4833-5b9ff8380347
status: experimental
description: Detects possible DLL hijacking of dcomp.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/dcomp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\dcomp.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of defragproxy.dll
id: 3280331b-2897-48a3-6541-5b9ff8912656
status: experimental
description: Detects possible DLL hijacking of defragproxy.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/defragproxy.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
  - attack.defense_evasion
  - attack.T1574
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\defragproxy.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of desktopshellext.dll
id: 7748221b-2897-48a3-6541-5b9ff8161828
status: experimental
description: Detects possible DLL hijacking of desktopshellext.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/desktopshellext.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
  - attack.defense_evasion
  - attack.T1574
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\desktopshellext.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of deviceassociation.dll
id: 9855841b-9395-48a3-4833-5b9ff8471968
status: experimental
description: Detects possible DLL hijacking of deviceassociation.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/deviceassociation.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\deviceassociation.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of devicecredential.dll
id: 2311881b-9395-48a3-4833-5b9ff8413673
status: experimental
description: Detects possible DLL hijacking of devicecredential.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/devicecredential.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\devicecredential.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of devicepairing.dll
id: 7879041b-2897-48a3-6541-5b9ff8260424
status: experimental
description: Detects possible DLL hijacking of devicepairing.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/devicepairing.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
  - attack.defense_evasion
  - attack.T1574
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\devicepairing.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of devobj.dll
id: 8682071b-9395-48a3-4833-5b9ff8213828
status: experimental
description: Detects possible DLL hijacking of devobj.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/devobj.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\devobj.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely.
    This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of devrtl.dll
id: 9963881b-9395-48a3-4833-5b9ff8275661
status: experimental
description: Detects possible DLL hijacking of devrtl.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/devrtl.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\devrtl.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of dhcpcmonitor.dll
id: 9436531b-9395-48a3-4833-5b9ff8729785
status: experimental
description: Detects possible DLL hijacking of dhcpcmonitor.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/dhcpcmonitor.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\dhcpcmonitor.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of dhcpcsvc.dll
id: 5762871b-9395-48a3-4833-5b9ff8822380
status: experimental
description: Detects possible DLL hijacking of dhcpcsvc.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/dhcpcsvc.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\dhcpcsvc.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of dhcpcsvc6.dll
id: 4765141b-9395-48a3-4833-5b9ff8354004
status: experimental
description: Detects possible DLL hijacking of dhcpcsvc6.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/dhcpcsvc6.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.002
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\dhcpcsvc6.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of directmanipulation.dll
id: 5855901b-3713-48a3-9900-5b9ff8898085
status: experimental
description: Detects possible DLL hijacking of directmanipulation.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/directmanipulation.html
author: "Wietze Beukema"
date: 2022-08-14
tags:
  - attack.defense_evasion
  - attack.T1574
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\directmanipulation.dll'
  filter:
    ImageLoaded:
      - 'c:\windows\system32\*'
      - 'c:\windows\syswow64\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely.
This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dismapi.dll id: 4578091b-9395-48a3-4833-5b9ff8120334 status: experimental description: Detects possible DLL hijacking of dismapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dismapi.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dismapi.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dismcore.dll id: 6725211b-5805-48a3-6769-5b9ff8788742 status: experimental description: Detects possible DLL hijacking of dismcore.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dismcore.html author: "Wietze Beukema" date: 2021-02-28 tags: - attack.defense_evasion - attack.T1574.001 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dismcore.dll' filter: ImageLoaded: - 'c:\windows\system32\dism\*' - 'c:\windows\syswow64\dism\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dmcfgutils.dll id: 4315001b-9395-48a3-4833-5b9ff8447004 status: experimental description: Detects possible DLL hijacking of dmcfgutils.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/dmcfgutils.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dmcfgutils.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dmcmnutils.dll id: 7101171b-9395-48a3-4833-5b9ff8856627 status: experimental description: Detects possible DLL hijacking of dmcmnutils.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dmcmnutils.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dmcmnutils.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dmcommandlineutils.dll id: 7692221b-7437-48a3-2115-5b9ff8410370 status: experimental description: Detects possible DLL hijacking of dmcommandlineutils.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dmcommandlineutils.html author: "Chris Spehn" date: 2021-08-17 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dmcommandlineutils.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. 
This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dmenrollengine.dll id: 2833241b-9395-48a3-4833-5b9ff8631937 status: experimental description: Detects possible DLL hijacking of dmenrollengine.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dmenrollengine.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dmenrollengine.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dmenterprisediagnostics.dll id: 6398361b-9395-48a3-4833-5b9ff8265899 status: experimental description: Detects possible DLL hijacking of dmenterprisediagnostics.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dmenterprisediagnostics.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dmenterprisediagnostics.dll' filter: ImageLoaded: - 'c:\windows\system32\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dmiso8601utils.dll id: 1237531b-9395-48a3-4833-5b9ff8860726 status: experimental description: Detects possible DLL hijacking of dmiso8601utils.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/dmiso8601utils.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dmiso8601utils.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dmoleaututils.dll id: 2300381b-9395-48a3-4833-5b9ff8409411 status: experimental description: Detects possible DLL hijacking of dmoleaututils.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dmoleaututils.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dmoleaututils.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dmprocessxmlfiltered.dll id: 4632911b-9395-48a3-4833-5b9ff8323781 status: experimental description: Detects possible DLL hijacking of dmprocessxmlfiltered.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/dmprocessxmlfiltered.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dmprocessxmlfiltered.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dmpushproxy.dll id: 5175911b-9395-48a3-4833-5b9ff8172848 status: experimental description: Detects possible DLL hijacking of dmpushproxy.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dmpushproxy.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dmpushproxy.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dmxmlhelputils.dll id: 8575151b-9395-48a3-4833-5b9ff8562376 status: experimental description: Detects possible DLL hijacking of dmxmlhelputils.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dmxmlhelputils.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dmxmlhelputils.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. 
This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dnsapi.dll id: 1569141b-9395-48a3-4833-5b9ff8108668 status: experimental description: Detects possible DLL hijacking of dnsapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dnsapi.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dnsapi.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dot3api.dll id: 8362961b-9395-48a3-4833-5b9ff8109650 status: experimental description: Detects possible DLL hijacking of dot3api.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dot3api.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dot3api.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dot3cfg.dll id: 4314991b-9395-48a3-4833-5b9ff8437609 status: experimental description: Detects possible DLL hijacking of dot3cfg.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/dot3cfg.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dot3cfg.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dpx.dll id: 3902171b-9395-48a3-4833-5b9ff8492788 status: experimental description: Detects possible DLL hijacking of dpx.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dpx.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dpx.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of drprov.dll id: 9503921b-2897-48a3-6541-5b9ff8288683 status: experimental description: Detects possible DLL hijacking of drprov.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/drprov.html author: "Wietze Beukema" date: 2022-05-21 tags: - attack.defense_evasion - attack.T1574 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\drprov.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. 
--- title: Possible DLL Hijacking of drvstore.dll id: 6411321b-7437-48a3-2115-5b9ff8903981 status: experimental description: Detects possible DLL hijacking of drvstore.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/drvstore.html author: "Chris Spehn" date: 2021-08-17 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\drvstore.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dsclient.dll id: 6179271b-9395-48a3-4833-5b9ff8530615 status: experimental description: Detects possible DLL hijacking of dsclient.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dsclient.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dsclient.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dsparse.dll id: 6615071b-9395-48a3-4833-5b9ff8465170 status: experimental description: Detects possible DLL hijacking of dsparse.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/dsparse.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dsparse.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dsprop.dll id: 1827781b-2028-48a3-1241-5b9ff8874195 status: experimental description: Detects possible DLL hijacking of dsprop.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dsprop.html author: "Chris Spehn" date: 2021-08-16 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dsprop.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dsreg.dll id: 6792491b-9395-48a3-4833-5b9ff8651445 status: experimental description: Detects possible DLL hijacking of dsreg.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dsreg.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dsreg.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. 
--- title: Possible DLL Hijacking of dsrole.dll id: 9078061b-9395-48a3-4833-5b9ff8546846 status: experimental description: Detects possible DLL hijacking of dsrole.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dsrole.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574 - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dsrole.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dui70.dll id: 2217051b-9395-48a3-4833-5b9ff8420789 status: experimental description: Detects possible DLL hijacking of dui70.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dui70.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574 - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dui70.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of duser.dll id: 2328901b-9395-48a3-4833-5b9ff8203981 status: experimental description: Detects possible DLL hijacking of duser.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/duser.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\duser.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dusmapi.dll id: 1329851b-9395-48a3-4833-5b9ff8295463 status: experimental description: Detects possible DLL hijacking of dusmapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dusmapi.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dusmapi.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dwmapi.dll id: 2798411b-9395-48a3-4833-5b9ff8309116 status: experimental description: Detects possible DLL hijacking of dwmapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dwmapi.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dwmapi.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. 
--- title: Possible DLL Hijacking of dwmcore.dll id: 4981431b-9395-48a3-4833-5b9ff8158685 status: experimental description: Detects possible DLL hijacking of dwmcore.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dwmcore.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dwmcore.dll' filter: ImageLoaded: - 'c:\windows\system32\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dwrite.dll id: 6528591b-9395-48a3-4833-5b9ff8217120 status: experimental description: Detects possible DLL hijacking of dwrite.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dwrite.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dwrite.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dxcore.dll id: 8833021b-7437-48a3-2115-5b9ff8124273 status: experimental description: Detects possible DLL hijacking of dxcore.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/dxcore.html author: "Chris Spehn" date: 2021-08-17 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dxcore.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dxgi.dll id: 3010001b-9395-48a3-4833-5b9ff8198142 status: experimental description: Detects possible DLL hijacking of dxgi.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dxgi.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dxgi.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of dxva2.dll id: 2453841b-9395-48a3-4833-5b9ff8585241 status: experimental description: Detects possible DLL hijacking of dxva2.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dxva2.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dxva2.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. 
--- title: Possible DLL Hijacking of dynamoapi.dll id: 5174911b-9395-48a3-4833-5b9ff8133347 status: experimental description: Detects possible DLL hijacking of dynamoapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/dynamoapi.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\dynamoapi.dll' filter: ImageLoaded: - 'c:\windows\system32\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of eappcfg.dll id: 6614821b-9395-48a3-4833-5b9ff8230295 status: experimental description: Detects possible DLL hijacking of eappcfg.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/eappcfg.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574 - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\eappcfg.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of eappprxy.dll id: 9359381b-9395-48a3-4833-5b9ff8247280 status: experimental description: Detects possible DLL hijacking of eappprxy.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/eappprxy.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\eappprxy.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of edgeiso.dll id: 3554481b-7437-48a3-2115-5b9ff8269713 status: experimental description: Detects possible DLL hijacking of edgeiso.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/edgeiso.html author: "Chris Spehn" date: 2021-08-17 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\edgeiso.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of edputil.dll id: 6856631b-9395-48a3-4833-5b9ff8611042 status: experimental description: Detects possible DLL hijacking of edputil.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/edputil.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\edputil.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. 
--- title: Possible DLL Hijacking of efsadu.dll id: 9895721b-9395-48a3-4833-5b9ff8139270 status: experimental description: Detects possible DLL hijacking of efsadu.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/efsadu.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\efsadu.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of efsutil.dll id: 1016901b-9395-48a3-4833-5b9ff8578611 status: experimental description: Detects possible DLL hijacking of efsutil.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/efsutil.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574 - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\efsutil.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of esent.dll id: 8403011b-9395-48a3-4833-5b9ff8836666 status: experimental description: Detects possible DLL hijacking of esent.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references:
    - https://hijacklibs.net/entries/microsoft/built-in/esent.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\esent.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of execmodelproxy.dll
id: 3069481b-2897-48a3-6541-5b9ff8129344
status: experimental
description: Detects possible DLL hijacking of execmodelproxy.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/execmodelproxy.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\execmodelproxy.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of explorerframe.dll
id: 6152011b-2897-48a3-6541-5b9ff8339277
status: experimental
description: Detects possible DLL hijacking of explorerframe.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/explorerframe.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\explorerframe.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of fastprox.dll
id: 1209541b-2897-48a3-6541-5b9ff8404127
status: experimental
description: Detects possible DLL hijacking of fastprox.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fastprox.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\fastprox.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\wbem\*'
            - 'c:\windows\syswow64\wbem\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of faultrep.dll
id: 4150201b-9395-48a3-4833-5b9ff8417232
status: experimental
description: Detects possible DLL hijacking of faultrep.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/faultrep.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\faultrep.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of fddevquery.dll
id: 2032171b-2897-48a3-6541-5b9ff8220303
status: experimental
description: Detects possible DLL hijacking of fddevquery.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fddevquery.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\fddevquery.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of feclient.dll
id: 2125071b-9395-48a3-4833-5b9ff8405483
status: experimental
description: Detects possible DLL hijacking of feclient.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/feclient.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\feclient.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of fhcfg.dll
id: 4670021b-2897-48a3-6541-5b9ff8306297
status: experimental
description: Detects possible DLL hijacking of fhcfg.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fhcfg.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\fhcfg.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of fhsvcctl.dll
id: 8416711b-9395-48a3-4833-5b9ff8207831
status: experimental
description: Detects possible DLL hijacking of fhsvcctl.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fhsvcctl.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\fhsvcctl.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of firewallapi.dll
id: 1091481b-9395-48a3-4833-5b9ff8446599
status: experimental
description: Detects possible DLL hijacking of firewallapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/firewallapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\firewallapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of flightsettings.dll
id: 4727241b-2897-48a3-6541-5b9ff8682949
status: experimental
description: Detects possible DLL hijacking of flightsettings.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/flightsettings.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\flightsettings.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of fltlib.dll
id: 5167541b-9395-48a3-4833-5b9ff8409224
status: experimental
description: Detects possible DLL hijacking of fltlib.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fltlib.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\fltlib.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of framedynos.dll
id: 3078281b-2028-48a3-1241-5b9ff8675877
status: experimental
description: Detects possible DLL hijacking of framedynos.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/framedynos.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\framedynos.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of fveapi.dll
id: 5417731b-9395-48a3-4833-5b9ff8562990
status: experimental
description: Detects possible DLL hijacking of fveapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fveapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\fveapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of fveskybackup.dll
id: 2269371b-2028-48a3-1241-5b9ff8428747
status: experimental
description: Detects possible DLL hijacking of fveskybackup.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fveskybackup.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\fveskybackup.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of fvewiz.dll
id: 5167581b-2028-48a3-1241-5b9ff8486388
status: experimental
description: Detects possible DLL hijacking of fvewiz.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fvewiz.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\fvewiz.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of fwbase.dll
id: 2178701b-9395-48a3-4833-5b9ff8390924
status: experimental
description: Detects possible DLL hijacking of fwbase.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fwbase.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\fwbase.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of fwcfg.dll
id: 3218181b-9395-48a3-4833-5b9ff8483469
status: experimental
description: Detects possible DLL hijacking of fwcfg.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fwcfg.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\fwcfg.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of fwpolicyiomgr.dll
id: 1957181b-9395-48a3-4833-5b9ff8172653
status: experimental
description: Detects possible DLL hijacking of fwpolicyiomgr.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fwpolicyiomgr.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\fwpolicyiomgr.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of fwpuclnt.dll
id: 7259711b-9395-48a3-4833-5b9ff8405123
status: experimental
description: Detects possible DLL hijacking of fwpuclnt.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fwpuclnt.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\fwpuclnt.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of fxsapi.dll
id: 6908811b-9395-48a3-4833-5b9ff8134207
status: experimental
description: Detects possible DLL hijacking of fxsapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fxsapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\fxsapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\system32\driverstore\filerepository\prnms002.inf_*\amd64\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of fxsst.dll
id: 3970841b-9395-48a3-4833-5b9ff8208325
status: experimental
description: Detects possible DLL hijacking of fxsst.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fxsst.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\fxsst.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of fxstiff.dll
id: 3206571b-9395-48a3-4833-5b9ff8375862
status: experimental
description: Detects possible DLL hijacking of fxstiff.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/fxstiff.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\fxstiff.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\system32\driverstore\filerepository\prnms002.inf_*\amd64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of getuname.dll
id: 5568751b-9395-48a3-4833-5b9ff8246438
status: experimental
description: Detects possible DLL hijacking of getuname.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/getuname.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\getuname.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of gpapi.dll
id: 9896981b-2028-48a3-1241-5b9ff8209774
status: experimental
description: Detects possible DLL hijacking of gpapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/gpapi.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\gpapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of hid.dll
id: 6846081b-9395-48a3-4833-5b9ff8599306
status: experimental
description: Detects possible DLL hijacking of hid.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/hid.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\hid.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of hnetmon.dll
id: 3471721b-9395-48a3-4833-5b9ff8184564
status: experimental
description: Detects possible DLL hijacking of hnetmon.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/hnetmon.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\hnetmon.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of httpapi.dll
id: 6146261b-9395-48a3-4833-5b9ff8117686
status: experimental
description: Detects possible DLL hijacking of httpapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/httpapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\httpapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of icmp.dll
id: 8888661b-7437-48a3-2115-5b9ff8103787
status: experimental
description: Detects possible DLL hijacking of icmp.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/icmp.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\icmp.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of idstore.dll
id: 7442221b-2897-48a3-6541-5b9ff8613529
status: experimental
description: Detects possible DLL hijacking of idstore.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/idstore.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\idstore.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of ieadvpack.dll
id: 4836071b-9395-48a3-4833-5b9ff8392813
status: experimental
description: Detects possible DLL hijacking of ieadvpack.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ieadvpack.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\ieadvpack.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of iedkcs32.dll
id: 1841571b-9395-48a3-4833-5b9ff8456937
status: experimental
description: Detects possible DLL hijacking of iedkcs32.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/iedkcs32.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\iedkcs32.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of iernonce.dll
id: 8055051b-8657-48a3-9976-5b9ff8164533
status: experimental
description: Detects possible DLL hijacking of iernonce.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/iernonce.html
author: "Wietze Beukema"
date: 2024-01-11
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\iernonce.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of iertutil.dll
id: 9799891b-9395-48a3-4833-5b9ff8106885
status: experimental
description: Detects possible DLL hijacking of iertutil.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/iertutil.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\iertutil.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of ifmon.dll
id: 3414861b-9395-48a3-4833-5b9ff8764534
status: experimental
description: Detects possible DLL hijacking of ifmon.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ifmon.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\ifmon.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of ifsutil.dll
id: 5896391b-2028-48a3-1241-5b9ff8689220
status: experimental
description: Detects possible DLL hijacking of ifsutil.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ifsutil.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\ifsutil.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of inproclogger.dll
id: 6833741b-9395-48a3-4833-5b9ff8705863
status: experimental
description: Detects possible DLL hijacking of inproclogger.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/inproclogger.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\inproclogger.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of iphlpapi.dll
id: 8022121b-9395-48a3-4833-5b9ff8290114
status: experimental
description: Detects possible DLL hijacking of iphlpapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/iphlpapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574
    - attack.T1574.001
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\iphlpapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of iri.dll
id: 8237041b-9395-48a3-4833-5b9ff8607678
status: experimental
description: Detects possible DLL hijacking of iri.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/iri.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\iri.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of iscsidsc.dll
id: 9216591b-9395-48a3-4833-5b9ff8195926
status: experimental
description: Detects possible DLL hijacking of iscsidsc.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/iscsidsc.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\iscsidsc.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of iscsiexe.dll
id: 9451791b-9943-48a3-1235-5b9ff8225239
status: experimental
description: Detects possible DLL hijacking of iscsiexe.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/iscsiexe.html
author: "Wietze Beukema"
date: 2023-05-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\iscsiexe.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of iscsium.dll
id: 4878471b-9395-48a3-4833-5b9ff8627657
status: experimental
description: Detects possible DLL hijacking of iscsium.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/iscsium.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\iscsium.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of isv.exe_rsaenh.dll
id: 2823561b-2897-48a3-6541-5b9ff8886240
status: experimental
description: Detects possible DLL hijacking of isv.exe_rsaenh.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/isv.exe_rsaenh.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\isv.exe_rsaenh.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of iumbase.dll
id: 4934851b-9395-48a3-4833-5b9ff8496726
status: experimental
description: Detects possible DLL hijacking of iumbase.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/iumbase.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\iumbase.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of iumsdk.dll
id: 5717571b-2028-48a3-1241-5b9ff8424484
status: experimental
description: Detects possible DLL hijacking of iumsdk.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/iumsdk.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\iumsdk.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of joinutil.dll
id: 4591101b-9395-48a3-4833-5b9ff8643242
status: experimental
description: Detects possible DLL hijacking of joinutil.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/joinutil.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\joinutil.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of kdstub.dll
id: 5724121b-9395-48a3-4833-5b9ff8416715
status: experimental
description: Detects possible DLL hijacking of kdstub.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/kdstub.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\kdstub.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of ksuser.dll
id: 3683681b-9395-48a3-4833-5b9ff8421205
status: experimental
description: Detects possible DLL hijacking of ksuser.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ksuser.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\ksuser.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of ktmw32.dll
id: 5862131b-9395-48a3-4833-5b9ff8477254
status: experimental
description: Detects possible DLL hijacking of ktmw32.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ktmw32.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\ktmw32.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of licensemanagerapi.dll
id: 8594651b-9395-48a3-4833-5b9ff8882646
status: experimental
description: Detects possible DLL hijacking of licensemanagerapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/licensemanagerapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\licensemanagerapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of licensingdiagspp.dll
id: 5430351b-2897-48a3-6541-5b9ff8974142
status: experimental
description: Detects possible DLL hijacking of licensingdiagspp.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/licensingdiagspp.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\licensingdiagspp.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of linkinfo.dll
id: 2001401b-9395-48a3-4833-5b9ff8317389
status: experimental
description: Detects possible DLL hijacking of linkinfo.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/linkinfo.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\linkinfo.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of loadperf.dll
id: 2982231b-9395-48a3-4833-5b9ff8208198
status: experimental
description: Detects possible DLL hijacking of loadperf.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/loadperf.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\loadperf.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of lockhostingframework.dll
id: 5122861b-7437-48a3-2115-5b9ff8275215
status: experimental
description: Detects possible DLL hijacking of lockhostingframework.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/lockhostingframework.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\lockhostingframework.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of logoncli.dll
id: 6980411b-9395-48a3-4833-5b9ff8802481
status: experimental
description: Detects possible DLL hijacking of logoncli.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/logoncli.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\logoncli.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely.
This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of logoncontroller.dll id: 5806961b-2897-48a3-6541-5b9ff8278181 status: experimental description: Detects possible DLL hijacking of logoncontroller.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/logoncontroller.html author: "Wietze Beukema" date: 2022-05-21 tags: - attack.defense_evasion - attack.T1574 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\logoncontroller.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of lpksetupproxyserv.dll id: 6072271b-2897-48a3-6541-5b9ff8638573 status: experimental description: Detects possible DLL hijacking of lpksetupproxyserv.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/lpksetupproxyserv.html author: "Wietze Beukema" date: 2022-05-21 tags: - attack.defense_evasion - attack.T1574 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\lpksetupproxyserv.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of lrwizdll.dll id: 4952171b-7437-48a3-2115-5b9ff8232921 status: experimental description: Detects possible DLL hijacking of lrwizdll.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/lrwizdll.html author: "Chris Spehn" date: 2021-08-17 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\lrwizdll.dll' filter: ImageLoaded: - 'c:\windows\system32\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of magnification.dll id: 2872261b-9395-48a3-4833-5b9ff8391268 status: experimental description: Detects possible DLL hijacking of magnification.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/magnification.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\magnification.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of maintenanceui.dll id: 4682161b-9395-48a3-4833-5b9ff8694207 status: experimental description: Detects possible DLL hijacking of maintenanceui.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/maintenanceui.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\maintenanceui.dll' filter: ImageLoaded: - 'c:\windows\system32\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. 
--- title: Possible DLL Hijacking of mapistub.dll id: 5726671b-9395-48a3-4833-5b9ff8112443 status: experimental description: Detects possible DLL hijacking of mapistub.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/mapistub.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\mapistub.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of mbaexmlparser.dll id: 9687191b-7437-48a3-2115-5b9ff8871207 status: experimental description: Detects possible DLL hijacking of mbaexmlparser.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/mbaexmlparser.html author: "Chris Spehn" date: 2021-08-17 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\mbaexmlparser.dll' filter: ImageLoaded: - 'c:\windows\system32\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of mdmdiagnostics.dll id: 4508101b-9395-48a3-4833-5b9ff8964655 status: experimental description: Detects possible DLL hijacking of mdmdiagnostics.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/mdmdiagnostics.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\mdmdiagnostics.dll' filter: ImageLoaded: - 'c:\windows\system32\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of mfc42u.dll id: 6481581b-2028-48a3-1241-5b9ff8565884 status: experimental description: Detects possible DLL hijacking of mfc42u.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/mfc42u.html author: "Chris Spehn" date: 2021-08-16 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\mfc42u.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of mfcore.dll id: 3688631b-9395-48a3-4833-5b9ff8571735 status: experimental description: Detects possible DLL hijacking of mfcore.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/mfcore.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\mfcore.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. 
--- title: Possible DLL Hijacking of mfplat.dll id: 4567291b-9395-48a3-4833-5b9ff8773722 status: experimental description: Detects possible DLL hijacking of mfplat.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/mfplat.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\mfplat.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of mi.dll id: 2438451b-9395-48a3-4833-5b9ff8526320 status: experimental description: Detects possible DLL hijacking of mi.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/mi.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\mi.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of microsoft.ui.xaml.xamltypeinfo.dll id: 3584231b-7740-48a3-2257-5b9ff8497102 status: experimental description: Detects possible DLL hijacking of microsoft.ui.xaml.xamltypeinfo.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/microsoft.ui.xaml.xamltypeinfo.html author: "Wietze Beukema" date: 2023-04-03 tags: - attack.defense_evasion - attack.T1574.001 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\microsoft.ui.xaml.xamltypeinfo.dll' condition: selection falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of midimap.dll id: 8023581b-9395-48a3-4833-5b9ff8761785 status: experimental description: Detects possible DLL hijacking of midimap.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/midimap.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\midimap.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of mintdh.dll id: 5785241b-9395-48a3-4833-5b9ff8239019 status: experimental description: Detects possible DLL hijacking of mintdh.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/mintdh.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\mintdh.dll' filter: ImageLoaded: - 'c:\windows\system32\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. 
--- title: Possible DLL Hijacking of miutils.dll id: 4372051b-9395-48a3-4833-5b9ff8945538 status: experimental description: Detects possible DLL hijacking of miutils.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/miutils.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\miutils.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of mlang.dll id: 7322741b-9395-48a3-4833-5b9ff8221874 status: experimental description: Detects possible DLL hijacking of mlang.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/mlang.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574 - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\mlang.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of mmdevapi.dll id: 9558471b-9395-48a3-4833-5b9ff8992542 status: experimental description: Detects possible DLL hijacking of mmdevapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/mmdevapi.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574 - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\mmdevapi.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of mobilenetworking.dll id: 9171711b-9395-48a3-4833-5b9ff8331119 status: experimental description: Detects possible DLL hijacking of mobilenetworking.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/mobilenetworking.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\mobilenetworking.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of mpclient.dll id: 9533391b-5388-48a3-9769-5b9ff8396239 status: experimental description: Detects possible DLL hijacking of mpclient.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/mpclient.html author: "Wietze Beukema" date: 2022-08-01 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\mpclient.dll' filter: ImageLoaded: - 'c:\program files\Windows Defender\*' - 'c:\program files (x86)\Windows Defender\*' - 'c:\programdata\Microsoft\Windows Defender\Platform\*\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of mpr.dll id: 9888071b-2897-48a3-6541-5b9ff8877061 status: experimental description: Detects possible DLL hijacking of mpr.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/mpr.html author: "Wietze Beukema" date: 2022-05-21 tags: - attack.defense_evasion - attack.T1574 - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\mpr.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of mprapi.dll id: 9799431b-9395-48a3-4833-5b9ff8574714 status: experimental description: Detects possible DLL hijacking of mprapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/mprapi.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\mprapi.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of mpsvc.dll id: 9492751b-1313-48a3-6160-5b9ff8899459 status: experimental description: Detects possible DLL hijacking of mpsvc.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html author: "Wietze Beukema" date: 2021-12-07 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\mpsvc.dll' filter: ImageLoaded: - 'c:\programdata\Microsoft\Windows Defender\Platform\*\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of mrmcorer.dll id: 8933341b-9395-48a3-4833-5b9ff8482255 status: experimental description: Detects possible DLL hijacking of mrmcorer.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/mrmcorer.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\mrmcorer.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. 
--- title: Possible DLL Hijacking of msacm32.dll id: 3369641b-9395-48a3-4833-5b9ff8580297 status: experimental description: Detects possible DLL hijacking of msacm32.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/msacm32.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\msacm32.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of mscms.dll id: 1778041b-9395-48a3-4833-5b9ff8170436 status: experimental description: Detects possible DLL hijacking of mscms.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/mscms.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\mscms.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of mscoree.dll id: 4677681b-9395-48a3-4833-5b9ff8985242 status: experimental description: Detects possible DLL hijacking of mscoree.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/mscoree.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\mscoree.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of mscorsvc.dll id: 4602001b-4150-48a3-8413-5b9ff8132122 status: experimental description: Detects possible DLL hijacking of mscorsvc.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html author: "Wietze Beukema" date: 2023-04-04 tags: - attack.defense_evasion - attack.T1574.001 - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\mscorsvc.dll' filter: ImageLoaded: - 'c:\windows\Microsoft.NET\Framework\v*\*' - 'c:\windows\Microsoft.NET\Framework64\v*\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of msctf.dll id: 7893481b-2897-48a3-6541-5b9ff8843696 status: experimental description: Detects possible DLL hijacking of msctf.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/msctf.html author: "Wietze Beukema" date: 2022-05-21 tags: - attack.defense_evasion - attack.T1574 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\msctf.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. 
This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of msctfmonitor.dll id: 5674011b-9395-48a3-4833-5b9ff8138318 status: experimental description: Detects possible DLL hijacking of msctfmonitor.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/msctfmonitor.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\msctfmonitor.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of msdrm.dll id: 5775841b-9395-48a3-4833-5b9ff8407709 status: experimental description: Detects possible DLL hijacking of msdrm.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/msdrm.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\msdrm.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of msdtctm.dll id: 4236131b-9395-48a3-4833-5b9ff8148557 status: experimental description: Detects possible DLL hijacking of msdtctm.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/msdtctm.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\msdtctm.dll' filter: ImageLoaded: - 'c:\windows\system32\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of msftedit.dll id: 4461591b-9395-48a3-4833-5b9ff8468462 status: experimental description: Detects possible DLL hijacking of msftedit.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/msftedit.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.001 - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\msftedit.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of msi.dll id: 7601441b-9395-48a3-4833-5b9ff8160815 status: experimental description: Detects possible DLL hijacking of msi.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/msi.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\msi.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. 
---
title: Possible DLL Hijacking of msiso.dll
id: 4875421b-2028-48a3-1241-5b9ff8636274
status: experimental
description: Detects possible DLL hijacking of msiso.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/msiso.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\msiso.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of mstracer.dll
id: 2382211b-6722-48a3-2305-5b9ff8323341
status: experimental
description: Detects possible DLL hijacking of mstracer.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mstracer.html
author: "Wietze Beukema"
date: 2021-12-08
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\mstracer.dll'
    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of msutb.dll
id: 5880291b-9395-48a3-4833-5b9ff8438593
status: experimental
description: Detects possible DLL hijacking of msutb.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/msutb.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\msutb.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of msvcp110_win.dll
id: 6028651b-2028-48a3-1241-5b9ff8511578
status: experimental
description: Detects possible DLL hijacking of msvcp110_win.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/msvcp110_win.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\msvcp110_win.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of msvcr100.dll
id: 9408691b-2326-48a3-2877-5b9ff8663725
status: experimental
description: Detects possible DLL hijacking of msvcr100.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/msvcr100.html
author: "Wietze Beukema"
date: 2022-09-26
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\msvcr100.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of mswb7.dll
id: 7172101b-2897-48a3-6541-5b9ff8659678
status: experimental
description: Detects possible DLL hijacking of mswb7.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mswb7.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\mswb7.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of mswsock.dll
id: 1980311b-2897-48a3-6541-5b9ff8496444
status: experimental
description: Detects possible DLL hijacking of mswsock.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mswsock.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\mswsock.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of msxml3.dll
id: 8921941b-2897-48a3-6541-5b9ff8888889
status: experimental
description: Detects possible DLL hijacking of msxml3.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/msxml3.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\msxml3.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of mtxclu.dll
id: 4477141b-9395-48a3-4833-5b9ff8677703
status: experimental
description: Detects possible DLL hijacking of mtxclu.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mtxclu.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\mtxclu.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of napinsp.dll
id: 9038111b-2897-48a3-6541-5b9ff8343376
status: experimental
description: Detects possible DLL hijacking of napinsp.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/napinsp.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\napinsp.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of ncrypt.dll
id: 8195021b-2897-48a3-6541-5b9ff8899931
status: experimental
description: Detects possible DLL hijacking of ncrypt.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ncrypt.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\ncrypt.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of ndfapi.dll
id: 6612641b-9395-48a3-4833-5b9ff8882182
status: experimental
description: Detects possible DLL hijacking of ndfapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ndfapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\ndfapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of netapi32.dll
id: 2953081b-2028-48a3-1241-5b9ff8485289
status: experimental
description: Detects possible DLL hijacking of netapi32.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/netapi32.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\netapi32.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of netid.dll
id: 5323451b-9395-48a3-4833-5b9ff8186832
status: experimental
description: Detects possible DLL hijacking of netid.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/netid.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\netid.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of netiohlp.dll
id: 8644651b-9395-48a3-4833-5b9ff8157699
status: experimental
description: Detects possible DLL hijacking of netiohlp.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/netiohlp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\netiohlp.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of netjoin.dll
id: 4164141b-7437-48a3-2115-5b9ff8974358
status: experimental
description: Detects possible DLL hijacking of netjoin.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/netjoin.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\netjoin.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of netplwiz.dll
id: 7258321b-9395-48a3-4833-5b9ff8899216
status: experimental
description: Detects possible DLL hijacking of netplwiz.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/netplwiz.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\netplwiz.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of netprofm.dll
id: 8642451b-2897-48a3-6541-5b9ff8920546
status: experimental
description: Detects possible DLL hijacking of netprofm.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/netprofm.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\netprofm.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of netprovfw.dll
id: 2882371b-2028-48a3-1241-5b9ff8545285
status: experimental
description: Detects possible DLL hijacking of netprovfw.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/netprovfw.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\netprovfw.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of netsetupapi.dll
id: 4746271b-2897-48a3-6541-5b9ff8795946
status: experimental
description: Detects possible DLL hijacking of netsetupapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/netsetupapi.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\netsetupapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of netshell.dll
id: 5892861b-9395-48a3-4833-5b9ff8548121
status: experimental
description: Detects possible DLL hijacking of netshell.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/netshell.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\netshell.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of nettrace.dll
id: 8579311b-9395-48a3-4833-5b9ff8870700
status: experimental
description: Detects possible DLL hijacking of nettrace.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/nettrace.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\nettrace.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of netutils.dll
id: 8141061b-9395-48a3-4833-5b9ff8434368
status: experimental
description: Detects possible DLL hijacking of netutils.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/netutils.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\netutils.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of networkexplorer.dll
id: 3761741b-2897-48a3-6541-5b9ff8877288
status: experimental
description: Detects possible DLL hijacking of networkexplorer.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/networkexplorer.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\networkexplorer.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of newdev.dll
id: 2481971b-9395-48a3-4833-5b9ff8913405
status: experimental
description: Detects possible DLL hijacking of newdev.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/newdev.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\newdev.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of ninput.dll
id: 5562331b-9395-48a3-4833-5b9ff8514841
status: experimental
description: Detects possible DLL hijacking of ninput.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ninput.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\ninput.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of nlaapi.dll
id: 4359561b-9395-48a3-4833-5b9ff8911170
status: experimental
description: Detects possible DLL hijacking of nlaapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/nlaapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\nlaapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of nlansp_c.dll
id: 6274251b-2897-48a3-6541-5b9ff8652244
status: experimental
description: Detects possible DLL hijacking of nlansp_c.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/nlansp_c.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\nlansp_c.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of npmproxy.dll
id: 4779591b-2897-48a3-6541-5b9ff8548761
status: experimental
description: Detects possible DLL hijacking of npmproxy.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/npmproxy.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\npmproxy.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of nshhttp.dll
id: 7933991b-9395-48a3-4833-5b9ff8291887
status: experimental
description: Detects possible DLL hijacking of nshhttp.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/nshhttp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\nshhttp.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of nshipsec.dll
id: 4129421b-9395-48a3-4833-5b9ff8694400
status: experimental
description: Detects possible DLL hijacking of nshipsec.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/nshipsec.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\nshipsec.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of nshwfp.dll
id: 6132851b-9395-48a3-4833-5b9ff8118977
status: experimental
description: Detects possible DLL hijacking of nshwfp.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/nshwfp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\nshwfp.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of ntdsapi.dll
id: 2314551b-9395-48a3-4833-5b9ff8222141
status: experimental
description: Detects possible DLL hijacking of ntdsapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ntdsapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\ntdsapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of ntlanman.dll
id: 2754311b-2897-48a3-6541-5b9ff8624493
status: experimental
description: Detects possible DLL hijacking of ntlanman.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ntlanman.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\ntlanman.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of ntlmshared.dll
id: 5500121b-9395-48a3-4833-5b9ff8568481
status: experimental
description: Detects possible DLL hijacking of ntlmshared.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ntlmshared.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\ntlmshared.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of ntmarta.dll
id: 5456731b-3713-48a3-9900-5b9ff8286100
status: experimental
description: Detects possible DLL hijacking of ntmarta.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ntmarta.html
author: "Wietze Beukema"
date: 2022-08-14
tags:
    - attack.defense_evasion
    - attack.T1574
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\ntmarta.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of ntshrui.dll
id: 7303341b-2897-48a3-6541-5b9ff8879948
status: experimental
description: Detects possible DLL hijacking of ntshrui.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ntshrui.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\ntshrui.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of oci.dll
id: 4360571b-4908-48a3-8140-5b9ff8970133
status: experimental
description: Detects possible DLL hijacking of oci.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/oci.html
author: "Wietze Beukema"
date: 2022-06-12
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\oci.dll'
    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of oleacc.dll
id: 4926791b-9395-48a3-4833-5b9ff8124348
status: experimental
description: Detects possible DLL hijacking of oleacc.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/oleacc.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\oleacc.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of omadmapi.dll
id: 8004201b-9395-48a3-4833-5b9ff8554255
status: experimental
description: Detects possible DLL hijacking of omadmapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/omadmapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\omadmapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of onex.dll
id: 6495401b-9395-48a3-4833-5b9ff8535080
status: experimental
description: Detects possible DLL hijacking of onex.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/onex.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\onex.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of opcservices.dll
id: 7156181b-7437-48a3-2115-5b9ff8456979
status: experimental
description: Detects possible DLL hijacking of opcservices.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/opcservices.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\opcservices.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of osbaseln.dll
id: 4838061b-9395-48a3-4833-5b9ff8462420
status: experimental
description: Detects possible DLL hijacking of osbaseln.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/osbaseln.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\osbaseln.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of osksupport.dll
id: 3923771b-9395-48a3-4833-5b9ff8986010
status: experimental
description: Detects possible DLL hijacking of osksupport.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/osksupport.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\osksupport.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of osuninst.dll
id: 1994011b-9395-48a3-4833-5b9ff8574476
status: experimental
description: Detects possible DLL hijacking of osuninst.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/osuninst.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\osuninst.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of p2p.dll
id: 1363061b-9395-48a3-4833-5b9ff8896292
status: experimental
description: Detects possible DLL hijacking of p2p.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/p2p.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\p2p.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of p2pnetsh.dll
id: 9775131b-9395-48a3-4833-5b9ff8244839
status: experimental
description: Detects possible DLL hijacking of p2pnetsh.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/p2pnetsh.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\p2pnetsh.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of p9np.dll
id: 7018841b-2897-48a3-6541-5b9ff8360207
status: experimental
description: Detects possible DLL hijacking of p9np.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/p9np.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\p9np.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of pcaui.dll
id: 8818921b-9395-48a3-4833-5b9ff8984545
status: experimental
description: Detects possible DLL hijacking of pcaui.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/pcaui.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\pcaui.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of pdh.dll
id: 1939331b-9395-48a3-4833-5b9ff8502559
status: experimental
description: Detects possible DLL hijacking of pdh.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/pdh.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\pdh.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of peerdistsh.dll
id: 3482931b-9395-48a3-4833-5b9ff8816370
status: experimental
description: Detects possible DLL hijacking of peerdistsh.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/peerdistsh.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\peerdistsh.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of pkeyhelper.dll
id: 1205471b-7437-48a3-2115-5b9ff8209035
status: experimental
description: Detects possible DLL hijacking of pkeyhelper.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/pkeyhelper.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\pkeyhelper.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of pla.dll
id: 2941911b-2897-48a3-6541-5b9ff8972273
status: experimental
description: Detects possible DLL hijacking of pla.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/pla.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\pla.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of playsndsrv.dll
id: 8132181b-7437-48a3-2115-5b9ff8908985
status: experimental
description: Detects possible DLL hijacking of playsndsrv.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/playsndsrv.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\playsndsrv.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of pnrpnsp.dll
id: 6771031b-2897-48a3-6541-5b9ff8569570
status: experimental
description: Detects possible DLL hijacking of pnrpnsp.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/pnrpnsp.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\pnrpnsp.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of policymanager.dll
id: 7392461b-9395-48a3-4833-5b9ff8923886
status: experimental
description: Detects possible DLL hijacking of policymanager.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/policymanager.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\policymanager.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of polstore.dll
id: 1956831b-9395-48a3-4833-5b9ff8743827
status: experimental
description: Detects possible DLL hijacking of polstore.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/polstore.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\polstore.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of powrprof.dll
id: 1716071b-2028-48a3-1241-5b9ff8719382
status: experimental
description: Detects possible DLL hijacking of powrprof.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/powrprof.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\powrprof.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of printui.dll
id: 3384161b-9395-48a3-4833-5b9ff8721852
status: experimental
description: Detects possible DLL hijacking of printui.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/printui.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\printui.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of prntvpt.dll
id: 4968091b-7437-48a3-2115-5b9ff8372638
status: experimental
description: Detects possible DLL hijacking of prntvpt.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/prntvpt.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\prntvpt.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of profapi.dll
id: 3508431b-2028-48a3-1241-5b9ff8610394
status: experimental
description: Detects possible DLL hijacking of profapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/profapi.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\profapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of propsys.dll
id: 8128111b-9395-48a3-4833-5b9ff8867829
status: experimental
description: Detects possible DLL hijacking of propsys.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/propsys.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\propsys.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of proximitycommon.dll
id: 5439991b-7437-48a3-2115-5b9ff8325058
status: experimental
description: Detects possible DLL hijacking of proximitycommon.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/proximitycommon.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\proximitycommon.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of proximityservicepal.dll
id: 9554351b-7437-48a3-2115-5b9ff8177990
status: experimental
description: Detects possible DLL hijacking of proximityservicepal.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/proximityservicepal.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\proximityservicepal.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of prvdmofcomp.dll
id: 5225471b-9395-48a3-4833-5b9ff8834519
status: experimental
description: Detects possible DLL hijacking of prvdmofcomp.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/prvdmofcomp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\prvdmofcomp.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of puiapi.dll
id: 7492781b-9395-48a3-4833-5b9ff8674631
status: experimental
description: Detects possible DLL hijacking of puiapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/puiapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\puiapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of radcui.dll
id: 3291591b-9395-48a3-4833-5b9ff8152241
status: experimental
description: Detects possible DLL hijacking of radcui.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/radcui.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\radcui.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of rasapi32.dll
id: 7029571b-9395-48a3-4833-5b9ff8188353
status: experimental
description: Detects possible DLL hijacking of rasapi32.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/rasapi32.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\rasapi32.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of rasdlg.dll
id: 5824041b-7437-48a3-2115-5b9ff8643360
status: experimental
description: Detects possible DLL hijacking of rasdlg.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/rasdlg.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\rasdlg.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of rasgcw.dll
id: 1106251b-2897-48a3-6541-5b9ff8180981
status: experimental
description: Detects possible DLL hijacking of rasgcw.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/rasgcw.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\rasgcw.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of rasman.dll
id: 9185721b-9395-48a3-4833-5b9ff8893528
status: experimental
description: Detects possible DLL hijacking of rasman.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/rasman.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\rasman.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of rasmontr.dll
id: 4755461b-9395-48a3-4833-5b9ff8259634
status: experimental
description: Detects possible DLL hijacking of rasmontr.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/rasmontr.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\rasmontr.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of reagent.dll
id: 1644151b-9395-48a3-4833-5b9ff8380641
status: experimental
description: Detects possible DLL hijacking of reagent.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/reagent.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\reagent.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of regapi.dll
id: 4345611b-9395-48a3-4833-5b9ff8405131
status: experimental
description: Detects possible DLL hijacking of regapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/regapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\regapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of reseteng.dll
id: 3058011b-9395-48a3-4833-5b9ff8303587
status: experimental
description: Detects possible DLL hijacking of reseteng.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/reseteng.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\reseteng.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of resetengine.dll
id: 9661541b-9395-48a3-4833-5b9ff8626915
status: experimental
description: Detects possible DLL hijacking of resetengine.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/resetengine.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\resetengine.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of resutils.dll
id: 8394751b-9395-48a3-4833-5b9ff8276388
status: experimental
description: Detects possible DLL hijacking of resutils.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/resutils.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\resutils.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of rjvplatform.dll
id: 6261941b-5254-48a3-5583-5b9ff8626931
status: experimental
description: Detects possible DLL hijacking of rjvplatform.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/rjvplatform.html
author: "Wietze Beukema"
date: 2023-07-28
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\rjvplatform.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\SystemResetPlatform\*'
            - 'c:\windows\syswow64\SystemResetPlatform\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of rmclient.dll
id: 6915861b-9395-48a3-4833-5b9ff8457689
status: experimental
description: Detects possible DLL hijacking of rmclient.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/rmclient.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\rmclient.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of rpcnsh.dll
id: 3369511b-9395-48a3-4833-5b9ff8458162
status: experimental
description: Detects possible DLL hijacking of rpcnsh.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/rpcnsh.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\rpcnsh.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of rsaenh.dll
id: 3648981b-2897-48a3-6541-5b9ff8610680
status: experimental
description: Detects possible DLL hijacking of rsaenh.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/rsaenh.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\rsaenh.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of rtutils.dll
id: 6944611b-9395-48a3-4833-5b9ff8468344
status: experimental
description: Detects possible DLL hijacking of rtutils.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/rtutils.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\rtutils.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of rtworkq.dll
id: 4188041b-9395-48a3-4833-5b9ff8867951
status: experimental
description: Detects possible DLL hijacking of rtworkq.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/rtworkq.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\rtworkq.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of samcli.dll
id: 4075961b-9395-48a3-4833-5b9ff8868674
status: experimental
description: Detects possible DLL hijacking of samcli.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/samcli.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\samcli.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of samlib.dll
id: 4466811b-9395-48a3-4833-5b9ff8872657
status: experimental
description: Detects possible DLL hijacking of samlib.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/samlib.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\samlib.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of sapi_onecore.dll
id: 5228501b-2897-48a3-6541-5b9ff8998132
status: experimental
description: Detects possible DLL hijacking of sapi_onecore.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/sapi_onecore.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\sapi_onecore.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of sas.dll
id: 2951921b-9395-48a3-4833-5b9ff8531921
status: experimental
description: Detects possible DLL hijacking of sas.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/sas.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\sas.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of scansetting.dll
id: 4223441b-9395-48a3-4833-5b9ff8826288
status: experimental
description: Detects possible DLL hijacking of scansetting.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/scansetting.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\scansetting.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of scecli.dll
id: 1109171b-9395-48a3-4833-5b9ff8866372
status: experimental
description: Detects possible DLL hijacking of scecli.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/scecli.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\scecli.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of schedcli.dll
id: 5125291b-9395-48a3-4833-5b9ff8315305
status: experimental
description: Detects possible DLL hijacking of schedcli.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/schedcli.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\schedcli.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of secur32.dll
id: 2562371b-9395-48a3-4833-5b9ff8849289
status: experimental
description: Detects possible DLL hijacking of secur32.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/secur32.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\secur32.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of security.dll
id: 6494951b-7437-48a3-2115-5b9ff8999681
status: experimental
description: Detects possible DLL hijacking of security.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/security.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\security.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of sensapi.dll
id: 6628911b-8844-48a3-7027-5b9ff8114518
status: experimental
description: Detects possible DLL hijacking of sensapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/sensapi.html
author: "Wietze Beukema"
date: 2023-07-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\sensapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of shell32.dll
id: 6437561b-2897-48a3-6541-5b9ff8263204
status: experimental
description: Detects possible DLL hijacking of shell32.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/shell32.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\shell32.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of shellchromeapi.dll
id: 8858351b-5254-48a3-5583-5b9ff8382261
status: experimental
description: Detects possible DLL hijacking of shellchromeapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/shellchromeapi.html
author: "Wietze Beukema"
date: 2023-07-28
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\shellchromeapi.dll'
    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of slc.dll
id: 1700061b-9395-48a3-4833-5b9ff8708144
status: experimental
description: Detects possible DLL hijacking of slc.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/slc.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\slc.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of snmpapi.dll
id: 1126331b-9395-48a3-4833-5b9ff8788210
status: experimental
description: Detects possible DLL hijacking of snmpapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/snmpapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\snmpapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of spectrumsyncclient.dll
id: 8397121b-9395-48a3-4833-5b9ff8703005
status: experimental
description: Detects possible DLL hijacking of spectrumsyncclient.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/spectrumsyncclient.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\spectrumsyncclient.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of spp.dll
id: 9165161b-9395-48a3-4833-5b9ff8477387
status: experimental
description: Detects possible DLL hijacking of spp.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/spp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\spp.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of sppc.dll
id: 9555991b-9395-48a3-4833-5b9ff8462580
status: experimental
description: Detects possible DLL hijacking of sppc.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/sppc.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\sppc.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of sppcext.dll
id: 7163081b-7437-48a3-2115-5b9ff8188515
status: experimental
description: Detects possible DLL hijacking of sppcext.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/sppcext.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\sppcext.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of srclient.dll
id: 3470371b-9395-48a3-4833-5b9ff8716237
status: experimental
description: Detects possible DLL hijacking of srclient.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/srclient.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\srclient.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of srcore.dll
id: 2458001b-9395-48a3-4833-5b9ff8893565
status: experimental
description: Detects possible DLL hijacking of srcore.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/srcore.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\srcore.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of srmtrace.dll
id: 2335271b-2028-48a3-1241-5b9ff8293282
status: experimental
description: Detects possible DLL hijacking of srmtrace.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/srmtrace.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\srmtrace.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of srpapi.dll
id: 6353941b-9395-48a3-4833-5b9ff8833262
status: experimental
description: Detects possible DLL hijacking of srpapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/srpapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\srpapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of srvcli.dll
id: 4595201b-9395-48a3-4833-5b9ff8895196
status: experimental
description: Detects possible DLL hijacking of srvcli.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/srvcli.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\srvcli.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of ssp.exe_rsaenh.dll
id: 5591741b-2897-48a3-6541-5b9ff8928877
status: experimental
description: Detects possible DLL hijacking of ssp.exe_rsaenh.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ssp.exe_rsaenh.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\ssp.exe_rsaenh.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of ssp_isv.exe_rsaenh.dll
id: 1836521b-2897-48a3-6541-5b9ff8240435
status: experimental
description: Detects possible DLL hijacking of ssp_isv.exe_rsaenh.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ssp_isv.exe_rsaenh.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\ssp_isv.exe_rsaenh.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of sspicli.dll
id: 7913461b-9395-48a3-4833-5b9ff8803930
status: experimental
description: Detects possible DLL hijacking of sspicli.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/sspicli.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\sspicli.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of ssshim.dll
id: 6777391b-5805-48a3-6769-5b9ff8479266
status: experimental
description: Detects possible DLL hijacking of ssshim.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ssshim.html
author: "Wietze Beukema"
date: 2021-02-28
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\ssshim.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of staterepository.core.dll
id: 7769311b-9395-48a3-4833-5b9ff8374855
status: experimental
description: Detects possible DLL hijacking of staterepository.core.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/staterepository.core.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\staterepository.core.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of structuredquery.dll
id: 8569671b-2897-48a3-6541-5b9ff8536157
status: experimental
description: Detects possible DLL hijacking of structuredquery.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/structuredquery.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\structuredquery.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of sxshared.dll
id: 7270661b-9395-48a3-4833-5b9ff8792659
status: experimental
description: Detects possible DLL hijacking of sxshared.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/sxshared.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\sxshared.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of systemsettingsthresholdadminflowui.dll
id: 7999811b-9395-48a3-4833-5b9ff8929845
status: experimental
description: Detects possible DLL hijacking of systemsettingsthresholdadminflowui.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/systemsettingsthresholdadminflowui.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\systemsettingsthresholdadminflowui.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of tapi32.dll
id: 7408931b-9395-48a3-4833-5b9ff8197469
status: experimental
description: Detects possible DLL hijacking of tapi32.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/tapi32.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\tapi32.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of tbs.dll
id: 7534321b-9395-48a3-4833-5b9ff8101505
status: experimental
description: Detects possible DLL hijacking of tbs.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/tbs.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\tbs.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of tdh.dll
id: 5605771b-9395-48a3-4833-5b9ff8826766
status: experimental
description: Detects possible DLL hijacking of tdh.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/tdh.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\tdh.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of textshaping.dll
id: 3832041b-2811-48a3-1599-5b9ff8887640
status: experimental
description: Detects possible DLL hijacking of textshaping.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/textshaping.html
author: "Gary Lobermier"
date: 2023-05-22
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\textshaping.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of timesync.dll
id: 2549441b-9395-48a3-4833-5b9ff8401541
status: experimental
description: Detects possible DLL hijacking of timesync.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/timesync.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\timesync.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of tpmcoreprovisioning.dll
id: 3136371b-7437-48a3-2115-5b9ff8720960
status: experimental
description: Detects possible DLL hijacking of tpmcoreprovisioning.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/tpmcoreprovisioning.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\tpmcoreprovisioning.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of tquery.dll
id: 3854911b-9395-48a3-4833-5b9ff8191969
status: experimental
description: Detects possible DLL hijacking of tquery.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/tquery.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\tquery.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of tsworkspace.dll
id: 1496791b-9395-48a3-4833-5b9ff8535767
status: experimental
description: Detects possible DLL hijacking of tsworkspace.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/tsworkspace.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\tsworkspace.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of ttdrecord.dll
id: 2046361b-9395-48a3-4833-5b9ff8257356
status: experimental
description: Detects possible DLL hijacking of ttdrecord.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/ttdrecord.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\ttdrecord.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of twext.dll
id: 4520371b-2897-48a3-6541-5b9ff8152644
status: experimental
description: Detects possible DLL hijacking of twext.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/twext.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\twext.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of twinapi.dll
id: 7311061b-2897-48a3-6541-5b9ff8416435
status: experimental
description: Detects possible DLL hijacking of twinapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/twinapi.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\twinapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of twinui.appcore.dll
id: 5172901b-2897-48a3-6541-5b9ff8190795
status: experimental
description: Detects possible DLL hijacking of twinui.appcore.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/twinui.appcore.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\twinui.appcore.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of uianimation.dll
id: 5746351b-2897-48a3-6541-5b9ff8719444
status: experimental
description: Detects possible DLL hijacking of uianimation.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/uianimation.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\uianimation.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of uiautomationcore.dll
id: 7937291b-9395-48a3-4833-5b9ff8692240
status: experimental
description: Detects possible DLL hijacking of uiautomationcore.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/uiautomationcore.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\uiautomationcore.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of uireng.dll
id: 3807691b-9395-48a3-4833-5b9ff8828729
status: experimental
description: Detects possible DLL hijacking of uireng.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/uireng.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\uireng.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of uiribbon.dll
id: 8242811b-2897-48a3-6541-5b9ff8344710
status: experimental
description: Detects possible DLL hijacking of uiribbon.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/uiribbon.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\uiribbon.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of umpdc.dll
id: 2716601b-2028-48a3-1241-5b9ff8227092
status: experimental
description: Detects possible DLL hijacking of umpdc.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/umpdc.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\umpdc.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of unattend.dll
id: 2167991b-7437-48a3-2115-5b9ff8535954
status: experimental
description: Detects possible DLL hijacking of unattend.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/unattend.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\unattend.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of updatepolicy.dll
id: 4486711b-9395-48a3-4833-5b9ff8668728
status: experimental
description: Detects possible DLL hijacking of updatepolicy.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/updatepolicy.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\updatepolicy.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of upshared.dll
id: 7075411b-9395-48a3-4833-5b9ff8955080
status: experimental
description: Detects possible DLL hijacking of upshared.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/upshared.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\upshared.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of urlmon.dll
id: 6609801b-2028-48a3-1241-5b9ff8468929
status: experimental
description: Detects possible DLL hijacking of urlmon.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/urlmon.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\urlmon.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of userenv.dll
id: 7304501b-9395-48a3-4833-5b9ff8185375
status: experimental
description: Detects possible DLL hijacking of userenv.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/userenv.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\userenv.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of utildll.dll
id: 3349101b-9395-48a3-4833-5b9ff8182946
status: experimental
description: Detects possible DLL hijacking of utildll.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/utildll.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\utildll.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of uxinit.dll
id: 2732531b-9395-48a3-4833-5b9ff8514787
status: experimental
description: Detects possible DLL hijacking of uxinit.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/uxinit.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\uxinit.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of uxtheme.dll
id: 9735281b-9395-48a3-4833-5b9ff8605722
status: experimental
description: Detects possible DLL hijacking of uxtheme.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/uxtheme.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.001
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\uxtheme.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of vaultcli.dll
id: 9577411b-9395-48a3-4833-5b9ff8786692
status: experimental
description: Detects possible DLL hijacking of vaultcli.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/vaultcli.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\vaultcli.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of vdsutil.dll
id: 6376581b-7437-48a3-2115-5b9ff8267815
status: experimental
description: Detects possible DLL hijacking of vdsutil.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/vdsutil.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\vdsutil.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of version.dll
id: 5631171b-2028-48a3-1241-5b9ff8902544
status: experimental
description: Detects possible DLL hijacking of version.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/version.html
author: "Chris Spehn"
date: 2021-08-16
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\version.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of virtdisk.dll
id: 2085831b-9395-48a3-4833-5b9ff8439462
status: experimental
description: Detects possible DLL hijacking of virtdisk.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/virtdisk.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\virtdisk.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of vssapi.dll
id: 8504661b-9395-48a3-4833-5b9ff8936947
status: experimental
description: Detects possible DLL hijacking of vssapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/vssapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\vssapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of vsstrace.dll
id: 2030141b-9395-48a3-4833-5b9ff8318649
status: experimental
description: Detects possible DLL hijacking of vsstrace.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/vsstrace.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\vsstrace.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
--- title: Possible DLL Hijacking of wbemprox.dll id: 5104701b-2897-48a3-6541-5b9ff8233233 status: experimental description: Detects possible DLL hijacking of wbemprox.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/wbemprox.html author: "Wietze Beukema" date: 2022-05-21 tags: - attack.defense_evasion - attack.T1574 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\wbemprox.dll' filter: ImageLoaded: - 'c:\windows\system32\wbem\*' - 'c:\windows\syswow64\wbem\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of wbemsvc.dll id: 6612901b-2897-48a3-6541-5b9ff8659258 status: experimental description: Detects possible DLL hijacking of wbemsvc.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/wbemsvc.html author: "Wietze Beukema" date: 2022-05-21 tags: - attack.defense_evasion - attack.T1574 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\wbemsvc.dll' filter: ImageLoaded: - 'c:\windows\system32\wbem\*' - 'c:\windows\syswow64\wbem\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of wcmapi.dll id: 6058971b-9395-48a3-4833-5b9ff8908639 status: experimental description: Detects possible DLL hijacking of wcmapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/wcmapi.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\wcmapi.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of wcnnetsh.dll id: 4601441b-9395-48a3-4833-5b9ff8457683 status: experimental description: Detects possible DLL hijacking of wcnnetsh.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/wcnnetsh.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\wcnnetsh.dll' filter: ImageLoaded: - 'c:\windows\system32\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of wdi.dll id: 5329261b-9395-48a3-4833-5b9ff8245333 status: experimental description: Detects possible DLL hijacking of wdi.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/wdi.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574 - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\wdi.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. 
--- title: Possible DLL Hijacking of wdscore.dll id: 1535941b-9395-48a3-4833-5b9ff8417233 status: experimental description: Detects possible DLL hijacking of wdscore.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/wdscore.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\wdscore.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of webservices.dll id: 2704591b-9395-48a3-4833-5b9ff8365128 status: experimental description: Detects possible DLL hijacking of webservices.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/webservices.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\webservices.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of wecapi.dll id: 3483041b-9395-48a3-4833-5b9ff8919715 status: experimental description: Detects possible DLL hijacking of wecapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/wecapi.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\wecapi.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of wer.dll id: 6667191b-9395-48a3-4833-5b9ff8831964 status: experimental description: Detects possible DLL hijacking of wer.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/wer.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\wer.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of wevtapi.dll id: 1325681b-9395-48a3-4833-5b9ff8877743 status: experimental description: Detects possible DLL hijacking of wevtapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/wevtapi.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574 - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\wevtapi.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. 
--- title: Possible DLL Hijacking of whhelper.dll id: 9852421b-9395-48a3-4833-5b9ff8858874 status: experimental description: Detects possible DLL hijacking of whhelper.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/whhelper.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\whhelper.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of wimgapi.dll id: 1854941b-9395-48a3-4833-5b9ff8418066 status: experimental description: Detects possible DLL hijacking of wimgapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/wimgapi.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.001 - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\wimgapi.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' - 'c:\program files\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\arm64\DISM\*' - 'c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\arm64\DISM\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of winbio.dll id: 1716731b-7437-48a3-2115-5b9ff8633519 status: experimental description: Detects possible DLL hijacking of winbio.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/winbio.html author: "Chris Spehn" date: 2021-08-17 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\winbio.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of winbrand.dll id: 7484511b-9395-48a3-4833-5b9ff8104958 status: experimental description: Detects possible DLL hijacking of winbrand.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/winbrand.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\winbrand.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of windows.storage.dll id: 9111951b-2897-48a3-6541-5b9ff8134848 status: experimental description: Detects possible DLL hijacking of windows.storage.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/windows.storage.html author: "Wietze Beukema" date: 2022-05-21 tags: - attack.defense_evasion - attack.T1574 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\windows.storage.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. 
This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of windows.storage.search.dll id: 4803241b-2897-48a3-6541-5b9ff8200174 status: experimental description: Detects possible DLL hijacking of windows.storage.search.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/windows.storage.search.html author: "Wietze Beukema" date: 2022-05-21 tags: - attack.defense_evasion - attack.T1574 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\windows.storage.search.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of windows.ui.immersive.dll id: 1638671b-2028-48a3-1241-5b9ff8322645 status: experimental description: Detects possible DLL hijacking of windows.ui.immersive.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/windows.ui.immersive.html author: "Chris Spehn" date: 2021-08-16 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\windows.ui.immersive.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of windowscodecs.dll id: 7923331b-9395-48a3-4833-5b9ff8176806 status: experimental description: Detects possible DLL hijacking of windowscodecs.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/windowscodecs.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574 - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\windowscodecs.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of windowscodecsext.dll id: 5485021b-2897-48a3-6541-5b9ff8612059 status: experimental description: Detects possible DLL hijacking of windowscodecsext.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/windowscodecsext.html author: "Wietze Beukema" date: 2022-05-21 tags: - attack.defense_evasion - attack.T1574 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\windowscodecsext.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of windowsperformancerecordercontrol.dll id: 1224551b-9395-48a3-4833-5b9ff8366003 status: experimental description: Detects possible DLL hijacking of windowsperformancerecordercontrol.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/windowsperformancerecordercontrol.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\windowsperformancerecordercontrol.dll' filter: ImageLoaded: - 'c:\program files\windows kits\10\windows performance toolkit\*' - 'c:\program files (x86)\windows kits\10\windows performance toolkit\*' - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of windowsudk.shellcommon.dll id: 5019781b-2897-48a3-6541-5b9ff8831881 status: experimental description: Detects possible DLL hijacking of windowsudk.shellcommon.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/windowsudk.shellcommon.html author: "Wietze Beukema" date: 2022-05-21 tags: - attack.defense_evasion - attack.T1574 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\windowsudk.shellcommon.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of winhttp.dll id: 3239901b-9395-48a3-4833-5b9ff8189432 status: experimental description: Detects possible DLL hijacking of winhttp.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/winhttp.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\winhttp.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of wininet.dll id: 5133201b-9395-48a3-4833-5b9ff8546758 status: experimental description: Detects possible DLL hijacking of wininet.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/wininet.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\wininet.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of winipsec.dll id: 8435321b-9395-48a3-4833-5b9ff8591945 status: experimental description: Detects possible DLL hijacking of winipsec.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/winipsec.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\winipsec.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. 
--- title: Possible DLL Hijacking of winmde.dll id: 9555561b-9395-48a3-4833-5b9ff8958594 status: experimental description: Detects possible DLL hijacking of winmde.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/winmde.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\winmde.dll' filter: ImageLoaded: - 'c:\windows\system32\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of winmm.dll id: 6001231b-9395-48a3-4833-5b9ff8661849 status: experimental description: Detects possible DLL hijacking of winmm.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/winmm.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\winmm.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of winnsi.dll id: 3518231b-9395-48a3-4833-5b9ff8680757 status: experimental description: Detects possible DLL hijacking of winnsi.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/winnsi.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\winnsi.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of winrnr.dll id: 3147261b-2897-48a3-6541-5b9ff8162235 status: experimental description: Detects possible DLL hijacking of winrnr.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/winrnr.html author: "Wietze Beukema" date: 2022-05-21 tags: - attack.defense_evasion - attack.T1574 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\winrnr.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of winscard.dll id: 4651821b-7437-48a3-2115-5b9ff8962377 status: experimental description: Detects possible DLL hijacking of winscard.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/winscard.html author: "Chris Spehn" date: 2021-08-17 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\winscard.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. 
--- title: Possible DLL Hijacking of winsqlite3.dll id: 2504881b-9395-48a3-4833-5b9ff8837374 status: experimental description: Detects possible DLL hijacking of winsqlite3.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/winsqlite3.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\winsqlite3.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of winsta.dll id: 4474351b-9395-48a3-4833-5b9ff8756495 status: experimental description: Detects possible DLL hijacking of winsta.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/winsta.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\winsta.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of winsync.dll id: 9097691b-7437-48a3-2115-5b9ff8759570 status: experimental description: Detects possible DLL hijacking of winsync.dll by looking for suspicious image loads, loading this DLL from unexpected locations. 
references: - https://hijacklibs.net/entries/microsoft/built-in/winsync.html author: "Chris Spehn" date: 2021-08-17 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\winsync.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of wkscli.dll id: 2376871b-9395-48a3-4833-5b9ff8271846 status: experimental description: Detects possible DLL hijacking of wkscli.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/wkscli.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\wkscli.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. --- title: Possible DLL Hijacking of wlanapi.dll id: 9728591b-9395-48a3-4833-5b9ff8620460 status: experimental description: Detects possible DLL hijacking of wlanapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations. references: - https://hijacklibs.net/entries/microsoft/built-in/wlanapi.html author: "Wietze Beukema" date: 2021-02-27 tags: - attack.defense_evasion - attack.T1574.002 logsource: product: windows category: image_load detection: selection: ImageLoaded: '*\wlanapi.dll' filter: ImageLoaded: - 'c:\windows\system32\*' - 'c:\windows\syswow64\*' condition: selection and not filter falsepositives: - False positives are likely. This rule is more suitable for hunting than for generating detections. 
---
title: Possible DLL Hijacking of wlancfg.dll
id: 5680621b-9395-48a3-4833-5b9ff8948419
status: experimental
description: Detects possible DLL hijacking of wlancfg.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wlancfg.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\wlancfg.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of wlbsctrl.dll
id: 7274671b-4908-48a3-8140-5b9ff8212003
status: experimental
description: Detects possible DLL hijacking of wlbsctrl.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wlbsctrl.html
author: "Wietze Beukema"
date: 2022-06-12
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\wlbsctrl.dll'
    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of wldp.dll
id: 4724501b-9395-48a3-4833-5b9ff8872681
status: experimental
description: Detects possible DLL hijacking of wldp.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wldp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\wldp.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of wlidprov.dll
id: 8739311b-2897-48a3-6541-5b9ff8180920
status: experimental
description: Detects possible DLL hijacking of wlidprov.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wlidprov.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\wlidprov.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of wmiclnt.dll
id: 2830981b-9395-48a3-4833-5b9ff8308665
status: experimental
description: Detects possible DLL hijacking of wmiclnt.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wmiclnt.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\wmiclnt.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of wmidcom.dll
id: 6056741b-2897-48a3-6541-5b9ff8639527
status: experimental
description: Detects possible DLL hijacking of wmidcom.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wmidcom.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\wmidcom.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of wmiutils.dll
id: 9676101b-2897-48a3-6541-5b9ff8669284
status: experimental
description: Detects possible DLL hijacking of wmiutils.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wmiutils.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\wmiutils.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\wbem\*'
            - 'c:\windows\syswow64\wbem\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of wmpdui.dll
id: 9754191b-9395-48a3-4833-5b9ff8371687
status: experimental
description: Detects possible DLL hijacking of wmpdui.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wmpdui.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\wmpdui.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of wmsgapi.dll
id: 5032211b-9395-48a3-4833-5b9ff8166548
status: experimental
description: Detects possible DLL hijacking of wmsgapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wmsgapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\wmsgapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of wofutil.dll
id: 5375031b-9395-48a3-4833-5b9ff8946295
status: experimental
description: Detects possible DLL hijacking of wofutil.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wofutil.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\wofutil.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of wpdshext.dll
id: 1033051b-2897-48a3-6541-5b9ff8574917
status: experimental
description: Detects possible DLL hijacking of wpdshext.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wpdshext.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\wpdshext.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of wptsextensions.dll
id: 5524021b-9122-48a3-7130-5b9ff8916642
status: experimental
description: Detects possible DLL hijacking of wptsextensions.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wptsextensions.html
author: "k4nfr3"
date: 2022-08-15
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\wptsextensions.dll'
    condition: selection
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of wscapi.dll
id: 2593901b-7437-48a3-2115-5b9ff8485573
status: experimental
description: Detects possible DLL hijacking of wscapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wscapi.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\wscapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of wsdapi.dll
id: 8287071b-2811-48a3-1599-5b9ff8397965
status: experimental
description: Detects possible DLL hijacking of wsdapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wsdapi.html
author: "Gary Lobermier"
date: 2023-05-22
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\wsdapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of wshbth.dll
id: 8610091b-2897-48a3-6541-5b9ff8545844
status: experimental
description: Detects possible DLL hijacking of wshbth.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wshbth.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\wshbth.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of wshelper.dll
id: 8129561b-9395-48a3-4833-5b9ff8430106
status: experimental
description: Detects possible DLL hijacking of wshelper.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wshelper.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\wshelper.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of wsmsvc.dll
id: 5007061b-7437-48a3-2115-5b9ff8554659
status: experimental
description: Detects possible DLL hijacking of wsmsvc.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wsmsvc.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\wsmsvc.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of wtsapi32.dll
id: 8940961b-9395-48a3-4833-5b9ff8441253
status: experimental
description: Detects possible DLL hijacking of wtsapi32.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wtsapi32.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\wtsapi32.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of wwancfg.dll
id: 6747661b-9395-48a3-4833-5b9ff8833613
status: experimental
description: Detects possible DLL hijacking of wwancfg.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wwancfg.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\wwancfg.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of wwapi.dll
id: 2428691b-9395-48a3-4833-5b9ff8356790
status: experimental
description: Detects possible DLL hijacking of wwapi.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/wwapi.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\wwapi.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of xmllite.dll
id: 8669101b-9395-48a3-4833-5b9ff8628499
status: experimental
description: Detects possible DLL hijacking of xmllite.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/xmllite.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\xmllite.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of xolehlp.dll
id: 2478961b-9395-48a3-4833-5b9ff8785507
status: experimental
description: Detects possible DLL hijacking of xolehlp.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/xolehlp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\xolehlp.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of xpsservices.dll
id: 1592401b-7437-48a3-2115-5b9ff8869195
status: experimental
description: Detects possible DLL hijacking of xpsservices.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/xpsservices.html
author: "Chris Spehn"
date: 2021-08-17
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\xpsservices.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of xwizards.dll
id: 6794171b-2897-48a3-6541-5b9ff8973235
status: experimental
description: Detects possible DLL hijacking of xwizards.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/xwizards.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\xwizards.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of xwtpw32.dll
id: 6163311b-2897-48a3-6541-5b9ff8912890
status: experimental
description: Detects possible DLL hijacking of xwtpw32.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/built-in/xwtpw32.html
author: "Wietze Beukema"
date: 2022-05-21
tags:
    - attack.defense_evasion
    - attack.T1574
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\xwtpw32.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of atltracetoolui.dll
id: 8132641b-4150-48a3-8413-5b9ff8149350
status: experimental
description: Detects possible DLL hijacking of atltracetoolui.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/atltracetoolui.html
author: "Wietze Beukema"
date: 2023-04-04
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\atltracetoolui.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\Microsoft Visual Studio 11.0\Common7\Tools\*'
            - 'c:\program files (x86)\Microsoft Visual Studio 11.0\Common7\Tools\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of dbgeng.dll
id: 9774421b-9223-48a3-6181-5b9ff8657582
status: experimental
description: Detects possible DLL hijacking of dbgeng.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/dbgeng.html
author: "Wietze Beukema"
date: 2023-03-01
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\dbgeng.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\Windows Kits\*\Debuggers\x86\*'
            - 'c:\program files (x86)\Windows Kits\*\Debuggers\x86\*'
            - 'c:\program files\Windows Kits\*\Debuggers\x64\*'
            - 'c:\program files (x86)\Windows Kits\*\Debuggers\x64\*'
            - 'c:\program files\Windows Kits\*\Debuggers\arm\*'
            - 'c:\program files (x86)\Windows Kits\*\Debuggers\arm\*'
            - 'c:\program files\Windows Kits\*\Debuggers\arm64\*'
            - 'c:\program files (x86)\Windows Kits\*\Debuggers\arm64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of formdll.dll
id: 2943741b-3819-48a3-7381-5b9ff8215555
status: experimental
description: Detects possible DLL hijacking of formdll.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/formdll.html
author: "Wietze Beukema"
date: 2023-09-04
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\formdll.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\Common Files\Microsoft Shared\NoteSync Forms\*'
            - 'c:\program files (x86)\Common Files\Microsoft Shared\NoteSync Forms\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of gflagsui.dll
id: 1356931b-2811-48a3-1599-5b9ff8833446
status: experimental
description: Detects possible DLL hijacking of gflagsui.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/gflagsui.html
author: "Gary Lobermier"
date: 2023-05-22
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\gflagsui.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\Windows Kits\10\Debuggers\*\*'
            - 'c:\program files (x86)\Windows Kits\10\Debuggers\*\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of hha.dll
id: 6370911b-6722-48a3-2305-5b9ff8430460
status: experimental
description: Detects possible DLL hijacking of hha.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/hha.html
author: "Wietze Beukema"
date: 2021-12-08
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\hha.dll'
    filter:
        ImageLoaded:
            - 'c:\windows\system32\*'
            - 'c:\windows\syswow64\*'
            - 'c:\program files\HTML Help Workshop\*'
            - 'c:\program files (x86)\HTML Help Workshop\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of iviewers.dll
id: 1295571b-6727-48a3-6557-5b9ff8430907
status: experimental
description: Detects possible DLL hijacking of iviewers.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/iviewers.html
author: "Wietze Beukema"
date: 2022-06-14
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\iviewers.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\Windows Kits\10\bin\*\x86\*'
            - 'c:\program files (x86)\Windows Kits\10\bin\*\x86\*'
            - 'c:\program files\Windows Kits\10\bin\*\x64\*'
            - 'c:\program files (x86)\Windows Kits\10\bin\*\x64\*'
            - 'c:\program files\Windows Kits\10\bin\*\arm\*'
            - 'c:\program files (x86)\Windows Kits\10\bin\*\arm\*'
            - 'c:\program files\Windows Kits\10\bin\*\arm64\*'
            - 'c:\program files (x86)\Windows Kits\10\bin\*\arm64\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of outllib.dll
id: 3802401b-1318-48a3-1317-5b9ff8856876
status: experimental
description: Detects possible DLL hijacking of outllib.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/outllib.html
author: "Wietze Beukema"
date: 2022-06-13
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\outllib.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\Microsoft Office\OFFICE*\*'
            - 'c:\program files (x86)\Microsoft Office\OFFICE*\*'
            - 'c:\program files\Microsoft Office\Root\OFFICE*\*'
            - 'c:\program files (x86)\Microsoft Office\Root\OFFICE*\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of rcdll.dll
id: 1324851b-2811-48a3-1599-5b9ff8815748
status: experimental
description: Detects possible DLL hijacking of rcdll.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/rcdll.html
author: "Gary Lobermier"
date: 2023-05-22
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\rcdll.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\Windows Kits\10\bin\*\*\*'
            - 'c:\program files (x86)\Windows Kits\10\bin\*\*\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of symsrv.dll
id: 9816231b-2811-48a3-1599-5b9ff8945318
status: experimental
description: Detects possible DLL hijacking of symsrv.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/symsrv.html
author: "Gary Lobermier"
date: 2023-05-22
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\symsrv.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\Windows Kits\10\Debuggers\*\*'
            - 'c:\program files (x86)\Windows Kits\10\Debuggers\*\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
---
title: Possible DLL Hijacking of windowsperformancerecorderui.dll
id: 1067751b-2811-48a3-1599-5b9ff8544858
status: experimental
description: Detects possible DLL hijacking of windowsperformancerecorderui.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/microsoft/external/windowsperformancerecorderui.html
author: "Gary Lobermier"
date: 2023-05-22
tags:
    - attack.defense_evasion
    - attack.T1574.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\windowsperformancerecorderui.dll'
    filter:
        ImageLoaded:
            - 'c:\program files\Windows Kits\10\Windows Performance Toolkit\*'
            - 'c:\program files (x86)\Windows Kits\10\Windows Performance Toolkit\*'
    condition: selection and not filter
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.