1190 lines (741 loc) · 60.3 KB

references_i.md

File metadata and controls

1190 lines (741 loc) · 60.3 KB

Sigma rule references as PDF

image_load_apt_cozy_bear_graphical_proton_dlls

Title : DLL Names Used By SVR For GraphicalProton Backdoor

Rule id : e64c8ef3-9f98-40c8-b71e-96110991cb4c

| Url | Pdf |
| --- | --- |
| https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a | pdf/fdb7d0ff551e0a230e54c9ef703be38a74c09f811057193bb2ab0ac21dee22cd.pdf |

image_load_apt_diamond_sleet_side_load

Title : Diamond Sleet APT DLL Sideloading Indicators

Rule id : d1b65d98-37d7-4ff6-b139-2d87c1af3042

| Url | Pdf |
| --- | --- |
| https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ | pdf/a9e72b2851441ee8f752f82e60cdc3fdd923b1daffb9099cd1db1fda0d3bb908.pdf |

image_load_apt_lazarus_side_load_activity

Title : Lazarus APT DLL Sideloading Activity

Rule id : 24007168-a26b-4049-90d0-ce138e13a5cf

| Url | Pdf |
| --- | --- |
| https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/ | pdf/7450a1d4baf348189921a4d4ace7e1997bba39744ed314c2bf7fb383a75b2dd5.pdf |
| https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/ | pdf/14fa79aaa4bf4e3e15ed709bfef0d090632eed99d7c5e409e1dd3586041cdc69.pdf |

image_load_cmstp_load_dll_from_susp_location

Title : DLL Loaded From Suspicious Location Via Cmspt.EXE

Rule id : 75e508f7-932d-4ebc-af77-269237a84ce1

| Url | Pdf |
| --- | --- |
| https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml | pdf/b6271883df3fef2d6f16b6a204f2d3a54747d5e8e6193b81ae9a0ce014341716.pdf |

image_load_dll_amsi_suspicious_process

Title : Amsi.DLL Loaded Via LOLBIN Process

Rule id : 6ec86d9e-912e-4726-91a2-209359b999b9

| Url | Pdf |
| --- | --- |
| https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/ | pdf/66f2ab6c9bc31a74087d677bbc3a0f0dd16b92f244d3e7c010cd9f1555c3f38e.pdf |

image_load_dll_amsi_uncommon_process

Title : Amsi.DLL Load By Uncommon Process

Rule id : facd1549-e416-48e0-b8c4-41d7215eedc8

| Url | Pdf |
| --- | --- |
| https://infosecwriteups.com/amsi-bypass-new-way-2023-d506345944e9 | pdf/e9a087e39b4ee5fb42910d63b3bab65e99798a5780b7b762d50404c65a9ca5ad.pdf |
| https://github.com/TheD1rkMtr/AMSI_patch | pdf/a4b5086a5d396ea0793a1222635e382c1192e6161cb5654953ed9d55297d9e25.pdf |
| https://github.com/surya-dev-singh/AmsiBypass-OpenSession | pdf/d607bcb0aa4121d8d9ce0a7058fc4a2d2d75118b2a48de913e3e7e52112efcb3.pdf |

image_load_dll_azure_microsoft_account_token_provider_dll_load

Title : Potential Azure Browser SSO Abuse

Rule id : 50f852e6-af22-4c78-9ede-42ef36aa3453

| Url | Pdf |
| --- | --- |
| https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30 | pdf/0a9a8e1fdaaf6a6b949bd568f6aeddda634d3ee49beb2340fbcc460193dfb239.pdf |

image_load_dll_comsvcs_load_renamed_version_by_rundll32

Title : Suspicious Renamed Comsvcs DLL Loaded By Rundll32

Rule id : 8cde342c-ba48-4b74-b615-172c330f2e93

| Url | Pdf |
| --- | --- |
| https://twitter.com/sbousseaden/status/1555200155351228419 | pdf/039ef258fe01ee935eb95fb25342eaae63171983dc266aa2edd91cbe4807bb1c.pdf |

image_load_dll_credui_uncommon_process_load

Title : CredUI.DLL Loaded By Uncommon Process

Rule id : 9ae01559-cf7e-4f8e-8e14-4c290a1b4784

| Url | Pdf |
| --- | --- |
| https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html | pdf/a6fbc7bfb57d4b09076550c269261ef51e8a616142a21b04f3c4c88f5287fa0e.pdf |
| https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password | pdf/8e605163b6b87ea39899545eb068bc2947c5e1d1bb2cc547bba25d618668a8c7.pdf |
| https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa | pdf/ca7b6d5a15c19a566a291a734633b443bd7dfad4018e8dca77dd14333dd3ed8c.pdf |
| https://github.com/S12cybersecurity/RDPCredentialStealer | pdf/5d1e07ebd4a5904d05795c247e3fd88fa001bc09223a0a7b7438b8d8bea3a991.pdf |

image_load_dll_dbghelp_dbgcore_susp_load

Title : Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process

Rule id : 0e277796-5f23-4e49-a490-483131d4f6e1

| Url | Pdf |
| --- | --- |
| https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump | pdf/978a863e9d75acb257f25312c2d3624f71bc941cc4797f55366d1947f3842c43.pdf |
| https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html | pdf/38994d698966d2b1dad13299c63b02037c047a6e199fd95d0f9de7d2b03e851c.pdf |
| https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 | pdf/93de143e25e0b475055918bbfb262243aae649767d5a3733041bc9d8f7d81fd5.pdf |

image_load_dll_dbghelp_dbgcore_unsigned_load

Title : Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded

Rule id : bdc64095-d59a-42a2-8588-71fd9c9d9abc

| Url | Pdf |
| --- | --- |
| https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump | pdf/dbc392f576e75cb4f4b6edd7a72062b00f2d25a599b43e92c3362a5ce346259f.pdf |
| https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html | pdf/38994d698966d2b1dad13299c63b02037c047a6e199fd95d0f9de7d2b03e851c.pdf |
| https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 | pdf/93de143e25e0b475055918bbfb262243aae649767d5a3733041bc9d8f7d81fd5.pdf |

image_load_dll_pcre_dotnet_dll_load

Title : PCRE.NET Package Image Load

Rule id : 84b0a8f3-680b-4096-a45b-e9a89221727c

| Url | Pdf |
| --- | --- |
| https://twitter.com/rbmaslen/status/1321859647091970051 | pdf/ed8d22078d6fa87c3ab623f49e6ccf952b141bff8921eb381860c9e8f6d97cfd.pdf |
| https://twitter.com/tifkin_/status/1321916444557365248 | pdf/51e0f59d9b41cb1c8ba408bf002de35423f0c29fe702f85e0f60fb96be143885.pdf |

image_load_dll_rstrtmgr_suspicious_load

Title : Load Of RstrtMgr.DLL By A Suspicious Process

Rule id : b48492dc-c5ef-4572-8dff-32bc241c15c8

| Url | Pdf |
| --- | --- |
| https://www.crowdstrike.com/blog/windows-restart-manager-part-1/ | pdf/87ff727c4d75673c561c9c325c1b5ebde1e9a69098de1da0bae040ee3058dd23.pdf |
| https://www.crowdstrike.com/blog/windows-restart-manager-part-2/ | pdf/a0e9cb14679bb161cb622b2315050ff327a3dd8c8c6993775847c3dadeee4aeb.pdf |
| https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/ | pdf/05fed0ba5640aa40f9492fef9a859bfca2e5417cb5396118277354d33bd86bf4.pdf |
| https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html | pdf/29778c7098dc9fda30077e4e50fc9674db5da5ed76fd43bc9d3f6bce621fba42.pdf |

image_load_dll_rstrtmgr_uncommon_load

Title : Load Of RstrtMgr.DLL By An Uncommon Process

Rule id : 3669afd2-9891-4534-a626-e5cf03810a61

| Url | Pdf |
| --- | --- |
| https://www.crowdstrike.com/blog/windows-restart-manager-part-1/ | pdf/87ff727c4d75673c561c9c325c1b5ebde1e9a69098de1da0bae040ee3058dd23.pdf |
| https://www.crowdstrike.com/blog/windows-restart-manager-part-2/ | pdf/a0e9cb14679bb161cb622b2315050ff327a3dd8c8c6993775847c3dadeee4aeb.pdf |
| https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/ | pdf/05fed0ba5640aa40f9492fef9a859bfca2e5417cb5396118277354d33bd86bf4.pdf |
| https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html | pdf/29778c7098dc9fda30077e4e50fc9674db5da5ed76fd43bc9d3f6bce621fba42.pdf |

image_load_dll_sdiageng_load_by_msdt

Title : Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE

Rule id : ec8c4047-fad9-416a-8c81-0f479353d7f6

| Url | Pdf |
| --- | --- |
| https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/ | pdf/2db00398d48e3bbd33f77c05dfb6333b0041432ce24c22d8bd344b56b7823394.pdf |

image_load_dll_system_drawing_load

Title : System Drawing DLL Load

Rule id : 666ecfc7-229d-42b8-821e-1a8f8cb7057c

| Url | Pdf |
| --- | --- |
| https://github.com/OTRF/detection-hackathon-apt29/issues/16 | pdf/058339aab2bc67b209d0ea2a1f4285c4e827b753c5e887b3a29ce9b4b7f7cae5.pdf |
| https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.md | pdf/51ad6a42ceb7343bcf54715d9fe1e99a2653e926c9c86d2e0c7e7f40def35ec2.pdf |

image_load_dll_system_management_automation_susp_load

Title : PowerShell Core DLL Loaded By Non PowerShell Process

Rule id : 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f

| Url | Pdf |
| --- | --- |
| https://adsecurity.org/?p=2921 | pdf/3e93d46f04e302cbe9c1f7ac34fa05abdf755de14f616d8a7b1405d9240db56f.pdf |
| https://github.com/p3nt4/PowerShdll | pdf/fc6e26639d5e5794b008017db29df1a1737ff3a4116288c185f92f6c9f28ad72.pdf |

image_load_dll_taskschd_by_process_in_potentially_suspicious_location

Title : Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location

Rule id : 3b92a1d0-8d4b-4d28-a1b4-1e29d49a6a3e

| Url | Pdf |
| --- | --- |
| https://www.logpoint.com/en/blog/shenanigans-of-scheduled-tasks/ | pdf/fc1ca2598a0d264e9c5966c1e49e4762d6fb57a34b2235a91c005a196c2cb01c.pdf |
| https://x.com/Max_Mal_/status/1826179497084739829 | pdf/92a6c65b867b45c056abd1d0d8e5c2d555372a8bdc674d7ecf781f6fb8c8fcfe.pdf |

image_load_dll_tttracer_module_load

Title : Time Travel Debugging Utility Usage - Image

Rule id : e76c8240-d68f-4773-8880-5c6f63595aaf

| Url | Pdf |
| --- | --- |
| https://lolbas-project.github.io/lolbas/Binaries/Tttracer/ | pdf/16c6b915dc5c6956e596731c683847499e0b9b6e14867117050d87653298157b.pdf |
| https://twitter.com/mattifestation/status/1196390321783025666 | pdf/7fe4f25166f8e568b0f4331a9da56df874b6ce0b83cb39c6721bf1c5ac095c55.pdf |
| https://twitter.com/oulusoyum/status/1191329746069655553 | pdf/eecc68a30847f2b178e7d25d936825468a02cbc3ce08c404b98d3143ec7b53d5.pdf |

image_load_dll_vss_ps_susp_load

Title : Suspicious Volume Shadow Copy VSS_PS.dll Load

Rule id : 333cdbe8-27bb-4246-bf82-b41a0dca4b70

| Url | Pdf |
| --- | --- |
| https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add | pdf/2b14e3d57ca4126b5c29ea1404cf68c40961eac6ed7d8e8f60a0382d0efcd107.pdf |
| https://twitter.com/am0nsec/status/1412232114980982787 | pdf/048beb5ed116ba8a6fd271ba58165e519eb40600fde73dbc22dbb6fa7cee6291.pdf |

image_load_dll_vssapi_susp_load

Title : Suspicious Volume Shadow Copy Vssapi.dll Load

Rule id : 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8

| Url | Pdf |
| --- | --- |
| https://github.com/ORCx41/DeleteShadowCopies | pdf/65a56532408657cc5c10f91d48bfe0718eaf4aace6ca638a1e3da425949de2da.pdf |

image_load_dll_vsstrace_susp_load

Title : Suspicious Volume Shadow Copy Vsstrace.dll Load

Rule id : 48bfd177-7cf2-412b-ad77-baf923489e82

| Url | Pdf |
| --- | --- |
| https://github.com/ORCx41/DeleteShadowCopies | pdf/65a56532408657cc5c10f91d48bfe0718eaf4aace6ca638a1e3da425949de2da.pdf |

image_load_hktl_sharpevtmute

Title : HackTool - SharpEvtMute DLL Load

Rule id : 49329257-089d-46e6-af37-4afce4290685

| Url | Pdf |
| --- | --- |
| https://github.com/bats3c/EvtMute | pdf/65df42c300f188e398def64f341a5765597707fcb83749e667f7d0a0f7d856f7.pdf |

image_load_hktl_silenttrinity_stager

Title : HackTool - SILENTTRINITY Stager DLL Load

Rule id : 75c505b1-711d-4f68-a357-8c3fe37dbf2d

| Url | Pdf |
| --- | --- |
| https://github.com/byt3bl33d3r/SILENTTRINITY | pdf/1f99df34d0b4bc7209b3ade108b7a4b7ea18a707f0b1cceddff7715f160ecb59.pdf |

image_load_iexplore_dcom_iertutil_dll_hijack

Title : Potential DCOM InternetExplorer.Application DLL Hijack - Image Load

Rule id : f354eba5-623b-450f-b073-0b5b2773b6aa

| Url | Pdf |
| --- | --- |
| https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html | pdf/ba965214af2505144a26f6c901814ff29d26160ee8671d7a6cfe913b06bcc0e8.pdf |

image_load_lsass_unsigned_image_load

Title : Unsigned Image Loaded Into LSASS Process

Rule id : 857c8db3-c89b-42fb-882b-f681c7cf4da2

| Url | Pdf |
| --- | --- |
| https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment | pdf/52e26c81a11e8750dcb450054f7519ab7fa64b2a0e94d3c66075f12ea424e9d0.pdf |

image_load_malware_3cx_compromise_susp_dll

Title : Malicious DLL Load By Compromised 3CXDesktopApp

Rule id : d0b65ad3-e945-435e-a7a9-438e62dd48e9

| Url | Pdf |
| --- | --- |
| https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/ | pdf/2e02166e72ac71f707f8e87583ea39b31031454c7f136a9e2854d7c460105481.pdf |

image_load_malware_coldsteel_persistence_service_dll

Title : Potential COLDSTEEL Persistence Service DLL Load

Rule id : 1d7a57da-02e0-4f7f-92b1-c7b486ccfed5

| Url | Pdf |
| --- | --- |

image_load_malware_csharp_streamer_dotnet_load

Title : Potential CSharp Streamer RAT Loading .NET Executable Image

Rule id : 6f6afac3-8e7a-4e4b-9588-2608ffe08f82

| Url | Pdf |
| --- | --- |
| https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections | pdf/41230b65a57bcc1e9e47d7666227222ac61b9725ed04387a9580374586c9cbfc.pdf |
| https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ | pdf/0462c19c3f470788d370c7239420bfac8e0e1af285785428d1c2647391963a30.pdf |

image_load_malware_foggyweb_nobelium

Title : FoggyWeb Backdoor DLL Loading

Rule id : 640dc51c-7713-4faa-8a0e-e7c0d9d4654c

| Url | Pdf |
| --- | --- |
| https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/ | pdf/2e02166e72ac71f707f8e87583ea39b31031454c7f136a9e2854d7c460105481.pdf |

image_load_malware_kapeka_backdoor_wll

Title : Kapeka Backdoor Loaded Via Rundll32.EXE

Rule id : a7e6b1f9-8d2c-4f1e-9a7d-63e4c8a2bf4c

| Url | Pdf |
| --- | --- |
| https://labs.withsecure.com/publications/kapeka | pdf/2458ac308057f4f668b76f392f6de2b7c136a9c42f8606c1c740168d49e7b5c0.pdf |
| https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ | pdf/842a02b6dbd0c3af7c423879e83f9275d685e92409985b2b9164a1124d481364.pdf |

image_load_malware_pingback_backdoor

Title : Pingback Backdoor DLL Loading Activity

Rule id : 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b

| Url | Pdf |
| --- | --- |
| https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel | pdf/dc54498ffb77b49ac37ae246aeeb4abf193788b749a3bac8c86226d9ec2caaea.pdf |
| https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 | pdf/d96dcaa5261a0eb4fd5c4d7a5a6f7b594822308b332a2521bb6480f1b535487d.pdf |

image_load_malware_raspberry_robin_side_load_aclui_oleview

Title : Potential Raspberry Robin Aclui Dll SideLoading

Rule id : 0f3a9db2-c17a-480e-a723-d1f1c547ab6a

| Url | Pdf |
| --- | --- |
| https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/ | pdf/b513a2fffa4fcbe7475fceabb8e6041dcb2a4320228ec5b9f5328753ba0e8c5c.pdf |
| https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ | pdf/ab1b75eebce8fc82bc088e1a742b06a73559c72a16182dae8335a9b0ce3e1e14.pdf |
| https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/ | pdf/aa411cb2863ace233ecaa6ecf4e2cb31607b3de39ba0f12c782c7afcd844484e.pdf |
| https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ | pdf/9f5da37b147ad37476ae1c2b71731b5f54978a60c770842e97c0d23a11bd2d65.pdf |
| https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html | pdf/50795f2333e59768c7b8f20e659c629ddb269b806c82dd7e7cc9e44bf7335d39.pdf |

image_load_office_dotnet_assembly_dll_load

Title : DotNET Assembly DLL Loaded Via Office Application

Rule id : ff0f2b05-09db-4095-b96d-1b75ca24894a

| Url | Pdf |
| --- | --- |
| https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 | pdf/6ed3764048f99b1682fe836c77791f9871000daa59b8a7c748a4dd0bc18d6560.pdf |

image_load_office_dotnet_clr_dll_load

Title : CLR DLL Loaded Via Office Applications

Rule id : d13c43f0-f66b-4279-8b2c-5912077c1780

| Url | Pdf |
| --- | --- |
| https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 | pdf/6ed3764048f99b1682fe836c77791f9871000daa59b8a7c748a4dd0bc18d6560.pdf |

image_load_office_dotnet_gac_dll_load

Title : GAC DLL Loaded Via Office Applications

Rule id : 90217a70-13fc-48e4-b3db-0d836c5824ac

| Url | Pdf |
| --- | --- |
| https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 | pdf/6ed3764048f99b1682fe836c77791f9871000daa59b8a7c748a4dd0bc18d6560.pdf |

image_load_office_dsparse_dll_load

Title : Active Directory Parsing DLL Loaded Via Office Application

Rule id : a2a3b925-7bb0-433b-b508-db9003263cc4

| Url | Pdf |
| --- | --- |
| https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 | pdf/6ed3764048f99b1682fe836c77791f9871000daa59b8a7c748a4dd0bc18d6560.pdf |

image_load_office_excel_xll_load

Title : Microsoft Excel Add-In Loaded

Rule id : c5f4b5cb-4c25-4249-ba91-aa03626e3185

| Url | Pdf |
| --- | --- |
| https://www.mandiant.com/resources/blog/lnk-between-browsers | pdf/542a8fb4745ce4cb6ded1a9ceb50ee93c7f540c1bfbe52570ebe6f57a908108d.pdf |

image_load_office_excel_xll_susp_load

Title : Microsoft Excel Add-In Loaded From Uncommon Location

Rule id : af4c4609-5755-42fe-8075-4effb49f5d44

| Url | Pdf |
| --- | --- |
| https://www.mandiant.com/resources/blog/lnk-between-browsers | pdf/542a8fb4745ce4cb6ded1a9ceb50ee93c7f540c1bfbe52570ebe6f57a908108d.pdf |
| https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/ | pdf/4c0f621505f5e76cfeddbe16b5858d9dc460e077a62083fae5ee9966951c9dd8.pdf |

image_load_office_kerberos_dll_load

Title : Active Directory Kerberos DLL Loaded Via Office Application

Rule id : 7417e29e-c2e7-4cf6-a2e8-767228c64837

| Url | Pdf |
| --- | --- |
| https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 | pdf/6ed3764048f99b1682fe836c77791f9871000daa59b8a7c748a4dd0bc18d6560.pdf |

image_load_office_outlook_outlvba_load

Title : Microsoft VBA For Outlook Addin Loaded Via Outlook

Rule id : 9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed

| Url | Pdf |
| --- | --- |
| https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58 | pdf/3fc9046b19de4a375b938ab32f36fc1f08dd380dc397de0c54f0c990ad17a491.pdf |

image_load_office_powershell_dll_load

Title : PowerShell Core DLL Loaded Via Office Application

Rule id : bb2ba6fb-95d4-4a25-89fc-30bb736c021a

| Url | Pdf |
| --- | --- |

image_load_office_vbadll_load

Title : VBA DLL Loaded Via Office Application

Rule id : e6ce8457-68b1-485b-9bdd-3c2b5d679aa9

| Url | Pdf |
| --- | --- |
| https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 | pdf/6ed3764048f99b1682fe836c77791f9871000daa59b8a7c748a4dd0bc18d6560.pdf |

image_load_office_word_wll_load

Title : Microsoft Word Add-In Loaded

Rule id : 1337afba-d17d-4d23-bd55-29b927603b30

| Url | Pdf |
| --- | --- |
| https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence | pdf/339e324db1b6ec791842be8e7c20492c5c1e3e185bab91c55568b53a63f712d5.pdf |
| https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file | pdf/8cddae29b4c1a71d8aead954d43d51f32c7d652dba97a23e3193f733cc73a8fe.pdf |

image_load_rundll32_remote_share_load

Title : Remote DLL Load Via Rundll32.EXE

Rule id : f40017b3-cb2e-4335-ab5d-3babf679c1de

| Url | Pdf |
| --- | --- |
| https://github.com/gabe-k/themebleed | pdf/6b4d0c83b1d12319e430b67504fb9dbcb12e6a6dcf79faec198b8960348b10b5.pdf |

image_load_scrcons_wmi_scripteventconsumer

Title : WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load

Rule id : b439f47d-ef52-4b29-9a2f-57d8a96cb6b8

| Url | Pdf |
| --- | --- |
| https://twitter.com/HunterPlaybook/status/1301207718355759107 | pdf/e0c53a0eafe87d39e7697c492c0dd5b0c7bfde24ba7b777f60c1d1e88853d1d6.pdf |
| https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/ | pdf/08aa8d6e3fb4d14608165f4983f2811668684f9edd2cf4582b373c0ae2341e70.pdf |
| https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html | pdf/ea5acd060b850390498c17b4f4d29a0dc175941a03aed6f3c5d4fa6419cd236b.pdf |

image_load_side_load_7za

Title : Potential 7za.DLL Sideloading

Rule id : 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57

| Url | Pdf |
| --- | --- |
| https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d | pdf/77dced15b20169c33aa718a4d8cef63b667aa3c7a381cdea9b33438c59f77fd9.pdf |

image_load_side_load_abused_dlls_susp_paths

Title : Abusable DLL Potential Sideloading From Suspicious Location

Rule id : 799a5f48-0ac1-4e0f-9152-71d137d48c2a

| Url | Pdf |
| --- | --- |
| https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html | pdf/fda1a05909c00f5a7acde2d7a4efdb336956c1e8cdc6de16ad3b449230406cf8.pdf |
| https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/ | pdf/b876c49c8de9f1b48434582ecd35d217f1e569d05b1ec4fe5d1934e74c44f65e.pdf |

image_load_side_load_antivirus

Title : Potential Antivirus Software DLL Sideloading

Rule id : 552b6b65-df37-4d3e-a258-f2fc4771ae54

| Url | Pdf |
| --- | --- |
| https://hijacklibs.net/ | pdf/59e92a6cdff98649d8a6839064d8400dd8c6a2c14b889fc3750bc169ee3bc8e9.pdf |

image_load_side_load_appverifui

Title : Potential appverifUI.DLL Sideloading

Rule id : ee6cea48-c5b6-4304-a332-10fc6446f484

| Url | Pdf |
| --- | --- |
| https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ | pdf/fb503fbd686e4427800c7ebf770931cec77224935fab738e0417065c228797eb.pdf |

image_load_side_load_aruba_networks_virtual_intranet_access

Title : Aruba Network Service Potential DLL Sideloading

Rule id : 90ae0469-0cee-4509-b67f-e5efcef040f7

| Url | Pdf |
| --- | --- |
| https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09 | pdf/3fe2dfa063036792d247c1d0f93a8794c7aaa57574adb19ff47cb34df038645b.pdf |

image_load_side_load_avkkid

Title : Potential AVKkid.DLL Sideloading

Rule id : 952ed57c-8f99-453d-aee0-53a49c22f95d

| Url | Pdf |
| --- | --- |
| https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/ | pdf/b876c49c8de9f1b48434582ecd35d217f1e569d05b1ec4fe5d1934e74c44f65e.pdf |

image_load_side_load_ccleaner_du

Title : Potential CCleanerDU.DLL Sideloading

Rule id : 1fbc0671-5596-4e17-8682-f020a0b995dc

| Url | Pdf |
| --- | --- |
| https://lab52.io/blog/2344-2/ | pdf/4fed3d479c38e255380f08b6d50cbca51b321f8671a9ca94c93c48174c78c514.pdf |

image_load_side_load_ccleaner_reactivator

Title : Potential CCleanerReactivator.DLL Sideloading

Rule id : 3735d5ac-d770-4da0-99ff-156b180bc600

| Url | Pdf |
| --- | --- |
| https://lab52.io/blog/2344-2/ | pdf/4fed3d479c38e255380f08b6d50cbca51b321f8671a9ca94c93c48174c78c514.pdf |

image_load_side_load_chrome_frame_helper

Title : Potential Chrome Frame Helper DLL Sideloading

Rule id : 72ca7c75-bf85-45cd-aca7-255d360e423c

| Url | Pdf |
| --- | --- |
| https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html | pdf/a2741e3b9483b2f9b20732a163d1ad73272effd2247cb6ca4e18b2522f58e22e.pdf |

image_load_side_load_classicexplorer32

Title : Potential DLL Sideloading Via ClassicExplorer32.dll

Rule id : caa02837-f659-466f-bca6-48bde2826ab4

| Url | Pdf |
| --- | --- |
| https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets | pdf/79a05507beb86fb1640fc0afcd0e75b40216da35b6e44a71024319df8854d1f1.pdf |
| https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/ | pdf/b8292746bf6b72ff8575145506c2a7973472c228350323968890ec672fa36c2b.pdf |

image_load_side_load_comctl32

Title : Potential DLL Sideloading Via comctl32.dll

Rule id : 6360757a-d460-456c-8b13-74cf0e60cceb

| Url | Pdf |
| --- | --- |
| https://github.com/binderlabs/DirCreate2System | pdf/557f25bd685071f7b5d74c8a5bb20857ce82489185d39ee2fc5ccb4685c20f2c.pdf |
| https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt | pdf/e89db25d174bd3a7f304a2cefe7b9977be1cc54cd3b7b7aee3e5469abd52b27c.pdf |

image_load_side_load_coregen

Title : Potential DLL Sideloading Using Coregen.exe

Rule id : 0fa66f66-e3f6-4a9c-93f8-4f2610b00171

| Url | Pdf |
| --- | --- |
| https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/ | pdf/4ea081d55125f368897612bd7395845d41997393c8930f4989f63441580effbf.pdf |

image_load_side_load_cpl_from_non_system_location

Title : System Control Panel Item Loaded From Uncommon Location

Rule id : 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde

| Url | Pdf |
| --- | --- |
| https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ | pdf/7b4e751ad730d7808f5c97c28350d8822ecfca1c83a6c7c1acbbcecca5fb0fa5.pdf |
| https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ | pdf/1206e94b540faa2896f12098eccdf9f9823362651c5c6da1fa48ec9bfb228699.pdf |

image_load_side_load_dbgcore

Title : Potential DLL Sideloading Of DBGCORE.DLL

Rule id : 9ca2bf31-0570-44d8-a543-534c47c33ed7

| Url | Pdf |
| --- | --- |
| https://hijacklibs.net/ | pdf/59e92a6cdff98649d8a6839064d8400dd8c6a2c14b889fc3750bc169ee3bc8e9.pdf |

image_load_side_load_dbghelp

Title : Potential DLL Sideloading Of DBGHELP.DLL

Rule id : 6414b5cd-b19d-447e-bb5e-9f03940b5784

| Url | Pdf |
| --- | --- |
| https://hijacklibs.net/ | pdf/59e92a6cdff98649d8a6839064d8400dd8c6a2c14b889fc3750bc169ee3bc8e9.pdf |

image_load_side_load_dbgmodel

Title : Potential DLL Sideloading Of DbgModel.DLL

Rule id : fef394cd-f44d-4040-9b18-95d92fe278c0

| Url | Pdf |
| --- | --- |
| https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html | pdf/bbbc571a9fc725d0d331628d9c41816020d5c42012c23d43bc5039bb86f82d40.pdf |

image_load_side_load_eacore

Title : Potential EACore.DLL Sideloading

Rule id : edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5

| Url | Pdf |
| --- | --- |
| https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/ | pdf/b876c49c8de9f1b48434582ecd35d217f1e569d05b1ec4fe5d1934e74c44f65e.pdf |

image_load_side_load_edputil

Title : Potential Edputil.DLL Sideloading

Rule id : e4903324-1a10-4ed3-981b-f6fe3be3a2c2

| Url | Pdf |
| --- | --- |
| https://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/ | pdf/3bcb2aa547d13737ece0620b5474e36d684361ccc0c8f439ce696eb29b25f162.pdf |

image_load_side_load_from_non_system_location

Title : Potential System DLL Sideloading From Non System Locations

Rule id : 4fc0deee-0057-4998-ab31-d24e46e0aba4

| Url | Pdf |
| --- | --- |
| https://hijacklibs.net/ | pdf/59e92a6cdff98649d8a6839064d8400dd8c6a2c14b889fc3750bc169ee3bc8e9.pdf |
| https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ | pdf/c8bf2e96ed98c944fac7641844fc373d1c600ca70d92e15f787843fa8b51803a.pdf |
| https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ | pdf/735597318502c4a2b6debe84fb5a9b2e7241da1ae1a97309964cdc5369557f64.pdf |
| https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md | pdf/d2755757f2abda53048850d87798429654e5a9f30cab5b62344c6e82624332f9.pdf |
| https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ | pdf/fc04ff9ed1fba3261e367dee694b02184547782a67bea833290f1c9192dd211c.pdf |

image_load_side_load_goopdate

Title : Potential Goopdate.DLL Sideloading

Rule id : b6188d2f-b3c4-4d2c-a17d-9706e0851af0

| Url | Pdf |
| --- | --- |

image_load_side_load_gup_libcurl

Title : Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE

Rule id : e49b5745-1064-4ac1-9a2e-f687bc2dd37e

| Url | Pdf |
| --- | --- |
| https://labs.withsecure.com/publications/fin7-target-veeam-servers | pdf/bcf09078cb6247a3ea928d485651fa6eb873bd5ff379fe4aa907c61f6f3096aa.pdf |

image_load_side_load_iviewers

Title : Potential Iviewers.DLL Sideloading

Rule id : 4c21b805-4dd7-469f-b47d-7383a8fcb437

| Url | Pdf |
| --- | --- |
| https://www.secureworks.com/research/shadowpad-malware-analysis | pdf/3449cf28b1d05971d6ca3dfd88478913d4508a445fb17fed346ac4c7c20cc1f2.pdf |

image_load_side_load_jsschhlp

Title : Potential DLL Sideloading Via JsSchHlp

Rule id : 68654bf0-4412-43d5-bfe8-5eaa393cd939

| Url | Pdf |
| --- | --- |
| https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/ | pdf/ecef0504771511cb0ae31e2813742961c059b3224b39793104ebc627068e35d4.pdf |
| http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp | pdf/9156bb469da3f9b03fe940d25d88b202e68137f5ed7121ddb37ffa5ce59bb383.pdf |

image_load_side_load_keyscrambler

Title : Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE

Rule id : d2451be2-b582-4e15-8701-4196ac180260

| Url | Pdf |
| --- | --- |
| https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html | pdf/283dce07d0cab28747ec038197beee2a73793017c2fe0ed61f2fee534af13218.pdf |
| https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/ | pdf/0e56c10fe00b3b8d3aa5824707eef342356a5147974d5d3bf93c392949f13638.pdf |
| https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ | pdf/571f0d636553a0c356c1282b57f88a17329affcbde29eae7e68900f6b14e4449.pdf |
| https://twitter.com/Max_Mal_/status/1775222576639291859 | pdf/f9504214c8f05a3d469ae18d451ff612c94945d2dce41251b08f4bb8a20a2484.pdf |
| https://twitter.com/DTCERT/status/1712785426895839339 | pdf/ded4e694504a02028bc882ef8f19c8ad61c7fd2643c3877e118246ab6e4fada8.pdf |

image_load_side_load_libvlc

Title : Potential Libvlc.DLL Sideloading

Rule id : bf9808c4-d24f-44a2-8398-b65227d406b6

| Url | Pdf |
| --- | --- |
| https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html | pdf/1aa7a653473904ab467184c5151e0da7b8aa404f71aacefe4844c51a392c18a3.pdf |
| https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html | pdf/47a5a23a03a59422affd94119fb0819e71d793c743071688642da6683abfbcea.pdf |

image_load_side_load_mfdetours

Title : Potential Mfdetours.DLL Sideloading

Rule id : d2605a99-2218-4894-8fd3-2afb7946514d

| Url | Pdf |
| --- | --- |

image_load_side_load_mfdetours_unsigned

Title : Unsigned Mfdetours.DLL Sideloading

Rule id : 948a0953-f287-4806-bbcb-3b2e396df89f

| Url | Pdf |
| --- | --- |

image_load_side_load_mpsvc

Title : Potential DLL Sideloading Of MpSvc.DLL

Rule id : 5ba243e5-8165-4cf7-8c69-e1d3669654c1

| Url | Pdf |
| --- | --- |
| https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html | pdf/aea4186e444c63358e595484196b30efcf4bc5d2b61822d7fdb64952100e258c.pdf |

image_load_side_load_mscorsvc

Title : Potential DLL Sideloading Of MsCorSvc.DLL

Rule id : cdb15e19-c2d0-432a-928e-e49c8c60dcf2

| Url | Pdf |
| --- | --- |
| https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html | pdf/c4700d776937fe99a01d1c35debb0fee2bc17f3c7f8ef7173b9f92e7be7d510d.pdf |

image_load_side_load_non_existent_dlls

Title : Potential DLL Sideloading Of Non-Existent DLLs From System Folders

Rule id : 6b98b92b-4f00-4f62-b4fe-4d1920215771

| Url | Pdf |
| --- | --- |
| https://decoded.avast.io/martinchlumecky/png-steganography/ | pdf/0eca9b786ba1979b075adeb7f9557e8b91da314dc9e07fe4ecc249906e2a4ab4.pdf |
| https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 | pdf/028aed9f1b76d9c255d6bdb5eb04047582a2929cae3a1b907c0ddb81f24214e6.pdf |
| https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/ | pdf/86db2068d2c1ba0a473ed64434b06e96b0169d1abd9c58dacb50172b6d09b83b.pdf |
| https://github.com/Wh04m1001/SysmonEoP | pdf/9b62ea7dfb5f2da61e756244a0d4936db89fa1e3c35799a215d5898260d63f4a.pdf |
| https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ | pdf/fcbd01621f2009b8e49a4135d1cf8b61296fc74e4dae523083e64ca389cfc379.pdf |
| http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html | pdf/0e140088b37abf02453d66cb86f5c73ee4b36894777ed06fe70a66f7a78d7fe8.pdf |

image_load_side_load_office_dlls

Title : Microsoft Office DLL Sideload

Rule id : 829a3bdf-34da-4051-9cf4-8ed221a8ae4f

| Url | Pdf |
| --- | --- |
| https://hijacklibs.net/ | pdf/59e92a6cdff98649d8a6839064d8400dd8c6a2c14b889fc3750bc169ee3bc8e9.pdf |

image_load_side_load_python

Title : Potential Python DLL SideLoading

Rule id : d36f7c12-14a3-4d48-b6b8-774b9c66f44d

| Url | Pdf |
| --- | --- |
| https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/ | pdf/1ac9352e1bbf1661afd03932d24b08884a2d3dc7e5dce46e8c8fd1098f05e79c.pdf |
| https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/ | pdf/fd4f35db6a3a0095898214fbfdbf37e933534b26b6057791375681569868dab8.pdf |
| https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python | pdf/a6a91c9755cd6f0599f110b3b587189dbf302f9315e595fc78d2f2b1f86ff6b1.pdf |

image_load_side_load_rcdll

Title : Potential Rcdll.DLL Sideloading

Rule id : 6e78b74f-c762-4800-82ad-f66787f10c8a

Url Pdf
https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html pdf/64517e96c7bf7802e1c7cbc95b7317f2e4c139fd71ef5fd6acb6e6617f471095.pdf

image_load_side_load_rjvplatform_default_location

Title : Potential RjvPlatform.DLL Sideloading From Default Location

Rule id : 259dda31-b7a3-444f-b7d8-17f96e8a7d0d

Url Pdf
https://twitter.com/0gtweet/status/1666716511988330499 pdf/8a572b2e4607ab5100e90603ebafa6825e75b5311705578c70b1d54fcc8a5b45.pdf

image_load_side_load_rjvplatform_non_default_location

Title : Potential RjvPlatform.DLL Sideloading From Non-Default Location

Rule id : 0e0bc253-07ed-43f1-816d-e1b220fe8971

Url Pdf
https://twitter.com/0gtweet/status/1666716511988330499 pdf/8a572b2e4607ab5100e90603ebafa6825e75b5311705578c70b1d54fcc8a5b45.pdf

image_load_side_load_robform

Title : Potential RoboForm.DLL Sideloading

Rule id : f64c9b2d-b0ad-481d-9d03-7fc75020892a

Url Pdf
https://twitter.com/StopMalvertisin/status/1648604148848549888 pdf/e320c6015c3a65bc66f276093a33d849236cb8c412d7975db9edee1a37ef1f3a.pdf
https://twitter.com/t3ft3lb/status/1656194831830401024 pdf/29097fc10b4878d71ff25419ab605ebd418789360f00ba16c3057ca5641776da.pdf
https://www.roboform.com/ pdf/fafacd9b24577436f38c8df20d4cf2ce56e166dcd2da2af03de2480e37048146.pdf

image_load_side_load_shell_chrome_api

Title : DLL Sideloading Of ShellChromeAPI.DLL

Rule id : ee4c5d06-3abc-48cc-8885-77f1c20f4451

Url Pdf
https://mobile.twitter.com/0gtweet/status/1564131230941122561 pdf/fa1cb26432ab8e8d4682638af9e9bc159a1c2fd2859a256fcfd4003d0531ee00.pdf
https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html pdf/3779cb7bc3a54912aec541721a0dc0a1b8c7581d4b50e33895c5aadd96c7da2d.pdf

image_load_side_load_shelldispatch

Title : Potential ShellDispatch.DLL Sideloading

Rule id : 844f8eb2-610b-42c8-89a4-47596e089663

Url Pdf
https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ pdf/eeae91e280c886ec952e542b1babb54442423ab12a34176aa0a9b8710353d15e.pdf

image_load_side_load_smadhook

Title : Potential SmadHook.DLL Sideloading

Rule id : 24b6cf51-6122-469e-861a-22974e9c1e5b

Url Pdf
https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/ pdf/5fc17bc508c6e2f74c70516d9fe99462dcaedd7e289633fb6f0b53bfeb6083e3.pdf
https://www.qurium.org/alerts/targeted-malware-against-crph/ pdf/73a5b0b0ae60c896968300cb891e7b3cc9089c2356684408578779d6dda495eb.pdf

image_load_side_load_solidpdfcreator

Title : Potential SolidPDFCreator.DLL Sideloading

Rule id : a2edbce1-95c8-4291-8676-0d45146862b3

Url Pdf
https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/ pdf/4285ca82bd9a2329a0263d192c99b20add28e934beca8893df430d6a0c6e560e.pdf

image_load_side_load_third_party

Title : Third Party Software DLL Sideloading

Rule id : f9df325d-d7bc-4a32-8a1a-2cc61dcefc63

Url Pdf
https://hijacklibs.net/ pdf/59e92a6cdff98649d8a6839064d8400dd8c6a2c14b889fc3750bc169ee3bc8e9.pdf

image_load_side_load_ualapi

Title : Fax Service DLL Search Order Hijack

Rule id : 828af599-4c53-4ed2-ba4a-a9f835c434ea

Url Pdf
https://windows-internals.com/faxing-your-way-to-system/ pdf/1728f5e28e4b48318e40a4ae318e5136a4aaf003a0337b5eb2b0a7b37e4bcbc5.pdf

image_load_side_load_vivaldi_elf

Title : Potential Vivaldi_elf.DLL Sideloading

Rule id : 2092cacb-d77b-4f98-ab0d-32b32f99a054

Url Pdf
https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/ pdf/b876c49c8de9f1b48434582ecd35d217f1e569d05b1ec4fe5d1934e74c44f65e.pdf

image_load_side_load_vmguestlib

Title : VMGuestLib DLL Sideload

Rule id : 70e8e9b4-6a93-4cb7-8cde-da69502e7aff

Url Pdf
https://decoded.avast.io/martinchlumecky/png-steganography/ pdf/0eca9b786ba1979b075adeb7f9557e8b91da314dc9e07fe4ecc249906e2a4ab4.pdf

image_load_side_load_vmmap_dbghelp_signed

Title : VMMap Signed Dbghelp.DLL Potential Sideloading

Rule id : 98ffaed4-aec2-4e04-9b07-31492fe68b3d

Url Pdf
https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766 pdf/239311bbc9939777c1f75507b3b44f7d2219128002addfb43b3d6186bdd63f4c.pdf

image_load_side_load_vmmap_dbghelp_unsigned

Title : VMMap Unsigned Dbghelp.DLL Potential Sideloading

Rule id : 273a8dd8-3742-4302-bcc7-7df5a80fe425

Url Pdf
https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766 pdf/239311bbc9939777c1f75507b3b44f7d2219128002addfb43b3d6186bdd63f4c.pdf

image_load_side_load_vmware_xfer

Title : Potential DLL Sideloading Via VMware Xfer

Rule id : 9313dc13-d04c-46d8-af4a-a930cc55d93b

Url Pdf
https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/ pdf/a262549feae557281df9d76749ecd69e16fe7fddf44164b62242602373c72ea7.pdf

image_load_side_load_waveedit

Title : Potential Waveedit.DLL Sideloading

Rule id : 71b31e99-9ad0-47d4-aeb5-c0ca3928eeeb

Url Pdf
https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html pdf/fda1a05909c00f5a7acde2d7a4efdb336956c1e8cdc6de16ad3b449230406cf8.pdf

image_load_side_load_wazuh

Title : Potential Wazuh Security Platform DLL Sideloading

Rule id : db77ce78-7e28-4188-9337-cf30e2b3ba9f

Url Pdf
https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html pdf/64517e96c7bf7802e1c7cbc95b7317f2e4c139fd71ef5fd6acb6e6617f471095.pdf

image_load_side_load_windows_defender

Title : Potential Mpclient.DLL Sideloading

Rule id : 418dc89a-9808-4b87-b1d7-e5ae0cb6effc

Url Pdf
https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool pdf/430c6805fab5aa1d2c5f512b9323c16710461d942a7132cb1ad375acaf0df11c.pdf

image_load_side_load_wwlib

Title : Potential WWlib.DLL Sideloading

Rule id : e2e01011-5910-4267-9c3b-4149ed5479cf

Url Pdf
https://twitter.com/WhichbufferArda/status/1658829954182774784 pdf/d582ad21a3a5548ac43d5504964251c9c3a487f9cee5e47dad797ce93fc48c9a.pdf
https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/ pdf/09b0242bfa0b03dbb5c631c5cb292e31bdf1c291dd025dbab8a407252a3c2061.pdf
https://securelist.com/apt-luminousmoth/103332/ pdf/653d7e7a21fa9c86a17f2e494aff9fbf4029df223dd83ef028830b39613e7937.pdf

image_load_spoolsv_dll_load

Title : Windows Spooler Service Suspicious Binary Load

Rule id : 02fb90de-c321-4e63-a6b9-25f4b03dfd14

Url Pdf
https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/ pdf/838a643a0de1367882e6b2356215a35911a7ff98a2538a5ad6be475e77a69f46.pdf
https://github.com/ly4k/SpoolFool pdf/9d8568c4cd64133563b6c859605901b6a957b3bd20ff8f5dcbe0b04c23a2491d.pdf

image_load_susp_clickonce_unsigned_module_loaded

Title : Unsigned Module Loaded by ClickOnce Application

Rule id : 060d5ad4-3153-47bb-8382-43e5e29eda92

Url Pdf
https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 pdf/86350fb5fe7d2b96ddbdf6b4e6178fe89690b0c8e79dfd8621bb3ee7b8815622.pdf

image_load_susp_dll_load_system_process

Title : DLL Load By System Process From Suspicious Locations

Rule id : 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c

Url Pdf
https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea) pdf/09df39f29fd3edc7bafa28782ba0994c38ce007829107b7da371507068e6cc5b.pdf

image_load_susp_python_image_load

Title : Python Image Load By Non-Python Process

Rule id : cbb56d62-4060-40f7-9466-d8aaf3123f83

Url Pdf
https://www.py2exe.org/ pdf/639a1f5afe3e6891393c0c992fefd75975025f4a0797ed3733c7f675bd6b76ac.pdf
https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/ pdf/cbddd7b0605ded27fe239b2805d76ced57c11e58de9f8a2ff61a6e983d24423e.pdf

image_load_susp_script_dotnet_clr_dll_load

Title : DotNet CLR DLL Loaded By Scripting Applications

Rule id : 4508a70e-97ef-4300-b62b-ff27992990ea

Url Pdf
https://github.com/tyranid/DotNetToJScript pdf/2e8d2a127b73a9b8a1d7d6730107d604eae50ad6b037ad2a36d65d909daa7724.pdf
https://thewover.github.io/Introducing-Donut/ pdf/fb84450cf1d014ca54ed45c42306a62ef656c8031db504f02c997d36ffb80c12.pdf
https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html pdf/be8630fab39fbc38fb11e53123a857e3dfcbea572a7c225ff7e4b6d85b6a2b38.pdf
https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008 pdf/bc0b172f44c0cefe4d4efa2dbc8aca4779ff3b1d52465b8756a1bcca2f56f553.pdf

image_load_susp_unsigned_dll

Title : Unsigned DLL Loaded by Windows Utility

Rule id : b5de0c9a-6f19-43e0-af4e-55ad01f550af

Url Pdf
https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion pdf/8b16927735558b36a755e4cbd2198e672bed61590f2bd1ada691f8694ff57a69.pdf
https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql pdf/a9fdbbc375fb740f0976055932e769b12f8305d802fea2508ee2f02a1201c04b.pdf
https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true pdf/dcd850f2b6f3a266974b7bb1e674044041c4e8ba4d37aa233225672ab7e49b9a.pdf

image_load_thor_unsigned_execution

Title : Suspicious Unsigned Thor Scanner Execution

Rule id : ea5c131b-380d-49f9-aeb3-920694da4d4b

Url Pdf

image_load_uac_bypass_iscsicpl

Title : UAC Bypass Using Iscsicpl - ImageLoad

Rule id : 9ed5959a-c43c-4c59-84e3-d28628429456

Url Pdf
https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC pdf/6995afbd75a8910be9860234563d2467929cc6831874ce334a1058d4998056e4.pdf
https://twitter.com/wdormann/status/1547583317410607110 pdf/7c8d22baca44d2efc4d45734c68a23878eccce889f981324a2a1afea31bd9b6d.pdf

image_load_uac_bypass_via_dism

Title : UAC Bypass With Fake DLL

Rule id : a5ea83a7-05a5-44c1-be2e-addccbbd8c03

Url Pdf
https://steemit.com/utopian-io/@ah101/uac-bypassing-utility pdf/5e304462cf032311c5d042ada497c672585bac5a0d76cfc73bc5228b99beeb18.pdf

image_load_usp_svchost_clfsw32

Title : APT PRIVATELOG Image Load Pattern

Rule id : 33a2d1dd-f3b0-40bd-8baf-7974468927cc

Url Pdf
https://web.archive.org/web/20210901184449/https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html pdf/7640369a4fc353f55208f3b1e859a241a1028162fde702c93015d03bcb3995b6.pdf

image_load_wmi_module_load_by_uncommon_process

Title : WMI Module Loaded By Uncommon Process

Rule id : 671bb7e3-a020-4824-a00e-2ee5b55f385e

Url Pdf
https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html pdf/ae537512f8e3d4a6db552b4887532f7a36009e1628c3df69600a726cf8cb8d12.pdf

image_load_wmi_persistence_commandline_event_consumer

Title : WMI Persistence - Command Line Event Consumer

Rule id : 05936ce2-ee05-4dae-9d03-9a391cf2d2c6

Url Pdf
https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ pdf/004ad9fb23567ac10f1e6fb8d05c093085a2265e916adb38e141b21aab7a1f43.pdf

image_load_wmic_remote_xsl_scripting_dlls

Title : WMIC Loading Scripting Libraries

Rule id : 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32

Url Pdf
https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html pdf/046d6de35f563810bf490769b627134ca1cd94fccf70eda970bac851f435f717.pdf
https://twitter.com/dez_/status/986614411711442944 pdf/9be97093973c091aadc7c4520c71374f8d940f046e47a118ba523b50357786cb.pdf
https://lolbas-project.github.io/lolbas/Binaries/Wmic/ pdf/885c7d3d0b37580ae65adca7dbe69c5382fe89353d472246def5f74be416a13f.pdf

image_load_wmiprvse_wbemcomn_dll_hijack

Title : Wmiprvse Wbemcomn DLL Hijack

Rule id : 7707a579-e0d8-4886-a853-ce47e4575aaa

Url Pdf
https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html pdf/48fa2f0c27fb84efdab4a9f87c0c08dc3bbcbeed8ccb2e3cb0c99392188266c3.pdf

image_load_wsman_provider_image_load

Title : Suspicious WSMAN Provider Image Loads

Rule id : ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94

Url Pdf
https://twitter.com/chadtilbury/status/1275851297770610688 pdf/8a42878660ef70895e29e9c9eb3dbb664b80c8c4aa9fbe4eb62c43a5c5319750.pdf
https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/ pdf/e7651788e580b7adcef52467d15bada10edcfc47a87be4dabbbbaa9e9aab3d73.pdf
https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture pdf/705380443b3a204b87a6929dea108420489d0613adff665779f2bdf99adeb3e4.pdf
https://github.com/bohops/WSMan-WinRM pdf/757af49b1f0c156977333788b1d9cca13e82981504b0a13f0039351610c7874c.pdf