
Create signature for DLL sideloading

Open kevross33 opened this issue 2 months ago • 0 comments

Initial signature for one behaviour that appears in some sideloading cases. For this to trigger, either zip_compound needs to be used, triggering the correct file that then sideloads the DLL, or it must happen within the chain naturally (i.e. a loader/malicious script/doc etc. pulls down the elements needed itself and sideloads it).

Some other sigs will need to be investigated for anomalies on this, which I am looking into, but this should detect some cases.

APT28 sideload sample (dad1a8869c950c2d1d322c8aed3757d3988ef4f06ba230b329c8d510d8d9a027) [attached image]

kevross33 Sep 18 '25 15:09