Potential SmadHook.DLL Sideloading

Original Source: [Sigma source]
Title: Potential SmadHook.DLL Sideloading
Status: test
Description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
References:
  - https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/
  - https://www.qurium.org/alerts/targeted-malware-against-crph/
Author: X__Junior (Nextron Systems)
Date: 2023-06-01
Modified: None
Tags:
  - attack.defense-evasion
  - attack.privilege-escalation
  - attack.t1574.001
Logsource:
  category: image_load
  product: windows
Detection:
  selection:
    ImageLoaded|endswith:
      - '\SmadHook32c.dll'
      - '\SmadHook64c.dll'

  filter_main_legit_path:
    Image:
      - 'C:\Program Files (x86)\SMADAV\SmadavProtect32.exe'
      - 'C:\Program Files (x86)\SMADAV\SmadavProtect64.exe'
      - 'C:\Program Files\SMADAV\SmadavProtect32.exe'
      - 'C:\Program Files\SMADAV\SmadavProtect64.exe'

    ImageLoaded|startswith:
      - 'C:\Program Files (x86)\SMADAV\'
      - 'C:\Program Files\SMADAV\'

  condition: selection and not 1 of filter_main_*
Falsepositives:
  - Unlikely
Level: high
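The rule's logic is worth tracing by hand, because the filter is stricter than it looks: within a single Sigma selection map every key must match (the keys are ANDed, the list values under a key are ORed), so an image_load event is suppressed only when the loading process is one of the four SmadavProtect paths AND the DLL itself sits under the SmadAV install directory. A copy of the signed SmadavProtect binary running from a user-writable folder, or any other process resolving a file named SmadHook32c.dll/SmadHook64c.dll beside itself, still fires. The following Python is an added example, not part of the Sigma rule or the Sigma project: it re-implements the condition over a handful of constructed image_load events (the `Image` and `ImageLoaded` field names match the rule; the event dicts and the `evaluate` helper are this example's own), using case-insensitive comparison because Sigma string modifiers and Windows paths are case-insensitive.

```python
"""Evaluate the 'Potential SmadHook.DLL Sideloading' Sigma condition over image_load events.

Added example (not the rule's own code). Events are constructed dicts that stand in for
Sysmon Event ID 7 / Sigma category image_load records with the two fields the rule uses:
'Image' (the process loading the DLL) and 'ImageLoaded' (full path of the loaded DLL).
"""

# Values copied from the rule above.
SUSPECT_DLL_SUFFIXES = ("\\SmadHook32c.dll", "\\SmadHook64c.dll")
LEGIT_IMAGES = (
    "C:\\Program Files (x86)\\SMADAV\\SmadavProtect32.exe",
    "C:\\Program Files (x86)\\SMADAV\\SmadavProtect64.exe",
    "C:\\Program Files\\SMADAV\\SmadavProtect32.exe",
    "C:\\Program Files\\SMADAV\\SmadavProtect64.exe",
)
LEGIT_DIR_PREFIXES = ("C:\\Program Files (x86)\\SMADAV\\", "C:\\Program Files\\SMADAV\\")


def _norm(path: str) -> str:
    # Sigma string matching is case-insensitive, as are Windows paths.
    return path.lower()


def matches_selection(event: dict) -> bool:
    """selection: ImageLoaded|endswith one of the SmadHook DLL names (list values are ORed)."""
    loaded = _norm(event.get("ImageLoaded", ""))
    return any(loaded.endswith(_norm(s)) for s in SUSPECT_DLL_SUFFIXES)


def matches_legit_path_filter(event: dict) -> bool:
    """filter_main_legit_path: both keys of the map must match (keys are ANDed)."""
    image = _norm(event.get("Image", ""))
    loaded = _norm(event.get("ImageLoaded", ""))
    image_ok = any(image == _norm(p) for p in LEGIT_IMAGES)
    dir_ok = any(loaded.startswith(_norm(p)) for p in LEGIT_DIR_PREFIXES)
    return image_ok and dir_ok


def rule_fires(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_* (only one filter exists here)."""
    return matches_selection(event) and not matches_legit_path_filter(event)


def evaluate(events) -> list:
    """Return the 'Image' of every event that triggers the rule, in input order."""
    return [e["Image"] for e in events if rule_fires(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # 0: SmadAV's own process loading its DLL from the install directory -> suppressed
        "Image": "C:\\Program Files\\SMADAV\\SmadavProtect64.exe",
        "ImageLoaded": "C:\\Program Files\\SMADAV\\SmadHook64c.dll",
    },
    {  # 1: an unrelated binary resolving a same-named DLL from its own folder -> fires
        "Image": "C:\\Users\\Public\\Downloads\\update.exe",
        "ImageLoaded": "C:\\Users\\Public\\Downloads\\SmadHook64c.dll",
    },
    {  # 2: the SmadAV executable copied outside its install path -> fires (Image not in list)
        "Image": "C:\\ProgramData\\SMADAV\\SmadavProtect64.exe",
        "ImageLoaded": "C:\\ProgramData\\SMADAV\\SmadHook64c.dll",
    },
    {  # 3: ordinary DLL load, selection does not match -> no alert
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
    },
    {  # 4: legitimate load differing only in letter case -> suppressed (case-insensitive)
        "Image": "c:\\program files (x86)\\smadav\\smadavprotect32.exe",
        "ImageLoaded": "c:\\program files (x86)\\smadav\\smadhook32c.dll",
    },
]

if __name__ == "__main__":
    for image in evaluate(SAMPLE_EVENTS):
        print("ALERT Potential SmadHook.DLL Sideloading:", image)
```

When porting the rule to a SIEM by hand, the check to preserve is the AND between `Image` and `ImageLoaded|startswith` inside the filter; writing it as two independent exclusions would silence event 2 above, which is exactly the copied-signed-binary pattern the references describe.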