Potential DLL Sideloading Using OleView.EXE

Rule Info

Name
Potential DLL Sideloading Using OleView.EXE
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the use of the 'OleView.EXE' binary for sideloading DLLs. OleView uses the LoadLibraryW(ExW) function to load several DLLs necessary for its operation. Because it does not specify full paths, the default Windows DLL load order is used. Attackers can exploit this by copying the OleView binary to any location and having it load malicious DLLs with similar names to those expected by OleView.
Date
2024-08-06 00:00:00
Modified
None
Id
aa37653d-c878-4f29-8cd6-98dd076ccef9
Tags
attack.defense-evasion attack.privilege-escalation attack.t1574.001 attack.t1574.002
Type
Nextron Sigma feed only (private)

Rule History