DLL Sideloading Via ExtExport.EXE

Rule Info

Name: DLL Sideloading Via ExtExport.EXE
Author: Nasreddine Bencherchali (Nextron Systems)
Description: Detects suspicious DLL sideloading activity via ExtExport. ExtExport exports bookmarks from the Firefox and Qihoo 360 browsers; to do so, it attempts to load 3 specific DLLs via the "LoadLibraryExW" API. An attacker can have this binary load any DLL carrying one of those names by placing it in an arbitrary directory from which the binary is run.
Reference: Internal Research
Date: 2024-06-06 00:00:00
Modified: None
Id: b3a74d7d-9e8b-4c94-b2c8-bdf1a17d7e02
Tags: attack.defense_evasion attack.privilege_escalation attack.t1574.001 attack.t1574.002
Type: Nextron Sigma feed only (private)

Rule History