
Summary
This detection rule identifies DLL sideloading through the Windows executables SQLDumper.exe and SQLWriter.exe. Both legitimately load vcruntime140.dll, so an adversary who drops a malicious copy of that DLL where the executable resolves it first can execute arbitrary code inside a trusted process. The rule uses Sysmon EventCode 7 (Image Loaded) to catch either executable loading vcruntime140.dll from a path outside the System32 directory. Filtering on the loading process name, the DLL name and the load path restricts results to cases that suggest malicious intent and reduces false positives from legitimate loads. Successful sideloading gives the attacker code execution inside a trusted binary, which can be used for persistence and defense evasion.
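The detection logic above, run over a handful of constructed Sysmon EventCode 7 records, as an added example that is not part of the original page or the detection's own search. Field names (`EventCode`, `Image`, `ImageLoaded`, `Signed`) follow Sysmon's naming; the sample events, the `sideload_candidates` function and the System32 path constant are assumptions for illustration. Paths are normalized before comparison so that case differences, forward slashes and `..` segments cannot make a load from outside System32 look like one from inside it.

```python
import ntpath

# Sysmon naming: Image is the loading process, ImageLoaded is the DLL path.
TARGET_PROCESSES = {"sqldumper.exe", "sqlwriter.exe"}
TARGET_DLL = "vcruntime140.dll"
TRUSTED_DIR = r"c:\windows\system32"   # assumed default Windows install path


def normalize(path: str) -> str:
    """Lower-case, unify separators and collapse '.'/'..' using Windows path rules."""
    return ntpath.normcase(ntpath.normpath(path))


def is_sideload_candidate(event: dict) -> bool:
    """True when SQLDumper.exe/SQLWriter.exe loads vcruntime140.dll from outside System32."""
    if int(event.get("EventCode", 0)) != 7:          # only Image Loaded events
        return False
    process = ntpath.basename(normalize(event.get("Image", "")))
    if process not in TARGET_PROCESSES:
        return False
    dll_path = normalize(event.get("ImageLoaded", ""))
    if ntpath.basename(dll_path) != TARGET_DLL:
        return False
    # A load from System32 itself is the legitimate case; anything else is a candidate.
    return ntpath.dirname(dll_path) != TRUSTED_DIR


def sideload_candidates(events):
    """Return the triage-relevant fields of every event the rule would alert on."""
    hits = []
    for ev in events:
        if is_sideload_candidate(ev):
            hits.append({
                "Computer": ev.get("Computer"),
                "Image": ev.get("Image"),
                "ImageLoaded": ev.get("ImageLoaded"),
                "Signed": ev.get("Signed", "unknown"),  # unsigned copy raises confidence
            })
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventCode": 7, "Computer": "SQL01", "Image": r"C:\Program Files\Microsoft SQL Server\150\Shared\SQLDumper.exe",
     "ImageLoaded": r"C:\Windows\System32\vcruntime140.dll", "Signed": "true"},
    {"EventCode": 7, "Computer": "SQL01", "Image": r"C:\Program Files\Microsoft SQL Server\90\Shared\SQLWriter.exe",
     "ImageLoaded": "C:/Windows/System32/vcruntime140.dll", "Signed": "true"},
    {"EventCode": 7, "Computer": "WS07", "Image": r"C:\Users\Public\SQLWriter.exe",
     "ImageLoaded": r"C:\Users\Public\vcruntime140.dll", "Signed": "false"},
    {"EventCode": 7, "Computer": "WS07", "Image": r"C:\Windows\Temp\sqldumper.exe",
     "ImageLoaded": r"C:\Windows\System32\..\Temp\vcruntime140.dll", "Signed": "false"},
    {"EventCode": 7, "Computer": "WS07", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\Public\vcruntime140.dll", "Signed": "false"},
    {"EventCode": 7, "Computer": "SQL01", "Image": r"C:\Program Files\Microsoft SQL Server\150\Shared\SQLDumper.exe",
     "ImageLoaded": r"C:\Users\Public\ucrtbase.dll", "Signed": "false"},
    {"EventCode": 1, "Computer": "SQL01", "Image": r"C:\Program Files\Microsoft SQL Server\150\Shared\SQLDumper.exe"},
]

if __name__ == "__main__":
    for hit in sideload_candidates(SAMPLE_EVENTS):
        print(hit)
```

Of the seven constructed events only two are flagged: the copy of vcruntime140.dll under C:\Users\Public, and the one reached through a `..` segment that a naive substring match on `\System32\` would have accepted. The `Signed` value is carried into the output because a vcruntime140.dll that is not Microsoft-signed is a strong triage signal, while the rule itself deliberately does not depend on it.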
Categories
- Windows
- Endpoint
Data Sources
- Pod
- Process
- Sensor Health
ATT&CK Techniques
- T1574.002
Created: 2024-11-13