Adversaries may sideload malicious DLLs associated with antivirus software to evade detection and maintain persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential evasion tactics and prevent advanced persistent threats.
Detection Rule
title: Potential Antivirus Software DLL Sideloading
id: 552b6b65-df37-4d3e-a258-f2fc4771ae54
status: test
description: Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.
references:
    - https://hijacklibs.net/ # List of DLLs that could be sideloaded (search there for the DLLs named in this rule)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2025-10-07
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    # Bitdefender
    selection_bitdefender:
        ImageLoaded|endswith: '\log.dll'
    filter_log_dll_bitdefender:
        ImageLoaded|startswith:
            - 'C:\Program Files\Bitdefender Antivirus Free\'
            - 'C:\Program Files (x86)\Bitdefender Antivirus Free\'
    filter_log_dll_dell_sar:
        Image: 'C:\Program Files\Dell\SARemediation\audit\TelemetryUtility.exe'
        ImageLoaded:
            - 'C:\Program Files\Dell\SARemediation\plugin\log.dll'
            - 'C:\Program Files\Dell\SARemediation\audit\log.dll'
    filter_log_dll_canon:
        ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\'
    filter_log_dll_avast:
        ImageLoaded:
            - 'C:\Program Files\AVAST Software\Avast\log.dll'
            - 'C:\Program Files (x86)\AVAST Software\Avast\log.dll'
    filter_log_dll_avg:
        ImageLoaded:
            - 'C:\Program Files\AVG\Antivirus\log.dll'
            - 'C:\Program Files (x86)\AVG\Antivirus\log.dll'
    # F-Secure
    selection_fsecure:
        ImageLoaded|endswith: '\qrt.dll'
    filter_fsecure:
        ImageLoaded|startswith:
            - 'C:\Program Files\F-Secure\Anti-Virus\'
            - 'C:\Program Files (x86)\F-Secure\Anti-Virus\'
    # McAfee
    selection_mcafee:
        ImageLoaded|endswith:
            - '\ashldres.dll'
            - '\lockdown.dll'
            - '\vsodscpl.dll'
    filter_mcafee:
        ImageLoaded|startswith:
            - 'C:\Program Files\McAfee\'
            - 'C:\Program Files (x86)\McAfee\'
    # CyberArk
    selection_cyberark:
        ImageLoaded|endswith: '\vftrace.dll'
    filter_cyberark:
        ImageLoaded|startswith:
            - 'C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\'
            - 'C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\'
    # Avast
    selection_avast:
        ImageLoaded|endswith: '\wsc.dll'
    filter_wsc_dll_avast:
        ImageLoaded|startswith:
            - 'C:\program Files\AVAST Software\Avast\'
            - 'C:\program Files (x86)\AVAST Software\Avast\'
    filter_wsc_dll_avg:
        ImageLoaded|startswith:
            - 'C:\Program Files\AVG\Antivirus\'
            - 'C:\Program Files (x86)\AVG\Antivirus\'
    # ESET
    selection_eset_deslock:
        ImageLoaded|endswith: '\DLPPREM32.dll'
    filter_eset_deslock:
        ImageLoaded|startswith:
            - 'C:\program Files\ESET'
            - 'C:\program Files (x86)\ESET'
    # Trend Micro Titanium
    selection_titanium:
        ImageLoaded|endswith: '\tmdbglog.dll'
    filter_titanium:
        ImageLoaded|startswith:
            - 'C:\program Files\Trend Micro\Titanium\'
            - 'C:\program Files (x86)\Trend Micro\Titanium\'
    condition: (selection_bitdefender and not 1 of filter_log_dll_*)
        or (selection_fsecure and not filter_fsecure)
        or (selection_mcafee and not filter_mcafee)
        or (selection_cyberark and not filter_cyberark)
        or (selection_avast and not 1 of filter_wsc_dll_*)
        or (selection_titanium and not filter_titanium)
        or (selection_eset_deslock and not filter_eset_deslock)
falsepositives:
    - Applications that load the same DLLs mentioned in the detection section. Investigate them and filter them out if they cause a lot of FPs.
    - The Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file.
    - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file.
level: medium
DeviceImageLoadEvents
| where (FolderPath endswith "\\log.dll"
        and not(
            (FolderPath startswith "C:\\Program Files\\Bitdefender Antivirus Free\\"
             or FolderPath startswith "C:\\Program Files (x86)\\Bitdefender Antivirus Free\\")
            or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Dell\\SARemediation\\audit\\TelemetryUtility.exe"
                and FolderPath in~ ("C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll", "C:\\Program Files\\Dell\\SARemediation\\audit\\log.dll"))
            or FolderPath startswith "C:\\Program Files\\Canon\\MyPrinter\\"
            or FolderPath in~ ("C:\\Program Files\\AVAST Software\\Avast\\log.dll", "C:\\Program Files (x86)\\AVAST Software\\Avast\\log.dll")
            or FolderPath in~ ("C:\\Program Files\\AVG\\Antivirus\\log.dll", "C:\\Program Files (x86)\\AVG\\Antivirus\\log.dll")))
    or (FolderPath endswith "\\qrt.dll"
        and not(FolderPath startswith "C:\\Program Files\\F-Secure\\Anti-Virus\\"
             or FolderPath startswith "C:\\Program Files (x86)\\F-Secure\\Anti-Virus\\"))
    or ((FolderPath endswith "\\ashldres.dll" or FolderPath endswith "\\lockdown.dll" or FolderPath endswith "\\vsodscpl.dll")
        and not(FolderPath startswith "C:\\Program Files\\McAfee\\"
             or FolderPath startswith "C:\\Program Files (x86)\\McAfee\\"))
    or (FolderPath endswith "\\vftrace.dll"
        and not(FolderPath startswith "C:\\Program Files\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\"
             or FolderPath startswith "C:\\Program Files (x86)\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\"))
    or (FolderPath endswith "\\wsc.dll"
        and not((FolderPath startswith "C:\\program Files\\AVAST Software\\Avast\\"
                 or FolderPath startswith "C:\\program Files (x86)\\AVAST Software\\Avast\\")
             or (FolderPath startswith "C:\\Program Files\\AVG\\Antivirus\\"
                 or FolderPath startswith "C:\\Program Files (x86)\\AVG\\Antivirus\\")))
    or (FolderPath endswith "\\tmdbglog.dll"
        and not(FolderPath startswith "C:\\program Files\\Trend Micro\\Titanium\\"
             or FolderPath startswith "C:\\program Files (x86)\\Trend Micro\\Titanium\\"))
    or (FolderPath endswith "\\DLPPREM32.dll"
        and not(FolderPath startswith "C:\\program Files\\ESET"
             or FolderPath startswith "C:\\program Files (x86)\\ESET"))
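The following is an added example and is not part of the Sigma rule or the KQL translation above. It re-implements the rule's selection / filter / condition structure in plain Python so the logic can be exercised against constructed image_load events before it is deployed, in particular the two points that most often go wrong when such a rule is ported by hand: Sigma string matching is case-insensitive, and a filter with two fields (the Dell SARemediation exclusion, which names both Image and ImageLoaded) only suppresses an event when both fields match. Events are dicts keyed by the Sigma field names Image and ImageLoaded; the helper names (RULE, evaluate, SAMPLE_EVENTS) and the sample paths are assumptions made for this example.

```python
"""Reference evaluator for the 'Potential Antivirus Software DLL Sideloading' logic.

Added example, not part of the Sigma rule or the KQL translation on the page.
Sigma string matching is case-insensitive, so every comparison lower-cases both
sides, mirroring the mixed-case prefixes ('C:\\program Files\\...') in the rule.
"""

PF = "C:\\Program Files\\"
PF86 = "C:\\Program Files (x86)\\"


def _both(rel):
    """Return the 64-bit and 32-bit Program Files variants of a relative path."""
    return [PF + rel, PF86 + rel]


# selection name -> (ImageLoaded suffixes, list of filters).
# A filter is a dict of field -> (modifier, values); every field of one filter
# must match (AND), and the event is excluded if ANY filter of the selection hits.
RULE = {
    "bitdefender": (["\\log.dll"], [
        {"ImageLoaded": ("startswith", _both("Bitdefender Antivirus Free\\"))},
        {"Image": ("equals", [PF + "Dell\\SARemediation\\audit\\TelemetryUtility.exe"]),
         "ImageLoaded": ("equals", [PF + "Dell\\SARemediation\\plugin\\log.dll",
                                    PF + "Dell\\SARemediation\\audit\\log.dll"])},
        {"ImageLoaded": ("startswith", [PF + "Canon\\MyPrinter\\"])},
        {"ImageLoaded": ("equals", _both("AVAST Software\\Avast\\log.dll"))},
        {"ImageLoaded": ("equals", _both("AVG\\Antivirus\\log.dll"))},
    ]),
    "fsecure": (["\\qrt.dll"],
                [{"ImageLoaded": ("startswith", _both("F-Secure\\Anti-Virus\\"))}]),
    "mcafee": (["\\ashldres.dll", "\\lockdown.dll", "\\vsodscpl.dll"],
               [{"ImageLoaded": ("startswith", _both("McAfee\\"))}]),
    "cyberark": (["\\vftrace.dll"],
                 [{"ImageLoaded": ("startswith",
                                   _both("CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\"))}]),
    "avast": (["\\wsc.dll"], [
        {"ImageLoaded": ("startswith", _both("AVAST Software\\Avast\\"))},
        {"ImageLoaded": ("startswith", _both("AVG\\Antivirus\\"))},
    ]),
    "eset_deslock": (["\\DLPPREM32.dll"],
                     [{"ImageLoaded": ("startswith", _both("ESET"))}]),
    "titanium": (["\\tmdbglog.dll"],
                 [{"ImageLoaded": ("startswith", _both("Trend Micro\\Titanium\\"))}]),
}


def _field_matches(value, modifier, candidates):
    """Case-insensitive Sigma-style comparison of one field against its values."""
    v = value.lower()
    for c in candidates:
        c = c.lower()
        if (modifier == "startswith" and v.startswith(c)) or (modifier == "equals" and v == c):
            return True
    return False


def _filter_matches(event, flt):
    """All fields of a filter must match for the filter to suppress the event."""
    return all(_field_matches(event.get(field, ""), mod, vals)
               for field, (mod, vals) in flt.items())


def evaluate(event):
    """Return the name of the selection that fires, or None when no selection
    matches or a filter excludes the event (i.e. the rule stays quiet)."""
    loaded = event.get("ImageLoaded", "").lower()
    for name, (suffixes, filters) in RULE.items():
        if not any(loaded.endswith(s.lower()) for s in suffixes):
            continue
        if any(_filter_matches(event, f) for f in filters):
            continue
        return name
    return None


# Constructed sample events (not real telemetry); expected outcome in each comment.
SAMPLE_EVENTS = [
    # benign: log.dll from the real Bitdefender install directory
    {"Image": PF + "Bitdefender Antivirus Free\\bdservicehost.exe",
     "ImageLoaded": PF + "Bitdefender Antivirus Free\\log.dll"},
    # alert: log.dll loaded from a user-writable location
    {"Image": "C:\\Users\\Public\\update.exe",
     "ImageLoaded": "C:\\Users\\Public\\log.dll"},
    # benign: Dell filter hits because BOTH Image and ImageLoaded match
    {"Image": PF + "Dell\\SARemediation\\audit\\TelemetryUtility.exe",
     "ImageLoaded": PF + "Dell\\SARemediation\\plugin\\log.dll"},
    # alert: same Dell DLL path, but a different loading process
    {"Image": "C:\\Temp\\tool.exe",
     "ImageLoaded": PF + "Dell\\SARemediation\\plugin\\log.dll"},
    # benign: mixed case still matches the McAfee filter (case-insensitive)
    {"Image": PF + "McAfee\\agent\\masvc.exe",
     "ImageLoaded": "c:\\program files\\mcafee\\VirusScan\\vsodscpl.dll"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(evaluate(ev) or "benign", "<-", ev["ImageLoaded"])
```

Running the module prints one line per sample event; the fourth event is the instructive one, since it shows that the Dell exclusion is tied to TelemetryUtility.exe rather than to the DLL path alone, which is exactly the distinction a hand-written translation tends to lose.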
Scenario: Scheduled Antivirus Update Task
Description: A legitimate scheduled task runs an antivirus update that temporarily loads a DLL from a non-standard location.
Filter/Exclusion: Exclude processes associated with Windows Defender or McAfee Agent using the process name or parent process filter. Example: process.name = "MsMpEng.exe" or process.name = "McAgent.exe"

Scenario: Admin Task to Replace Antivirus DLLs
Description: A system administrator manually replaces a DLL in the antivirus software directory as part of a patch or update process.
Filter/Exclusion: Exclude processes initiated by a known admin user (e.g., Administrator) or those running from the antivirus software installation directory (e.g., C:\Program Files\Symantec\...).

Scenario: Antivirus Software Self-Update via PowerShell
Description: The antivirus software uses a PowerShell script to download and load a DLL as part of its self-update mechanism.
Filter/Exclusion: Exclude processes initiated by powershell.exe that are associated with known antivirus vendors (e.g., Symantec Endpoint Protection, Kaspersky Lab).

Scenario: DLL Side-Loading for Compatibility Testing
Description: A developer or QA team is testing compatibility by loading a DLL from an antivirus software package into a test application.
Filter/Exclusion: Exclude processes that are part of a development or testing environment (e.g., Visual Studio, TestRunner.exe) or those running under a specific test user account.

Scenario: Antivirus Software Integration with Third-Party Tools
Description: An antivirus tool integrates with a third-party security or monitoring tool, which may load a DLL from the antivirus directory.
Filter/Exclusion: Exclude processes that are known to be part of integration tools (e