Adversaries may plant a malicious appverifUI.dll where the trusted appverif.exe process will sideload it, gaining persistence and evading detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that use DLL sideloading as part of their attack chain.
Detection Rule
title: Potential appverifUI.DLL Sideloading
id: ee6cea48-c5b6-4304-a332-10fc6446f484
status: test
description: Detects potential DLL sideloading of "appverifUI.dll"
references:
    - https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/
author: X__Junior (Nextron Systems)
date: 2023-06-20
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\appverifUI.dll'
    filter_main_legit_path:
        Image:
            - 'C:\Windows\SysWOW64\appverif.exe'
            - 'C:\Windows\System32\appverif.exe'
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
KQL Query
DeviceImageLoadEvents
| where FolderPath endswith "\\appverifUI.dll"
    and not (
        InitiatingProcessFolderPath in~ ("C:\\Windows\\SysWOW64\\appverif.exe", "C:\\Windows\\System32\\appverif.exe")
        and (FolderPath startswith "C:\\Windows\\System32\\"
             or FolderPath startswith "C:\\Windows\\SysWOW64\\"
             or FolderPath startswith "C:\\Windows\\WinSxS\\")
    )
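To make the rule's matching semantics concrete, the following is an added Python checker (not part of the Sigma project, the rule author's work, or this page) that evaluates the same `selection and not 1 of filter_main_*` logic over a few constructed image-load events; the event dictionaries, their ids and the sample paths are constructed for illustration, and field names mirror the Sigma fields.

```python
# Added example: the rule's `selection and not 1 of filter_main_*` logic as a
# standalone checker run over constructed image_load events (not project code).
from typing import Dict, List

# Paths from filter_main_legit_path; compared case-insensitively, as Sigma
# string matching and KQL's endswith/startswith/in~ do.
LEGIT_IMAGES = ("C:\\Windows\\SysWOW64\\appverif.exe",
                "C:\\Windows\\System32\\appverif.exe")
LEGIT_DLL_DIRS = ("C:\\Windows\\System32\\",
                  "C:\\Windows\\SysWOW64\\",
                  "C:\\Windows\\WinSxS\\")


def matches_rule(event: Dict[str, str]) -> bool:
    """True when the event would fire the rule."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    # selection: any process loading a DLL named appverifUI.dll
    if not loaded.endswith("\\appverifui.dll"):
        return False
    # filter_main_legit_path excludes the event only when BOTH the loader is
    # the real appverif.exe AND the DLL comes from a system directory
    legit_image = image in {p.lower() for p in LEGIT_IMAGES}
    legit_dir = any(loaded.startswith(d.lower()) for d in LEGIT_DLL_DIRS)
    return not (legit_image and legit_dir)


# Constructed sample events (ids are labels for this example only)
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "e1", "Image": "C:\\Windows\\System32\\appverif.exe",
     "ImageLoaded": "C:\\Windows\\System32\\appverifUI.dll"},      # legitimate
    {"id": "e2", "Image": "C:\\Users\\bob\\Downloads\\appverif.exe",
     "ImageLoaded": "C:\\Users\\bob\\Downloads\\appverifUI.dll"},  # copied exe + DLL
    {"id": "e3", "Image": "C:\\Windows\\System32\\appverif.exe",
     "ImageLoaded": "C:\\ProgramData\\appverifUI.dll"},            # real exe, foreign DLL
    {"id": "e4", "Image": "c:\\windows\\syswow64\\APPVERIF.EXE",
     "ImageLoaded": "C:\\Windows\\SysWOW64\\AppVerifUI.DLL"},      # case differs, still legit
    {"id": "e5", "Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},        # unrelated load
]


def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of the events that fire the rule."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], "ALERT" if matches_rule(e) else "ok", e["ImageLoaded"])
```

Note that e3 fires even though the loader is the genuine appverif.exe: the filter requires both a legitimate image and a system DLL path, so a rogue DLL picked up from elsewhere is still reported.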
Scenario: System Update or Patching Tool
Description: A legitimate system update tool (e.g., Windows Update, Microsoft Deployment Toolkit) may load appverifUI.DLL as part of its operation.
Filter/Exclusion: Check the process tree for parent processes like wuauclt.exe, msiexec.exe, or setup.exe. Exclude processes with these parent processes.
Scenario: Scheduled Job for Compliance or Security Scan
Description: A scheduled task (e.g., via Task Scheduler) running a security or compliance tool (e.g., Microsoft Defender, SCCM, or third-party antivirus) may trigger this rule.
Filter/Exclusion: Exclude processes launched by schtasks.exe or taskhost.exe and verify if the task is associated with known security tools.
Scenario: Administrative Tool for System Configuration
Description: An admin may use tools like sysprep.exe or dism.exe during system imaging or configuration, which could involve loading appverifUI.DLL.
Filter/Exclusion: Exclude processes initiated by sysprep.exe, dism.exe, or setup.exe during known imaging or deployment workflows.
Scenario: User-Initiated System File Check
Description: A user might run sfc /scannow or DISM to repair system files, which could involve loading appverifUI.DLL as part of the process.
Filter/Exclusion: Exclude processes with command-line arguments like /scannow or /online /Cleanup-Image associated with sfc.exe or dism.exe.
Scenario: Third-Party Software Integration
Description: Some enterprise software (e.g., VMware Tools, Citrix Receiver, or Microsoft Endpoint Manager) may load `appver