The hypothesis is that an adversary is attempting to sideload the AVKkid.DLL file into a process to execute malicious code, leveraging T1574.001 to evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential persistence or execution tactics used by advanced threats.
Detection Rule
title: Potential AVKkid.DLL Sideloading
id: 952ed57c-8f99-453d-aee0-53a49c22f95d
status: test
description: Detects potential DLL sideloading of "AVKkid.dll"
references:
    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-08-03
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\AVKkid.dll'
    filter_main_legit_path:
        Image|contains:
            - 'C:\Program Files (x86)\G DATA\'
            - 'C:\Program Files\G DATA\'
        Image|endswith: '\AVKKid.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\G DATA\'
            - 'C:\Program Files\G DATA\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
DeviceImageLoadEvents
| where FolderPath endswith "\\AVKkid.dll"
    and not (
        (InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\G DATA\\"
         or InitiatingProcessFolderPath contains "C:\\Program Files\\G DATA\\")
        and InitiatingProcessFolderPath endswith "\\AVKKid.exe"
        and (FolderPath startswith "C:\\Program Files (x86)\\G DATA\\"
             or FolderPath startswith "C:\\Program Files\\G DATA\\")
    )
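The following is an added example, not code from the page or from the Sigma rule's author: a Python re-implementation of the rule's selection and filter_main_legit_path logic, run over constructed DeviceImageLoadEvents-style records (ids and paths are made up) to show which image loads survive the exclusion and why the filter requires all three conditions at once.

```python
from typing import Dict, List

# Directories the rule treats as the product's legitimate install locations.
G_DATA_DIRS = ("C:\\Program Files (x86)\\G DATA\\", "C:\\Program Files\\G DATA\\")

def _ci(s: str) -> str:
    # KQL endswith/startswith/contains and Sigma string modifiers match
    # case-insensitively (AVKkid.dll vs AVKKid.exe), so compare lower-cased.
    return s.lower()

def is_legit_path(event: Dict[str, str]) -> bool:
    """filter_main_legit_path: initiating exe under G DATA, named AVKKid.exe,
    AND the DLL itself loaded from a G DATA directory."""
    image = _ci(event["InitiatingProcessFolderPath"])
    loaded = _ci(event["FolderPath"])
    dirs = tuple(_ci(d) for d in G_DATA_DIRS)
    return (any(d in image for d in dirs)
            and image.endswith(_ci("\\AVKKid.exe"))
            and loaded.startswith(dirs))

def matches_rule(event: Dict[str, str]) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    selection = _ci(event["FolderPath"]).endswith(_ci("\\AVKkid.dll"))
    return selection and not is_legit_path(event)

def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches_rule(e)]

# Constructed sample telemetry for illustration only.
SAMPLE_EVENTS = [
    {"id": "legit", "InitiatingProcessFolderPath": "C:\\Program Files\\G DATA\\AVKKid.exe",
     "FolderPath": "C:\\Program Files\\G DATA\\AVKkid.dll"},
    {"id": "temp", "InitiatingProcessFolderPath": "C:\\Users\\u\\AppData\\Local\\Temp\\AVKKid.exe",
     "FolderPath": "C:\\Users\\u\\AppData\\Local\\Temp\\AVKkid.dll"},
    {"id": "mixed", "InitiatingProcessFolderPath": "C:\\Program Files\\G DATA\\AVKKid.exe",
     "FolderPath": "C:\\Users\\Public\\AVKkid.dll"},
    {"id": "otherexe", "InitiatingProcessFolderPath": "C:\\Program Files\\G DATA\\Updater.exe",
     "FolderPath": "C:\\Program Files\\G DATA\\AVKkid.dll"},
    {"id": "unrelated", "InitiatingProcessFolderPath": "C:\\Windows\\explorer.exe",
     "FolderPath": "C:\\Windows\\System32\\shell32.dll"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))  # ['temp', 'mixed', 'otherexe']
```

The "otherexe" hit shows a tuning point: any G DATA process other than AVKKid.exe loading the DLL from the install directory is still flagged, so such loads need a separate, path-bounded filter rather than a broader one.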
Scenario: Scheduled System Maintenance Task Using AVKkid.DLL
Description: A legitimate system maintenance task, such as a Windows Update or disk cleanup, may use AVKkid.DLL as part of its execution flow.
Filter/Exclusion: Check the CommandLine field for known system maintenance task names (e.g., schtasks.exe, wuauclt.exe) or filter by ProcessName matching svchost.exe or taskhost.exe.
Scenario: Antivirus or Security Software Integration
Description: Some security tools may dynamically load AVKkid.DLL for integration with system services or for hooking into processes.
Filter/Exclusion: Filter by ProcessName matching known security software (e.g., mpsvc.exe for Microsoft Defender, avgnt.exe for AVG) or check the ParentProcess for security tool processes.
Scenario: Administrative Tool for System Configuration
Description: An admin may use tools like regedit.exe or gpedit.msc to modify registry settings that indirectly reference AVKkid.DLL.
Filter/Exclusion: Filter by ProcessName matching regedit.exe or gpedit.msc, or check the ParentProcess for known administrative tools.
Scenario: Legitimate DLL Side-Loading via COM Interop
Description: A .NET application may use COM interop to load AVKkid.DLL as part of its normal operation, especially if it's registered in the registry.
Filter/Exclusion: Filter by ProcessName matching known .NET applications or check the CommandLine for COM interop-related arguments (e.g., /regserver).
Scenario: System File Integrity Check Using AVKkid.DLL
Description: A system file integrity check tool (