The hypothesis is that an adversary is attempting to sideload the Iviewers.DLL file to execute malicious code by loading it into a legitimate process. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential DLL sideloading attacks that could lead to code execution and lateral movement.
Detection Rule
title: Potential Iviewers.DLL Sideloading
id: 4c21b805-4dd7-469f-b47d-7383a8fcb437
status: test
description: Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
references:
- https://www.secureworks.com/research/shadowpad-malware-analysis
author: X__Junior (Nextron Systems)
date: 2023-03-21
tags:
- attack.persistence
- attack.defense-evasion
- attack.privilege-escalation
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\iviewers.dll'
filter:
ImageLoaded|startswith:
- 'C:\Program Files (x86)\Windows Kits\'
- 'C:\Program Files\Windows Kits\'
condition: selection and not filter
falsepositives:
- Unknown
level: high
DeviceImageLoadEvents
| where FolderPath endswith "\\iviewers.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\Windows Kits\\" or FolderPath startswith "C:\\Program Files\\Windows Kits\\")))Scenario: System Update or Patch Deployment
Description: A legitimate system update or patch deployment may involve copying iViewers.dll to a system directory as part of the update process.
Filter/Exclusion: Check the file’s hash against known good hashes from trusted update sources (e.g., Microsoft, vendor patches). Use a filter like:
file_hash == "known_good_hash"Scenario: Scheduled Job for Log Processing
Description: A scheduled job running a log processing tool (e.g., Splunk, ELK Stack, or custom log parser) might copy iViewers.dll to a temporary directory for use in parsing or analyzing logs.
Filter/Exclusion: Exclude files in known log processing directories (e.g., C:\Program Files\ELK\temp\) or filter by process name:
process_name == "splunkd.exe" OR process_name == "logstash.exe"Scenario: Administrative Tool Installation
Description: An administrative tool (e.g., Microsoft System Center, SCCM, or third-party management software) may include iViewers.dll as part of its installation or configuration process.
Filter/Exclusion: Exclude files in known installation directories (e.g., C:\Program Files\Microsoft\SystemCenter\) or filter by process name:
process_name == "setup.exe" OR process_name == "sccmclient.exe"Scenario: User-Initiated File Copy for Custom Scripting
Description: A user may manually copy iViewers.dll to a script directory for use in a custom script or automation task (e.g., PowerShell or batch scripts).
Filter/Exclusion: Exclude files in user-specific directories (e.g.,