The hypothesis is that an adversary is attempting to sideload the Libvlc.DLL file to execute malicious code by replacing or injecting it into legitimate processes. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential DLL sideloading attacks that could lead to code execution and lateral movement.
Detection Rule
title: Potential Libvlc.DLL Sideloading
id: bf9808c4-d24f-44a2-8398-b65227d406b6
status: test
description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
references:
    - https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html
    - https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html
author: X__Junior
date: 2023-04-17
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\libvlc.dll'
    filter_main_vlc:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\VideoLAN\VLC\'
            - 'C:\Program Files\VideoLAN\VLC\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives are expected if VLC is installed in non-default locations
level: medium
DeviceImageLoadEvents
| where FolderPath endswith "\\libvlc.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\VideoLAN\\VLC\\" or FolderPath startswith "C:\\Program Files\\VideoLAN\\VLC\\")))
Scenario: Legitimate use of Libvlc.DLL by a media player application
Description: A user is running a legitimate media player (e.g., VLC Media Player) that uses libvlc.dll as part of its normal operation.
Filter/Exclusion: Check the process name and path. Exclude processes from known trusted vendors (e.g., vlc.exe from VideoLAN) and ensure the DLL is located in the application’s installation directory.
Scenario: System update or patch installation
Description: A system update or patch (e.g., Windows Update, Microsoft Defender ATP) may temporarily load libvlc.dll as part of its installation or configuration process.
Filter/Exclusion: Exclude processes associated with system updates (e.g., wusa.exe, setup.exe) and check the source of the DLL (e.g., system directories like C:\Windows\System32).
Scenario: Scheduled job or automation task using Libvlc.DLL
Description: A scheduled task or automation script (e.g., using PowerShell or a batch file) may invoke a tool that relies on libvlc.dll for media processing.
Filter/Exclusion: Exclude processes initiated by scheduled tasks (e.g., schtasks.exe), and verify the task’s origin and script content to ensure it’s part of a known, authorized automation workflow.
Scenario: Admin tool or script using Libvlc.DLL for media processing
Description: An administrator may use a script or tool (e.g., ffmpeg, ffplay, or a custom script) that leverages libvlc.dll to process media files as part of a system maintenance or reporting task.
Filter/Exclusion: Exclude processes initiated by admin tools or scripts that are known to use libvlc.dll for legitimate purposes, and check the user context under which the load occurred.
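The following is an added example, not code from the original page, the Sigma project or VideoLAN. It re-implements the rule's `selection and not 1 of filter_main_*` logic in Python and runs it over a few constructed image_load records, then applies a first-pass triage step that mirrors the scenarios above: a `vlc.exe` loading `libvlc.dll` from its own directory is tagged as the non-default-install false positive the rule's `falsepositives` entry describes, while everything else is left for analyst review. Field names follow Sigma's image_load category (`Image`, `ImageLoaded`); the `USER_WRITABLE_MARKERS` heuristic, the verdict labels and the sample events are assumptions of this example, not part of the rule.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Default VLC install directories, copied from the rule's filter_main_vlc list.
VLC_DEFAULT_DIRS = (
    "C:\\Program Files (x86)\\VideoLAN\\VLC\\",
    "C:\\Program Files\\VideoLAN\\VLC\\",
)

# Assumption (not from the rule): path fragments treated as user-writable
# staging locations that a legitimate libvlc.dll would not normally live in.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass(frozen=True)
class ImageLoadEvent:
    """One image_load record; field names mirror Sigma's Image / ImageLoaded."""
    image: str         # process that performed the load
    image_loaded: str  # full path of the DLL that was loaded


def rule_matches(event: ImageLoadEvent) -> bool:
    """Sigma condition 'selection and not 1 of filter_main_*'.

    Sigma string modifiers are case-insensitive, so compare lower-cased paths.
    """
    loaded = event.image_loaded.lower()
    selection = loaded.endswith("\\libvlc.dll")
    in_default_vlc_dir = any(loaded.startswith(d.lower()) for d in VLC_DEFAULT_DIRS)
    return selection and not in_default_vlc_dir


def triage(event: ImageLoadEvent) -> str:
    """First-pass classification of a rule hit, following the scenarios above.

    Returns one of:
      'no_match'              rule did not fire
      'likely_fp_nondefault'  vlc.exe loading libvlc.dll from its own directory
                              (VLC installed outside Program Files)
      'high'                  DLL sits in a user-writable location and the loader
                              is not vlc.exe (heuristic assumed by this example)
      'review'                everything else: verify process, vendor and path
    """
    if not rule_matches(event):
        return "no_match"
    proc = PureWindowsPath(event.image)
    dll = PureWindowsPath(event.image_loaded)
    # PureWindowsPath comparisons are case-insensitive, like the OS itself.
    if proc.name.lower() == "vlc.exe" and proc.parent == dll.parent:
        return "likely_fp_nondefault"
    loaded = event.image_loaded.lower()
    if any(marker in loaded for marker in USER_WRITABLE_MARKERS):
        return "high"
    return "review"


# Constructed sample events for this example (not real telemetry).
SAMPLE_EVENTS = [
    ImageLoadEvent("C:\\Program Files\\VideoLAN\\VLC\\vlc.exe",
                   "C:\\Program Files\\VideoLAN\\VLC\\libvlc.dll"),
    ImageLoadEvent("D:\\Apps\\VLC\\vlc.exe", "D:\\Apps\\VLC\\libvlc.dll"),
    ImageLoadEvent("C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
                   "C:\\Users\\alice\\AppData\\Local\\Temp\\libvlc.dll"),
    ImageLoadEvent("C:\\Windows\\System32\\svchost.exe",
                   "C:\\Windows\\System32\\libvlc.dll"),
]


def run(events=SAMPLE_EVENTS):
    """Return [(dll path, verdict)] so the result can be inspected or asserted."""
    return [(e.image_loaded, triage(e)) for e in events]


if __name__ == "__main__":
    for path, verdict in run():
        print(f"{verdict:22} {path}")
```

The first sample event is the default-install case the rule's filter suppresses; the second is the documented false positive (VLC on another drive), which still fires the rule but is downgraded because the loader is `vlc.exe` in the same directory. Tighten the `likely_fp_nondefault` branch with a signer or hash check on the process image before treating it as an exclusion, since the path-and-name test alone is what an attacker staging a renamed binary would satisfy.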