Detects potential DLL sideloading of “SmadHook.dll”, a DLL used by SmadAV antivirus
title: Potential SmadHook.DLL Sideloading
id: 24b6cf51-6122-469e-861a-22974e9c1e5b
status: test
description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
references:
- https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/
- https://www.qurium.org/alerts/targeted-malware-against-crph/
author: X__Junior (Nextron Systems)
date: 2023-06-01
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\SmadHook32c.dll'
- '\SmadHook64c.dll'
filter_main_legit_path:
Image:
- 'C:\Program Files (x86)\SMADAV\SmadavProtect32.exe'
- 'C:\Program Files (x86)\SMADAV\SmadavProtect64.exe'
- 'C:\Program Files\SMADAV\SmadavProtect32.exe'
- 'C:\Program Files\SMADAV\SmadavProtect64.exe'
ImageLoaded|startswith:
- 'C:\Program Files (x86)\SMADAV\'
- 'C:\Program Files\SMADAV\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
DeviceImageLoadEvents
| where (FolderPath endswith "\\SmadHook32c.dll" or FolderPath endswith "\\SmadHook64c.dll") and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\SMADAV\\SmadavProtect32.exe", "C:\\Program Files (x86)\\SMADAV\\SmadavProtect64.exe", "C:\\Program Files\\SMADAV\\SmadavProtect32.exe", "C:\\Program Files\\SMADAV\\SmadavProtect64.exe")) and (FolderPath startswith "C:\\Program Files (x86)\\SMADAV\\" or FolderPath startswith "C:\\Program Files\\SMADAV\\"))))| Sentinel Table | Notes |
|---|---|
DeviceImageLoadEvents | Ensure this data connector is enabled |