Potential Masquerading as VLC DLL
Identifies instances of VLC-related DLLs which are not signed by the original developer. Attackers may name their payload as legitimate applications to blend into the environment, or embedding its malicious code within legitimate applications to deceive machine learning algorithms by incorporating authentic and benign code.
Rule type: eql
Rule indices:
- logs-endpoint.events.library-*
Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: ?
References:
Tags:
- Domain: Endpoint
- Data Source: Elastic Defend
- OS: Windows
- Use Case: Threat Detection
- Tactic: Defense Evasion
- Tactic: Persistence
- Rule Type: BBR
Version: ?
Rule authors:
- Elastic
Rule license: Elastic License v2
library where host.os.type == "windows" and event.action == "load" and
dll.name : ("libvlc.dll", "libvlccore.dll", "axvlc.dll") and
not (
dll.code_signature.subject_name : ("VideoLAN", "716F2E5E-A03A-486B-BC67-9B18474B9D51")
and dll.code_signature.trusted == true
)
Framework: MITRE ATT&CK
Tactic:
- Name: Defense Evasion
- Id: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Masquerading
- Id: T1036
- Reference URL: https://attack.mitre.org/techniques/T1036/
Sub Technique:
- Name: Invalid Code Signature
- Id: T1036.001
- Reference URL: https://attack.mitre.org/techniques/T1036/001/
Sub Technique:
- Name: Match Legitimate Resource Name or Location
- Id: T1036.005
- Reference URL: https://attack.mitre.org/techniques/T1036/005/
Framework: MITRE ATT&CK
Tactic:
- Name: Persistence
- Id: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Compromise Host Software Binary
- Id: T1554
- Reference URL: https://attack.mitre.org/techniques/T1554/