@nasbench, I have added suspicious paths and image to reduce the fps. I observed other processes exhibiting such activities in my env.

@nasbench, I have updated the description and added a new rule

Hi @nasbench,
I read an article at https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/. It discusses the possibility of sideloading through OleView.exe. I believe creating a more generic rule in the main rules repository could be beneficial. What are your thoughts on this idea? OR, is there already a pre-existing rule to detect such events?

l. What are your thoughts on this idea

What do you mean by a more generic rule in the rule repo? Also please refrain from adding rules to an already reviewed PR.

HI @nasbench,

Sorry for that. won't happen from next time.
What i mean by more generic is in this rule i have specified dll name because it was detected as a Raspberry Robin IOC. But there are still other dlls that can be sideloaded by Oleview.exe. So, I was thinking of creating a rule where image would be Oleview.exe, but there won't be the dll name. Instead we can filter out legitimately signed DLLs by Microsoft Co-Operation which will gave us only malicious dlls. We can maybe add suspicious path just to be in safe side as well.
I hope you understands my concerns.

Thank you

HI @nasbench,

Sorry for that. won't happen from next time. What i mean by more generic is in this rule i have specified dll name because it was detected as a Raspberry Robin IOC. But there are still other dlls that can be sideloaded by Oleview.exe. So, I was thinking of creating a rule where image would be Oleview.exe, but there won't be the dll name. Instead we can filter out legitimately signed DLLs by Microsoft Co-Operation which will gave us only malicious dlls. We can maybe add suspicious path just to be in safe side as well. I hope you understands my concerns.

Thank you

Yeah we can create such a rule. But filtering MS only DLLs can be a basic approach. We need to double check which DLLs can be sideloaded and if all of them are "signed". Adding the paths would a good best effort to start with.

Add such a rule to this PR and we can work on making it good.

Hi @nasbench,
I have updated the rule to include a filter for legitimate paths, but I haven't removed the aclui.dll because I don't want to contaminate this Raspberry Robin TTP. Therefore, I believe we can research and add other sideloadable DLLs with a separate Pull Request for a different rule.