cscli scenarios install sigmahq/proc_creation_win_dll_sideload_vmware_xfer1type: trigger2name: sigmahq/proc_creation_win_dll_sideload_vmware_xfer3description: |4 Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL5filter: |6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && (evt.Parsed.Image endsWith '\\VMwareXferlogs.exe' && not (evt.Parsed.Image startsWith 'C:\\Program Files\\VMware\\'))7blackhole: 2m8#status: test9labels:10 service: windows11 confidence: 112 spoofable: 013 classification:14 - attack.t1574.0021516 label: "DLL Sideloading by VMware Xfer Utility"17 behavior : "windows:audit"18 remediation: false1920scope:21 type: ParentProcessId22 expression: evt.Parsed.ParentProcessId2324