name: Windows BitDefender Submission Wizard DLL Sideloading
id: a1b2c3d4-e5f6-4789-a012-3456789abcde
version: 1
date: '2026-03-13'
author: Michael Haag, Splunk
status: experimental
type: TTP
description: Detects DLL side-loading of the Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or a renamed copy such as BluetoothService.exe) when a malicious log.dll is loaded from a non-standard path, using Sysmon ImageLoad events.
data_source:
- Sysmon EventID 7
search: '`sysmon` EventCode=7 ( Image IN ( "*\\BDSubmit.exe", "*\\bdsw.exe", "*\\BluetoothService.exe" ) OR OriginalFileName IN ( "BDSubmit.exe", "bdsw.exe" ) ) ImageLoaded="*\\log.dll" NOT ImageLoaded IN ( "*:\\Program Files (x86)\\*", "*:\\Program Files\\*", "*:\\Windows\\System32\\*", "*:\\Windows\\SysWOW64\\*" ) | stats count min(_time) as firstTime max(_time) as lastTime by dest Image ImageLoaded Signed SignatureStatus User OriginalFileName loaded_file loaded_file_path process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists service_dll_signature_verified signature signature_id user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bitdefender_submission_wizard_dll_sideloading_filter`'
how_to_implement: Ingest Sysmon ImageLoad events and ensure the Splunk Add-on for Sysmon is configured to parse them. Enable ImageLoad (Event ID 7) in the Sysmon configuration so DLL loads are recorded. Map the logs to the Endpoint data model where applicable.
known_false_positives: Legitimate Bitdefender installations loading log.dll from Program Files are excluded by the search. Allowlist additional known-good paths as needed.
references:
- https://attack.mitre.org/techniques/T1574/002/
- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- https://attack.mitre.org/groups/G0065/
drilldown_searches:
- name: 'View the detection results for - "$dest$" and "$User$"'
  search: '%original_detection_search% | search dest = "$dest$" User = "$User$"'
  earliest_offset: '$info_min_time$'
  latest_offset: '$info_max_time$'
- name: 'View risk events for the last 7 days for - "$dest$" and "$User$"'
  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$User$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
  earliest_offset: '$info_min_time$'
  latest_offset: '$info_max_time$'
tags:
  analytic_story:
  - Lotus Blossom Chrysalis Backdoor
  asset_type: Endpoint
  mitre_attack_id:
  - T1574
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  security_domain: endpoint
  cve:
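To make the matching logic of the search above easy to test before it reaches Splunk, here is an added example (not part of the detection record or of Splunk's security_content project) that re-implements the rule in plain Python and runs it over a handful of constructed Sysmon Event ID 7 records. The patterns are copied from the search; the sample events, host names, user names and timestamps are invented. It covers the three cases the rule distinguishes: a renamed loader with the trusted OriginalFileName loading log.dll from a user-writable path (alert), a genuine install loading log.dll from Program Files (excluded), and an unrelated process loading a log.dll (not in scope).

```python
"""Python re-implementation of the SPL matching logic for the
'Windows BitDefender Submission Wizard DLL Sideloading' detection.
Example code added for illustration; patterns mirror the search,
sample events are constructed."""
import fnmatch

# Process identity, from the search's Image IN (...) / OriginalFileName IN (...) clauses.
IMAGE_PATTERNS = ("*\\BDSubmit.exe", "*\\bdsw.exe", "*\\BluetoothService.exe")
ORIGINAL_FILENAMES = ("bdsubmit.exe", "bdsw.exe")
# The side-loaded module the search looks for.
LOADED_PATTERN = "*\\log.dll"
# Locations the search excludes (NOT ImageLoaded IN (...)), i.e. a legitimate install.
TRUSTED_PATH_PATTERNS = (
    "*:\\Program Files (x86)\\*",
    "*:\\Program Files\\*",
    "*:\\Windows\\System32\\*",
    "*:\\Windows\\SysWOW64\\*",
)


def _match(value, pattern):
    # Splunk wildcard matching is case-insensitive and '*' is the only wildcard
    # used in this rule, so lower-case both sides and use fnmatchcase (backslashes
    # are treated as literals, not escapes).
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def matches_detection(event):
    """Return True if a single Sysmon record satisfies the search's filter."""
    if event.get("EventCode") != 7:
        return False
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    loaded = event.get("ImageLoaded", "")
    process_in_scope = (
        any(_match(image, p) for p in IMAGE_PATTERNS)
        or original.lower() in ORIGINAL_FILENAMES
    )
    if not process_in_scope or not _match(loaded, LOADED_PATTERN):
        return False
    # Only the path of the loaded DLL is allowlisted; a renamed loader living in
    # Program Files but pulling log.dll from elsewhere still alerts.
    return not any(_match(loaded, p) for p in TRUSTED_PATH_PATTERNS)


def summarize(events):
    """Reduced version of the search's `stats count min(_time) max(_time) by ...`,
    keyed on the fields an analyst triages first."""
    rows = {}
    for ev in events:
        if not matches_detection(ev):
            continue
        key = (ev["dest"], ev["Image"], ev["ImageLoaded"], ev.get("User", ""))
        row = rows.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return rows


# Constructed Sysmon Event ID 7 records (hosts, users and times are made up).
SAMPLE_EVENTS = [
    # Renamed loader in a user-writable directory: should alert.
    {"_time": 1710000000, "EventCode": 7, "dest": "ws01", "User": "CORP\\alice",
     "Image": "C:\\Users\\Public\\Libraries\\BluetoothService.exe", "OriginalFileName": "BDSubmit.exe",
     "ImageLoaded": "C:\\Users\\Public\\Libraries\\log.dll"},
    {"_time": 1710000060, "EventCode": 7, "dest": "ws01", "User": "CORP\\alice",
     "Image": "C:\\Users\\Public\\Libraries\\BluetoothService.exe", "OriginalFileName": "BDSubmit.exe",
     "ImageLoaded": "C:\\Users\\Public\\Libraries\\log.dll"},
    # Genuine install loading its own log.dll from Program Files: excluded.
    {"_time": 1710000120, "EventCode": 7, "dest": "ws02", "User": "CORP\\bob",
     "Image": "C:\\Program Files\\Bitdefender\\Submission Wizard\\BDSubmit.exe", "OriginalFileName": "BDSubmit.exe",
     "ImageLoaded": "C:\\Program Files\\Bitdefender\\Submission Wizard\\log.dll"},
    # Unrelated process loading some log.dll: not in scope for this rule.
    {"_time": 1710000180, "EventCode": 7, "dest": "ws03", "User": "CORP\\carol",
     "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "ImageLoaded": "C:\\Users\\carol\\AppData\\Local\\Temp\\log.dll"},
    # Loader renamed to something arbitrary; caught via OriginalFileName.
    {"_time": 1710000240, "EventCode": 7, "dest": "ws04", "User": "CORP\\dave",
     "Image": "C:\\ProgramData\\Update\\update.exe", "OriginalFileName": "bdsw.exe",
     "ImageLoaded": "C:\\ProgramData\\Update\\log.dll"},
]


if __name__ == "__main__":
    for key, row in summarize(SAMPLE_EVENTS).items():
        dest, image, loaded, user = key
        print(f"{dest} {user} {image} -> {loaded} count={row['count']} "
              f"first={row['firstTime']} last={row['lastTime']}")
```

Running the script prints two result rows (ws01 with count 2, ws04 with count 1); the Program Files load and the notepad.exe load produce nothing. The OriginalFileName branch is the reason the rule keeps pace with attackers who rename the binary, while the path allowlist on ImageLoaded, rather than on Image, is what keeps a legitimately installed loader from being blinded when it is pointed at a DLL outside its own directory.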