KnowledgeDeliver BLUEBEAM Reported Artifacts
Hunts for the BLUEBEAM filename and SHA-256 value and for anomalous User-Agent components reported during exploitation of KnowledgeDeliver. The values are historical and require application and host context.
Sigma source
Raw YAMLtitle: KnowledgeDeliver BLUEBEAM Reported Artifacts
id: df713958-bc91-46d0-a186-86d472ff8982
status: experimental
author: FRAME ZERO
date: 2026-07-15
description: Hunts for the BLUEBEAM filename and SHA-256 value and for anomalous User-Agent components reported during exploitation of KnowledgeDeliver. The values are historical and require application and host context.
references:
- https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability/
logsource:
product: windows
detection:
selection_file_name:
TargetFilename|endswith: '\LoadLibrary.dll'
selection_loaded_image:
ImageLoaded|endswith: '\LoadLibrary.dll'
selection_hash:
Hashes|contains: '7c1f99dca8e5a7897892f9d224a6495023a2cfd2671697d229d355978c415ed2'
selection_user_agent:
UserAgent|contains:
- 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.2 (KHTML, like Gecko) Chrome/22.0.1216.0 Safari/537.2'
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36'
- 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101213 Opera/9.80 (Windows NT 6.1; U; zh-tw) Presto/2.7.62 Version/11.01'
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) chromeframe/10.0.648.205'
condition: 1 of selection_*
falsepositives:
- Unrelated software using the generic LoadLibrary.dll filename
- Security testing or scanning that copies the published User-Agent components
- Historical endpoint records retained after the affected application was remediated
level: medium
tags:
- attack.persistence
- attack.t1505.003
telemetry_assumptions:
- Endpoint telemetry records file paths, loaded images, and SHA-256 values on KnowledgeDeliver or IIS hosts.
- IIS, proxy, or web application telemetry maps the full request User-Agent into UserAgent for correlation.
- Analysts correlate matches with the affected application, ViewState errors, IIS process behavior, and web-root changes.
related_publication: knowledgedeliver-viewstate-zero-day-bluebeam