Unsigned DLL Side-Loading from a Suspicious Folder

  1[metadata]
  2creation_date = "2022/11/22"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted
 11program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a
 12malicious DLL within the memory space of a signed processes.
 13"""
 14from = "now-9m"
 15index = ["logs-endpoint.events.library-*"]
 16language = "eql"
 17license = "Elastic License v2"
 18name = "Unsigned DLL Side-Loading from a Suspicious Folder"
 19references = [
 20    "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion",
 21]
 22risk_score = 47
 23rule_id = "ca98c7cf-a56e-4057-a4e8-39603f7f0389"
 24setup = """## Setup
 25
 26If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
 27events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
 28Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
 29`event.ingested` to @timestamp.
 30For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 31"""
 32severity = "medium"
 33tags = [
 34    "Domain: Endpoint",
 35    "OS: Windows",
 36    "Use Case: Threat Detection",
 37    "Tactic: Defense Evasion",
 38    "Data Source: Elastic Defend",
 39    "Resources: Investigation Guide",
 40]
 41timestamp_override = "event.ingested"
 42type = "eql"
 43
 44query = '''
 45library where host.os.type == "windows" and
 46
 47 process.code_signature.trusted == true and
 48
 49 (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and
 50
 51  not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining") and
 52
 53      /* Suspicious Paths */
 54      dll.path : ("?:\\PerfLogs\\*.dll",
 55                  "?:\\Users\\*\\Pictures\\*.dll",
 56                  "?:\\Users\\*\\Music\\*.dll",
 57                  "?:\\Users\\Public\\*.dll",
 58                  "?:\\Users\\*\\Documents\\*.dll",
 59                  "?:\\Windows\\Tasks\\*.dll",
 60                  "?:\\Windows\\System32\\Tasks\\*.dll",
 61                  "?:\\Intel\\*.dll",
 62                  "?:\\AMD\\Temp\\*.dll",
 63                  "?:\\Windows\\AppReadiness\\*.dll",
 64                  "?:\\Windows\\ServiceState\\*.dll",
 65                  "?:\\Windows\\security\\*.dll",
 66		  "?:\\Windows\\System\\*.dll",
 67                  "?:\\Windows\\IdentityCRL\\*.dll",
 68                  "?:\\Windows\\Branding\\*.dll",
 69                  "?:\\Windows\\csc\\*.dll",
 70                  "?:\\Windows\\DigitalLocker\\*.dll",
 71                  "?:\\Windows\\en-US\\*.dll",
 72                  "?:\\Windows\\wlansvc\\*.dll",
 73                  "?:\\Windows\\Prefetch\\*.dll",
 74                  "?:\\Windows\\Fonts\\*.dll",
 75                  "?:\\Windows\\diagnostics\\*.dll",
 76                  "?:\\Windows\\TAPI\\*.dll",
 77                  "?:\\Windows\\INF\\*.dll",
 78                  "?:\\windows\\tracing\\*.dll",
 79                  "?:\\windows\\IME\\*.dll",
 80                  "?:\\Windows\\Performance\\*.dll",
 81                  "?:\\windows\\intel\\*.dll",
 82                  "?:\\windows\\ms\\*.dll",
 83                  "?:\\Windows\\dot3svc\\*.dll",
 84                  "?:\\Windows\\ServiceProfiles\\*.dll",
 85                  "?:\\Windows\\panther\\*.dll",
 86                  "?:\\Windows\\RemotePackages\\*.dll",
 87                  "?:\\Windows\\OCR\\*.dll",
 88                  "?:\\Windows\\appcompat\\*.dll",
 89                  "?:\\Windows\\apppatch\\*.dll",
 90                  "?:\\Windows\\addins\\*.dll",
 91                  "?:\\Windows\\Setup\\*.dll",
 92                  "?:\\Windows\\Help\\*.dll",
 93                  "?:\\Windows\\SKB\\*.dll",
 94                  "?:\\Windows\\Vss\\*.dll",
 95                  "?:\\Windows\\Web\\*.dll",
 96                  "?:\\Windows\\servicing\\*.dll",
 97                  "?:\\Windows\\CbsTemp\\*.dll",
 98                  "?:\\Windows\\Logs\\*.dll",
 99                  "?:\\Windows\\WaaS\\*.dll",
100                  "?:\\Windows\\twain_32\\*.dll",
101                  "?:\\Windows\\ShellExperiences\\*.dll",
102                  "?:\\Windows\\ShellComponents\\*.dll",
103                  "?:\\Windows\\PLA\\*.dll",
104                  "?:\\Windows\\Migration\\*.dll",
105                  "?:\\Windows\\debug\\*.dll",
106                  "?:\\Windows\\Cursors\\*.dll",
107                  "?:\\Windows\\Containers\\*.dll",
108                  "?:\\Windows\\Boot\\*.dll",
109                  "?:\\Windows\\bcastdvr\\*.dll",
110                  "?:\\Windows\\TextInput\\*.dll",
111                  "?:\\Windows\\schemas\\*.dll",
112                  "?:\\Windows\\SchCache\\*.dll",
113                  "?:\\Windows\\Resources\\*.dll",
114                  "?:\\Windows\\rescache\\*.dll",
115                  "?:\\Windows\\Provisioning\\*.dll",
116                  "?:\\Windows\\PrintDialog\\*.dll",
117                  "?:\\Windows\\PolicyDefinitions\\*.dll",
118                  "?:\\Windows\\media\\*.dll",
119                  "?:\\Windows\\Globalization\\*.dll",
120                  "?:\\Windows\\L2Schemas\\*.dll",
121                  "?:\\Windows\\LiveKernelReports\\*.dll",
122                  "?:\\Windows\\ModemLogs\\*.dll",
123                  "?:\\Windows\\ImmersiveControlPanel\\*.dll",
124                  "?:\\$Recycle.Bin\\*.dll") and
125
126	 /* DLL loaded from the process.executable current directory */
127	 endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))
128'''
129note = """## Triage and analysis
130
131> **Disclaimer**:
132> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
133
134### Investigating Unsigned DLL Side-Loading from a Suspicious Folder
135
136DLL side-loading exploits the trust of signed executables to load malicious DLLs, often from suspicious directories. Adversaries use this to bypass security measures by placing unsigned DLLs in locations mimicking legitimate paths. The detection rule identifies this by checking for trusted programs loading recently modified, unsigned DLLs from atypical directories, signaling potential evasion tactics.
137
138### Possible investigation steps
139
140- Review the process code signature to confirm the legitimacy of the trusted program that loaded the DLL. Check if the process is expected to run from the identified directory.
141- Examine the DLL's path and creation or modification time to determine if it aligns with typical user or system activity. Investigate why the DLL was recently modified or created.
142- Analyze the DLL's code signature status to understand why it is unsigned or has an error status. This can help identify if the DLL is potentially malicious.
143- Investigate the parent process and any associated child processes to understand the context of the DLL loading event. This can provide insights into how the DLL was introduced.
144- Check for any recent changes or anomalies in the system or user activity logs around the time the DLL was created or modified to identify potential indicators of compromise.
145- Correlate the alert with other security events or alerts in the environment to determine if this is part of a broader attack or isolated incident.
146
147### False positive analysis
148
149- Legitimate software updates or installations may temporarily load unsigned DLLs from atypical directories. Users can create exceptions for known update processes by verifying the source and ensuring the process is part of a legitimate update.
150- Custom or in-house applications might load unsigned DLLs from non-standard directories. Users should verify the application's behavior and, if deemed safe, exclude these specific paths or processes from the rule.
151- Development environments often involve testing unsigned DLLs in various directories. Developers can exclude these environments by specifying the directories or processes involved in the development workflow.
152- Some third-party security or system management tools may use unsigned DLLs for legitimate purposes. Users should confirm the tool's legitimacy and add exceptions for these tools to prevent false positives.
153
154### Response and remediation
155
156- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
157- Terminate the process associated with the unsigned DLL to stop any ongoing malicious operations.
158- Quarantine the suspicious DLL file and any related files for further analysis to understand the scope and nature of the threat.
159- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or remnants.
160- Review and restore any altered system configurations or settings to their original state to ensure system integrity.
161- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has impacted other systems.
162- Implement additional monitoring and logging on the affected system and network to detect any recurrence or similar threats in the future."""
163
164
165[[rule.threat]]
166framework = "MITRE ATT&CK"
167[[rule.threat.technique]]
168id = "T1036"
169name = "Masquerading"
170reference = "https://attack.mitre.org/techniques/T1036/"
171[[rule.threat.technique.subtechnique]]
172id = "T1036.001"
173name = "Invalid Code Signature"
174reference = "https://attack.mitre.org/techniques/T1036/001/"
175
176
177[[rule.threat.technique]]
178id = "T1574"
179name = "Hijack Execution Flow"
180reference = "https://attack.mitre.org/techniques/T1574/"
181[[rule.threat.technique.subtechnique]]
182id = "T1574.002"
183name = "DLL Side-Loading"
184reference = "https://attack.mitre.org/techniques/T1574/002/"
185
186
187
188[rule.threat.tactic]
189id = "TA0005"
190name = "Defense Evasion"
191reference = "https://attack.mitre.org/tactics/TA0005/"