Unsigned DLL Side-Loading from a Suspicious Folder
Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/11/22"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/09/23"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted
11program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a
12malicious DLL within the memory space of a signed processes.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.library-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Unsigned DLL Side-Loading from a Suspicious Folder"
19references = [
20 "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion",
21]
22risk_score = 47
23rule_id = "ca98c7cf-a56e-4057-a4e8-39603f7f0389"
24setup = """## Setup
25
26If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
27events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
28Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
29`event.ingested` to @timestamp.
30For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
31"""
32severity = "medium"
33tags = [
34 "Domain: Endpoint",
35 "OS: Windows",
36 "Use Case: Threat Detection",
37 "Tactic: Defense Evasion",
38 "Data Source: Elastic Defend",
39]
40timestamp_override = "event.ingested"
41type = "eql"
42
43query = '''
44library where host.os.type == "windows" and
45
46 process.code_signature.trusted == true and
47
48 (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and
49
50 not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining") and
51
52 /* Suspicious Paths */
53 dll.path : ("?:\\PerfLogs\\*.dll",
54 "?:\\Users\\*\\Pictures\\*.dll",
55 "?:\\Users\\*\\Music\\*.dll",
56 "?:\\Users\\Public\\*.dll",
57 "?:\\Users\\*\\Documents\\*.dll",
58 "?:\\Windows\\Tasks\\*.dll",
59 "?:\\Windows\\System32\\Tasks\\*.dll",
60 "?:\\Intel\\*.dll",
61 "?:\\AMD\\Temp\\*.dll",
62 "?:\\Windows\\AppReadiness\\*.dll",
63 "?:\\Windows\\ServiceState\\*.dll",
64 "?:\\Windows\\security\\*.dll",
65 "?:\\Windows\\System\\*.dll",
66 "?:\\Windows\\IdentityCRL\\*.dll",
67 "?:\\Windows\\Branding\\*.dll",
68 "?:\\Windows\\csc\\*.dll",
69 "?:\\Windows\\DigitalLocker\\*.dll",
70 "?:\\Windows\\en-US\\*.dll",
71 "?:\\Windows\\wlansvc\\*.dll",
72 "?:\\Windows\\Prefetch\\*.dll",
73 "?:\\Windows\\Fonts\\*.dll",
74 "?:\\Windows\\diagnostics\\*.dll",
75 "?:\\Windows\\TAPI\\*.dll",
76 "?:\\Windows\\INF\\*.dll",
77 "?:\\windows\\tracing\\*.dll",
78 "?:\\windows\\IME\\*.dll",
79 "?:\\Windows\\Performance\\*.dll",
80 "?:\\windows\\intel\\*.dll",
81 "?:\\windows\\ms\\*.dll",
82 "?:\\Windows\\dot3svc\\*.dll",
83 "?:\\Windows\\ServiceProfiles\\*.dll",
84 "?:\\Windows\\panther\\*.dll",
85 "?:\\Windows\\RemotePackages\\*.dll",
86 "?:\\Windows\\OCR\\*.dll",
87 "?:\\Windows\\appcompat\\*.dll",
88 "?:\\Windows\\apppatch\\*.dll",
89 "?:\\Windows\\addins\\*.dll",
90 "?:\\Windows\\Setup\\*.dll",
91 "?:\\Windows\\Help\\*.dll",
92 "?:\\Windows\\SKB\\*.dll",
93 "?:\\Windows\\Vss\\*.dll",
94 "?:\\Windows\\Web\\*.dll",
95 "?:\\Windows\\servicing\\*.dll",
96 "?:\\Windows\\CbsTemp\\*.dll",
97 "?:\\Windows\\Logs\\*.dll",
98 "?:\\Windows\\WaaS\\*.dll",
99 "?:\\Windows\\twain_32\\*.dll",
100 "?:\\Windows\\ShellExperiences\\*.dll",
101 "?:\\Windows\\ShellComponents\\*.dll",
102 "?:\\Windows\\PLA\\*.dll",
103 "?:\\Windows\\Migration\\*.dll",
104 "?:\\Windows\\debug\\*.dll",
105 "?:\\Windows\\Cursors\\*.dll",
106 "?:\\Windows\\Containers\\*.dll",
107 "?:\\Windows\\Boot\\*.dll",
108 "?:\\Windows\\bcastdvr\\*.dll",
109 "?:\\Windows\\TextInput\\*.dll",
110 "?:\\Windows\\schemas\\*.dll",
111 "?:\\Windows\\SchCache\\*.dll",
112 "?:\\Windows\\Resources\\*.dll",
113 "?:\\Windows\\rescache\\*.dll",
114 "?:\\Windows\\Provisioning\\*.dll",
115 "?:\\Windows\\PrintDialog\\*.dll",
116 "?:\\Windows\\PolicyDefinitions\\*.dll",
117 "?:\\Windows\\media\\*.dll",
118 "?:\\Windows\\Globalization\\*.dll",
119 "?:\\Windows\\L2Schemas\\*.dll",
120 "?:\\Windows\\LiveKernelReports\\*.dll",
121 "?:\\Windows\\ModemLogs\\*.dll",
122 "?:\\Windows\\ImmersiveControlPanel\\*.dll",
123 "?:\\$Recycle.Bin\\*.dll") and
124
125 /* DLL loaded from the process.executable current directory */
126 endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))
127'''
128
129
130[[rule.threat]]
131framework = "MITRE ATT&CK"
132[[rule.threat.technique]]
133id = "T1036"
134name = "Masquerading"
135reference = "https://attack.mitre.org/techniques/T1036/"
136[[rule.threat.technique.subtechnique]]
137id = "T1036.001"
138name = "Invalid Code Signature"
139reference = "https://attack.mitre.org/techniques/T1036/001/"
140
141
142[[rule.threat.technique]]
143id = "T1574"
144name = "Hijack Execution Flow"
145reference = "https://attack.mitre.org/techniques/T1574/"
146[[rule.threat.technique.subtechnique]]
147id = "T1574.002"
148name = "DLL Side-Loading"
149reference = "https://attack.mitre.org/techniques/T1574/002/"
150
151
152
153[rule.threat.tactic]
154id = "TA0005"
155name = "Defense Evasion"
156reference = "https://attack.mitre.org/tactics/TA0005/"
References
Related rules
- Mshta Making Network Connections
- Parent Process PID Spoofing
- Potential Windows Error Manager Masquerading
- Unsigned DLL Loaded by Svchost
- ROT Encoded Python Script Execution