Unsigned DLL Side-Loading from a Suspicious Folder
Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/11/22"
3maturity = "production"
4integration = ["endpoint"]
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.4.0"
7updated_date = "2023/06/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted
13program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading
14a malicious DLL within the memory space of a signed processes.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Unsigned DLL Side-Loading from a Suspicious Folder"
21note = """## Setup
22
23If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
24"""
25risk_score = 47
26rule_id = "ca98c7cf-a56e-4057-a4e8-39603f7f0389"
27severity = "medium"
28tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
29timestamp_override = "event.ingested"
30type = "eql"
31
32query = '''
33library where host.os.type == "windows" and
34
35 process.code_signature.trusted == true and
36
37 (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and
38
39 not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining") and
40
41 /* Suspicious Paths */
42 dll.path : ("?:\\PerfLogs\\*.dll",
43 "?:\\Users\\*\\Pictures\\*.dll",
44 "?:\\Users\\*\\Music\\*.dll",
45 "?:\\Users\\Public\\*.dll",
46 "?:\\Users\\*\\Documents\\*.dll",
47 "?:\\Windows\\Tasks\\*.dll",
48 "?:\\Windows\\System32\\Tasks\\*.dll",
49 "?:\\Intel\\*.dll",
50 "?:\\AMD\\Temp\\*.dll",
51 "?:\\Windows\\AppReadiness\\*.dll",
52 "?:\\Windows\\ServiceState\\*.dll",
53 "?:\\Windows\\security\\*.dll",
54 "?:\\Windows\\System\\*.dll",
55 "?:\\Windows\\IdentityCRL\\*.dll",
56 "?:\\Windows\\Branding\\*.dll",
57 "?:\\Windows\\csc\\*.dll",
58 "?:\\Windows\\DigitalLocker\\*.dll",
59 "?:\\Windows\\en-US\\*.dll",
60 "?:\\Windows\\wlansvc\\*.dll",
61 "?:\\Windows\\Prefetch\\*.dll",
62 "?:\\Windows\\Fonts\\*.dll",
63 "?:\\Windows\\diagnostics\\*.dll",
64 "?:\\Windows\\TAPI\\*.dll",
65 "?:\\Windows\\INF\\*.dll",
66 "?:\\windows\\tracing\\*.dll",
67 "?:\\windows\\IME\\*.dll",
68 "?:\\Windows\\Performance\\*.dll",
69 "?:\\windows\\intel\\*.dll",
70 "?:\\windows\\ms\\*.dll",
71 "?:\\Windows\\dot3svc\\*.dll",
72 "?:\\Windows\\ServiceProfiles\\*.dll",
73 "?:\\Windows\\panther\\*.dll",
74 "?:\\Windows\\RemotePackages\\*.dll",
75 "?:\\Windows\\OCR\\*.dll",
76 "?:\\Windows\\appcompat\\*.dll",
77 "?:\\Windows\\apppatch\\*.dll",
78 "?:\\Windows\\addins\\*.dll",
79 "?:\\Windows\\Setup\\*.dll",
80 "?:\\Windows\\Help\\*.dll",
81 "?:\\Windows\\SKB\\*.dll",
82 "?:\\Windows\\Vss\\*.dll",
83 "?:\\Windows\\Web\\*.dll",
84 "?:\\Windows\\servicing\\*.dll",
85 "?:\\Windows\\CbsTemp\\*.dll",
86 "?:\\Windows\\Logs\\*.dll",
87 "?:\\Windows\\WaaS\\*.dll",
88 "?:\\Windows\\twain_32\\*.dll",
89 "?:\\Windows\\ShellExperiences\\*.dll",
90 "?:\\Windows\\ShellComponents\\*.dll",
91 "?:\\Windows\\PLA\\*.dll",
92 "?:\\Windows\\Migration\\*.dll",
93 "?:\\Windows\\debug\\*.dll",
94 "?:\\Windows\\Cursors\\*.dll",
95 "?:\\Windows\\Containers\\*.dll",
96 "?:\\Windows\\Boot\\*.dll",
97 "?:\\Windows\\bcastdvr\\*.dll",
98 "?:\\Windows\\TextInput\\*.dll",
99 "?:\\Windows\\schemas\\*.dll",
100 "?:\\Windows\\SchCache\\*.dll",
101 "?:\\Windows\\Resources\\*.dll",
102 "?:\\Windows\\rescache\\*.dll",
103 "?:\\Windows\\Provisioning\\*.dll",
104 "?:\\Windows\\PrintDialog\\*.dll",
105 "?:\\Windows\\PolicyDefinitions\\*.dll",
106 "?:\\Windows\\media\\*.dll",
107 "?:\\Windows\\Globalization\\*.dll",
108 "?:\\Windows\\L2Schemas\\*.dll",
109 "?:\\Windows\\LiveKernelReports\\*.dll",
110 "?:\\Windows\\ModemLogs\\*.dll",
111 "?:\\Windows\\ImmersiveControlPanel\\*.dll",
112 "?:\\$Recycle.Bin\\*.dll") and
113
114 /* DLL loaded from the process.executable current directory */
115 endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))
116'''
117
118
119[[rule.threat]]
120framework = "MITRE ATT&CK"
121[[rule.threat.technique]]
122id = "T1574"
123name = "Hijack Execution Flow"
124reference = "https://attack.mitre.org/techniques/T1574/"
125[[rule.threat.technique.subtechnique]]
126id = "T1574.002"
127name = "DLL Side-Loading"
128reference = "https://attack.mitre.org/techniques/T1574/002/"
129
130
131
132[rule.threat.tactic]
133id = "TA0005"
134name = "Defense Evasion"
135reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.
Related rules
- Adding Hidden File Attribute via Attrib
- Attempt to Install Kali Linux via WSL
- Clearing Windows Console History
- Clearing Windows Event Logs
- Code Signing Policy Modification Through Built-in tools