Unsigned DLL Side-Loading from a Suspicious Folder
Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/11/22"
3maturity = "production"
4integration = ["endpoint"]
5min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above."
6min_stack_version = "8.4.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted
13program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading
14a malicious DLL within the memory space of a signed processes.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.library-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Unsigned DLL Side-Loading from a Suspicious Folder"
21risk_score = 47
22rule_id = "ca98c7cf-a56e-4057-a4e8-39603f7f0389"
23setup = """## Setup
24
25If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
26events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
27Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
28`event.ingested` to @timestamp.
29For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
30"""
31severity = "medium"
32tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
33timestamp_override = "event.ingested"
34type = "eql"
35
36query = '''
37library where host.os.type == "windows" and
38
39 process.code_signature.trusted == true and
40
41 (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and
42
43 not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining") and
44
45 /* Suspicious Paths */
46 dll.path : ("?:\\PerfLogs\\*.dll",
47 "?:\\Users\\*\\Pictures\\*.dll",
48 "?:\\Users\\*\\Music\\*.dll",
49 "?:\\Users\\Public\\*.dll",
50 "?:\\Users\\*\\Documents\\*.dll",
51 "?:\\Windows\\Tasks\\*.dll",
52 "?:\\Windows\\System32\\Tasks\\*.dll",
53 "?:\\Intel\\*.dll",
54 "?:\\AMD\\Temp\\*.dll",
55 "?:\\Windows\\AppReadiness\\*.dll",
56 "?:\\Windows\\ServiceState\\*.dll",
57 "?:\\Windows\\security\\*.dll",
58 "?:\\Windows\\System\\*.dll",
59 "?:\\Windows\\IdentityCRL\\*.dll",
60 "?:\\Windows\\Branding\\*.dll",
61 "?:\\Windows\\csc\\*.dll",
62 "?:\\Windows\\DigitalLocker\\*.dll",
63 "?:\\Windows\\en-US\\*.dll",
64 "?:\\Windows\\wlansvc\\*.dll",
65 "?:\\Windows\\Prefetch\\*.dll",
66 "?:\\Windows\\Fonts\\*.dll",
67 "?:\\Windows\\diagnostics\\*.dll",
68 "?:\\Windows\\TAPI\\*.dll",
69 "?:\\Windows\\INF\\*.dll",
70 "?:\\windows\\tracing\\*.dll",
71 "?:\\windows\\IME\\*.dll",
72 "?:\\Windows\\Performance\\*.dll",
73 "?:\\windows\\intel\\*.dll",
74 "?:\\windows\\ms\\*.dll",
75 "?:\\Windows\\dot3svc\\*.dll",
76 "?:\\Windows\\ServiceProfiles\\*.dll",
77 "?:\\Windows\\panther\\*.dll",
78 "?:\\Windows\\RemotePackages\\*.dll",
79 "?:\\Windows\\OCR\\*.dll",
80 "?:\\Windows\\appcompat\\*.dll",
81 "?:\\Windows\\apppatch\\*.dll",
82 "?:\\Windows\\addins\\*.dll",
83 "?:\\Windows\\Setup\\*.dll",
84 "?:\\Windows\\Help\\*.dll",
85 "?:\\Windows\\SKB\\*.dll",
86 "?:\\Windows\\Vss\\*.dll",
87 "?:\\Windows\\Web\\*.dll",
88 "?:\\Windows\\servicing\\*.dll",
89 "?:\\Windows\\CbsTemp\\*.dll",
90 "?:\\Windows\\Logs\\*.dll",
91 "?:\\Windows\\WaaS\\*.dll",
92 "?:\\Windows\\twain_32\\*.dll",
93 "?:\\Windows\\ShellExperiences\\*.dll",
94 "?:\\Windows\\ShellComponents\\*.dll",
95 "?:\\Windows\\PLA\\*.dll",
96 "?:\\Windows\\Migration\\*.dll",
97 "?:\\Windows\\debug\\*.dll",
98 "?:\\Windows\\Cursors\\*.dll",
99 "?:\\Windows\\Containers\\*.dll",
100 "?:\\Windows\\Boot\\*.dll",
101 "?:\\Windows\\bcastdvr\\*.dll",
102 "?:\\Windows\\TextInput\\*.dll",
103 "?:\\Windows\\schemas\\*.dll",
104 "?:\\Windows\\SchCache\\*.dll",
105 "?:\\Windows\\Resources\\*.dll",
106 "?:\\Windows\\rescache\\*.dll",
107 "?:\\Windows\\Provisioning\\*.dll",
108 "?:\\Windows\\PrintDialog\\*.dll",
109 "?:\\Windows\\PolicyDefinitions\\*.dll",
110 "?:\\Windows\\media\\*.dll",
111 "?:\\Windows\\Globalization\\*.dll",
112 "?:\\Windows\\L2Schemas\\*.dll",
113 "?:\\Windows\\LiveKernelReports\\*.dll",
114 "?:\\Windows\\ModemLogs\\*.dll",
115 "?:\\Windows\\ImmersiveControlPanel\\*.dll",
116 "?:\\$Recycle.Bin\\*.dll") and
117
118 /* DLL loaded from the process.executable current directory */
119 endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))
120'''
121
122
123[[rule.threat]]
124framework = "MITRE ATT&CK"
125[[rule.threat.technique]]
126id = "T1036"
127name = "Masquerading"
128reference = "https://attack.mitre.org/techniques/T1036/"
129
130[[rule.threat.technique.subtechnique]]
131id = "T1036.001"
132name = "Invalid Code Signature"
133reference = "https://attack.mitre.org/techniques/T1036/001/"
134
135[[rule.threat.technique]]
136id = "T1574"
137name = "Hijack Execution Flow"
138reference = "https://attack.mitre.org/techniques/T1574/"
139[[rule.threat.technique.subtechnique]]
140id = "T1574.002"
141name = "DLL Side-Loading"
142reference = "https://attack.mitre.org/techniques/T1574/002/"
143
144
145
146[rule.threat.tactic]
147id = "TA0005"
148name = "Defense Evasion"
149reference = "https://attack.mitre.org/tactics/TA0005/"
Related rules
- Adding Hidden File Attribute via Attrib
- Attempt to Install Kali Linux via WSL
- Bypass UAC via Event Viewer
- Clearing Windows Console History
- Clearing Windows Event Logs