Unsigned DLL Side-Loading from a Suspicious Folder
Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/11/22"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted
11program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a
12malicious DLL within the memory space of a signed processes.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.library-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Unsigned DLL Side-Loading from a Suspicious Folder"
19risk_score = 47
20rule_id = "ca98c7cf-a56e-4057-a4e8-39603f7f0389"
21setup = """## Setup
22
23If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
24events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
25Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
26`event.ingested` to @timestamp.
27For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
28"""
29severity = "medium"
30tags = [
31 "Domain: Endpoint",
32 "OS: Windows",
33 "Use Case: Threat Detection",
34 "Tactic: Defense Evasion",
35 "Data Source: Elastic Defend",
36]
37timestamp_override = "event.ingested"
38type = "eql"
39
40query = '''
41library where host.os.type == "windows" and
42
43 process.code_signature.trusted == true and
44
45 (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and
46
47 not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining") and
48
49 /* Suspicious Paths */
50 dll.path : ("?:\\PerfLogs\\*.dll",
51 "?:\\Users\\*\\Pictures\\*.dll",
52 "?:\\Users\\*\\Music\\*.dll",
53 "?:\\Users\\Public\\*.dll",
54 "?:\\Users\\*\\Documents\\*.dll",
55 "?:\\Windows\\Tasks\\*.dll",
56 "?:\\Windows\\System32\\Tasks\\*.dll",
57 "?:\\Intel\\*.dll",
58 "?:\\AMD\\Temp\\*.dll",
59 "?:\\Windows\\AppReadiness\\*.dll",
60 "?:\\Windows\\ServiceState\\*.dll",
61 "?:\\Windows\\security\\*.dll",
62 "?:\\Windows\\System\\*.dll",
63 "?:\\Windows\\IdentityCRL\\*.dll",
64 "?:\\Windows\\Branding\\*.dll",
65 "?:\\Windows\\csc\\*.dll",
66 "?:\\Windows\\DigitalLocker\\*.dll",
67 "?:\\Windows\\en-US\\*.dll",
68 "?:\\Windows\\wlansvc\\*.dll",
69 "?:\\Windows\\Prefetch\\*.dll",
70 "?:\\Windows\\Fonts\\*.dll",
71 "?:\\Windows\\diagnostics\\*.dll",
72 "?:\\Windows\\TAPI\\*.dll",
73 "?:\\Windows\\INF\\*.dll",
74 "?:\\windows\\tracing\\*.dll",
75 "?:\\windows\\IME\\*.dll",
76 "?:\\Windows\\Performance\\*.dll",
77 "?:\\windows\\intel\\*.dll",
78 "?:\\windows\\ms\\*.dll",
79 "?:\\Windows\\dot3svc\\*.dll",
80 "?:\\Windows\\ServiceProfiles\\*.dll",
81 "?:\\Windows\\panther\\*.dll",
82 "?:\\Windows\\RemotePackages\\*.dll",
83 "?:\\Windows\\OCR\\*.dll",
84 "?:\\Windows\\appcompat\\*.dll",
85 "?:\\Windows\\apppatch\\*.dll",
86 "?:\\Windows\\addins\\*.dll",
87 "?:\\Windows\\Setup\\*.dll",
88 "?:\\Windows\\Help\\*.dll",
89 "?:\\Windows\\SKB\\*.dll",
90 "?:\\Windows\\Vss\\*.dll",
91 "?:\\Windows\\Web\\*.dll",
92 "?:\\Windows\\servicing\\*.dll",
93 "?:\\Windows\\CbsTemp\\*.dll",
94 "?:\\Windows\\Logs\\*.dll",
95 "?:\\Windows\\WaaS\\*.dll",
96 "?:\\Windows\\twain_32\\*.dll",
97 "?:\\Windows\\ShellExperiences\\*.dll",
98 "?:\\Windows\\ShellComponents\\*.dll",
99 "?:\\Windows\\PLA\\*.dll",
100 "?:\\Windows\\Migration\\*.dll",
101 "?:\\Windows\\debug\\*.dll",
102 "?:\\Windows\\Cursors\\*.dll",
103 "?:\\Windows\\Containers\\*.dll",
104 "?:\\Windows\\Boot\\*.dll",
105 "?:\\Windows\\bcastdvr\\*.dll",
106 "?:\\Windows\\TextInput\\*.dll",
107 "?:\\Windows\\schemas\\*.dll",
108 "?:\\Windows\\SchCache\\*.dll",
109 "?:\\Windows\\Resources\\*.dll",
110 "?:\\Windows\\rescache\\*.dll",
111 "?:\\Windows\\Provisioning\\*.dll",
112 "?:\\Windows\\PrintDialog\\*.dll",
113 "?:\\Windows\\PolicyDefinitions\\*.dll",
114 "?:\\Windows\\media\\*.dll",
115 "?:\\Windows\\Globalization\\*.dll",
116 "?:\\Windows\\L2Schemas\\*.dll",
117 "?:\\Windows\\LiveKernelReports\\*.dll",
118 "?:\\Windows\\ModemLogs\\*.dll",
119 "?:\\Windows\\ImmersiveControlPanel\\*.dll",
120 "?:\\$Recycle.Bin\\*.dll") and
121
122 /* DLL loaded from the process.executable current directory */
123 endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))
124'''
125
126
127[[rule.threat]]
128framework = "MITRE ATT&CK"
129[[rule.threat.technique]]
130id = "T1036"
131name = "Masquerading"
132reference = "https://attack.mitre.org/techniques/T1036/"
133[[rule.threat.technique.subtechnique]]
134id = "T1036.001"
135name = "Invalid Code Signature"
136reference = "https://attack.mitre.org/techniques/T1036/001/"
137
138
139[[rule.threat.technique]]
140id = "T1574"
141name = "Hijack Execution Flow"
142reference = "https://attack.mitre.org/techniques/T1574/"
143[[rule.threat.technique.subtechnique]]
144id = "T1574.002"
145name = "DLL Side-Loading"
146reference = "https://attack.mitre.org/techniques/T1574/002/"
147
148
149
150[rule.threat.tactic]
151id = "TA0005"
152name = "Defense Evasion"
153reference = "https://attack.mitre.org/tactics/TA0005/"
Related rules
- Adding Hidden File Attribute via Attrib
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Attempt to Install Kali Linux via WSL
- Clearing Windows Console History
- Clearing Windows Event Logs