Unusual Network Connection via DllHost

  1[metadata]
  2creation_date = "2021/05/28"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6min_stack_version = "8.14.0"
  7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command
 13and Control activity.
 14"""
 15from = "now-9m"
 16index = [
 17    "winlogbeat-*",
 18    "logs-endpoint.events.process-*",
 19    "logs-endpoint.events.network-*",
 20    "logs-windows.sysmon_operational-*",
 21]
 22language = "eql"
 23license = "Elastic License v2"
 24name = "Unusual Network Connection via DllHost"
 25references = [
 26    "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
 27    "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
 28    "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml",
 29]
 30risk_score = 47
 31rule_id = "c7894234-7814-44c2-92a9-f7d851ea246a"
 32severity = "medium"
 33tags = [
 34    "Domain: Endpoint",
 35    "OS: Windows",
 36    "Use Case: Threat Detection",
 37    "Tactic: Defense Evasion",
 38    "Data Source: Elastic Defend",
 39    "Data Source: Sysmon",
 40    "Resources: Investigation Guide",
 41]
 42type = "eql"
 43
 44query = '''
 45sequence by host.id, process.entity_id with maxspan=1m
 46  [process where host.os.type == "windows" and event.type == "start" and process.name : "dllhost.exe" and process.args_count == 1]
 47  [network where host.os.type == "windows" and process.name : "dllhost.exe" and
 48   not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
 49    "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
 50    "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
 51    "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
 52    "FF00::/8")]
 53'''
 54note = """## Triage and analysis
 55
 56> **Disclaimer**:
 57> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 58
 59### Investigating Unusual Network Connection via DllHost
 60
 61Dllhost.exe is a legitimate Windows process used to host DLL services. Adversaries may exploit it for stealthy command and control by initiating unauthorized network connections. The detection rule identifies suspicious dllhost.exe activity by monitoring outbound connections to non-local IPs, which may indicate malicious intent. This approach helps in identifying potential threats by focusing on unusual network behaviors associated with this process.
 62
 63### Possible investigation steps
 64
 65- Review the process start event for dllhost.exe to confirm its legitimacy by checking the process arguments and the parent process that initiated it.
 66- Analyze the destination IP addresses involved in the network connections to determine if they are known malicious or suspicious entities, using threat intelligence sources.
 67- Check the timeline of events to see if there are any other unusual activities on the host around the time of the dllhost.exe network connection, such as other process executions or file modifications.
 68- Investigate the user account associated with the dllhost.exe process to determine if there are any signs of compromise or unauthorized access.
 69- Examine the network traffic patterns from the host to identify any other unusual outbound connections that might indicate broader malicious activity.
 70
 71### False positive analysis
 72
 73- Legitimate software updates or system maintenance tasks may cause dllhost.exe to make outbound connections. Users can monitor and whitelist known update servers to prevent these from being flagged.
 74- Certain enterprise applications might use dllhost.exe for legitimate network communications. Identify and document these applications, then create exceptions for their known IP addresses.
 75- Automated scripts or administrative tools that leverage dllhost.exe for network tasks can trigger false positives. Review and exclude these scripts or tools by specifying their associated IP ranges.
 76- Cloud-based services or virtual environments might route traffic through dllhost.exe. Verify these services and exclude their IP addresses from the detection rule to avoid unnecessary alerts.
 77
 78### Response and remediation
 79
 80- Isolate the affected host from the network immediately to prevent further unauthorized communications and potential lateral movement.
 81- Terminate the suspicious dllhost.exe process to stop any ongoing malicious activity and prevent further outbound connections.
 82- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional malicious software or artifacts.
 83- Review and analyze the network logs to identify any other systems that may have been targeted or compromised, and apply similar containment measures if necessary.
 84- Restore the affected system from a known good backup to ensure that any potential backdoors or persistent threats are removed.
 85- Implement network segmentation to limit the ability of similar threats to spread across the network in the future.
 86- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional organizational measures are required."""
 87
 88
 89[[rule.threat]]
 90framework = "MITRE ATT&CK"
 91[[rule.threat.technique]]
 92id = "T1218"
 93name = "System Binary Proxy Execution"
 94reference = "https://attack.mitre.org/techniques/T1218/"
 95
 96
 97[rule.threat.tactic]
 98id = "TA0005"
 99name = "Defense Evasion"
100reference = "https://attack.mitre.org/tactics/TA0005/"