Unusual Network Connection via DllHost

calendar Sep 5, 2023 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Defense Evasion Data Source: Elastic Defend  ·
Share on: linkedin copy

Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command and Control activity.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/05/28"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command
13and Control activity.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Unusual Network Connection via DllHost"
20references = [
21    "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
22    "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
23    "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml",
24]
25risk_score = 47
26rule_id = "c7894234-7814-44c2-92a9-f7d851ea246a"
27severity = "medium"
28tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
29type = "eql"
30
31query = '''
32sequence by host.id, process.entity_id with maxspan=1m
33  [process where host.os.type == "windows" and event.type == "start" and process.name : "dllhost.exe" and process.args_count == 1]
34  [network where host.os.type == "windows" and process.name : "dllhost.exe" and
35   not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
36    "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
37    "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
38    "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
39    "FF00::/8")]
40'''
41
42
43[[rule.threat]]
44framework = "MITRE ATT&CK"
45[[rule.threat.technique]]
46id = "T1218"
47name = "System Binary Proxy Execution"
48reference = "https://attack.mitre.org/techniques/T1218/"
49
50
51[rule.threat.tactic]
52id = "TA0005"
53name = "Defense Evasion"
54reference = "https://attack.mitre.org/tactics/TA0005/"

References

  • New sophisticated email-based attack from NOBELIUM | Microsoft Security Blog

    Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components. The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation.


    Read More

  • Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns

    On May 25, 2021, Volexity identified a phishing campaign targeting multiple organizations based in the United States and Europe. The following industries have been observed being targeted thus far: NGOs Research Institutions Government Agencies International Agencies The campaign’s phishing e-mails purported to originate from the USAID government agency and contained a malicious link that resulted in an ISO file being delivered. This file contained a malicious LNK file, a malicious DLL file, and a legitimate lure referencing foreign threats to the 2020 US Federal Elections. This blog post provides details on the observed activity and outlines possible justification that this campaign could be related to APT29. Phishing Email Campaign The original e-mails looked like the following: Figure 1. Phishing e-mails sent to numerous organizations Volexity also observed a smaller campaign from the same sender with largely the same content several hours earlier, but with the subject line "USAID Special Alert!". […]


    Read More

  • IANA IPv4 Special-Purpose Address Registry

    0.0.0.0/8 "This network" [RFC791], Section 3.2 1981-09 N/A True False False False True 0.0.0.0/32 "This host on this network" [RFC1122], Section 3.2.1.3 1981-09 N/A True False False False True 10.0...


    Read More

Related rules

to-top