Unusual Network Connection via DllHost
Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command and Control activity.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/05/28"
3integration = ["endpoint", "windows"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command
11and Control activity.
12"""
13from = "now-9m"
14index = [
15 "winlogbeat-*",
16 "logs-endpoint.events.process-*",
17 "logs-endpoint.events.network-*",
18 "logs-windows.sysmon_operational-*",
19]
20language = "eql"
21license = "Elastic License v2"
22name = "Unusual Network Connection via DllHost"
23references = [
24 "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
25 "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
26 "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml",
27]
28risk_score = 47
29rule_id = "c7894234-7814-44c2-92a9-f7d851ea246a"
30severity = "medium"
31tags = [
32 "Domain: Endpoint",
33 "OS: Windows",
34 "Use Case: Threat Detection",
35 "Tactic: Defense Evasion",
36 "Data Source: Elastic Defend",
37 "Data Source: Sysmon",
38]
39type = "eql"
40
41query = '''
42sequence by host.id, process.entity_id with maxspan=1m
43 [process where host.os.type == "windows" and event.type == "start" and process.name : "dllhost.exe" and process.args_count == 1]
44 [network where host.os.type == "windows" and process.name : "dllhost.exe" and
45 not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
46 "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
47 "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
48 "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
49 "FF00::/8")]
50'''
51
52
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55[[rule.threat.technique]]
56id = "T1218"
57name = "System Binary Proxy Execution"
58reference = "https://attack.mitre.org/techniques/T1218/"
59
60
61[rule.threat.tactic]
62id = "TA0005"
63name = "Defense Evasion"
64reference = "https://attack.mitre.org/tactics/TA0005/"
References
Related rules
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Code Signing Policy Modification Through Registry
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Creation or Modification of Root Certificate