Execution via local SxS Shared Module

calendar Oct 15, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Execution Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: Sysmon Data Source: Microsoft Defender for Endpoint Data Source: SentinelOne  ·
Share on: linkedin copy

Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/10/28"
 3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse
13shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local
14paths.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Execution via local SxS Shared Module"
21note = """## Triage and analysis
22
23The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.
24"""
25references = ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"]
26risk_score = 47
27rule_id = "a3ea12f3-0d4e-4667-8b44-4230c63f3c75"
28severity = "medium"
29tags = [
30    "Domain: Endpoint",
31    "OS: Windows",
32    "Use Case: Threat Detection",
33    "Tactic: Execution",
34    "Data Source: Elastic Endgame",
35    "Data Source: Elastic Defend",
36    "Data Source: Sysmon",
37    "Data Source: Microsoft Defender for Endpoint",
38    "Data Source: SentinelOne",
39]
40timestamp_override = "event.ingested"
41type = "eql"
42
43query = '''
44file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll"
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1129"
52name = "Shared Modules"
53reference = "https://attack.mitre.org/techniques/T1129/"
54
55
56[rule.threat.tactic]
57id = "TA0002"
58name = "Execution"
59reference = "https://attack.mitre.org/tactics/TA0002/"

Triage and analysis

The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.

References

  • Dynamic-link library redirection - Win32 apps

    If your application depends on a specific version of a shared DLL, and another application is installed with a newer or older version of that DLL, then that can cause a problem; it can cause your app to start to fail. Another use case for DLL redirection is to load a private build of a DLL.


    Read More

Related rules

to-top