Execution via local SxS Shared Module

Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/10/28"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse
shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local
paths.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Execution via local SxS Shared Module"
note = """## Triage and analysis

The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.

## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"]
risk_score = 47
rule_id = "a3ea12f3-0d4e-4667-8b44-4230c63f3c75"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1129"
name = "Shared Modules"
reference = "https://attack.mitre.org/techniques/T1129/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
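To check which file events the query above selects before enabling the rule, the following added example (not part of the Elastic rule or its repository) re-implements the query's three conditions in Python and runs them over constructed events. The flattened event dictionaries, the `ev` helper, the `event.action` values and all sample paths are assumptions made for illustration; only the path pattern and field names come from the rule.

```python
import re

# Path pattern as EQL sees it after unescaping the rule's query string.
RULE_PATH_PATTERN = r"C:\*\*.exe.local\*.dll"

def eql_wildcard(pattern):
    """Compile an EQL ':' wildcard string: case-insensitive, whole-string match,
    '*' = any run of characters (backslashes included), '?' = one character."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

PATH_RE = eql_wildcard(RULE_PATH_PATTERN)

def rule_matches(event):
    """Evaluate the rule's conditions against a flattened event dict (assumed shape)."""
    return (
        event.get("event.category") == "file"                     # `file where`
        and event.get("host.os.type") == "windows"                # == is case-sensitive
        and (event.get("file.extension") or "").lower() == "dll"  # ':' ignores case
        and PATH_RE.fullmatch(event.get("file.path") or "") is not None
    )

def ev(path, action="creation", os_type="windows"):
    """Build a constructed file event; the query does not filter on event.action."""
    ext = path.rsplit(".", 1)[-1] if "." in path else ""
    return {"event.category": "file", "event.action": action,
            "host.os.type": os_type, "file.path": path, "file.extension": ext}

# Constructed sample events, not taken from real telemetry.
SAMPLE_EVENTS = [
    ev(r"C:\Program Files\Contoso\app.exe.local\version.dll"),                     # match
    ev(r"c:\users\alice\temp\TOOL.EXE.LOCAL\comctl32.DLL", "overwrite"),           # match, any case
    ev(r"C:\Program Files\Contoso\app.exe.local\x86\helper.dll", "deletion"),      # match, nested
    ev(r"C:\Program Files\Contoso\version.dll"),                # no .exe.local folder
    ev(r"C:\Program Files\Contoso\app.exe.local\readme.txt"),   # not a DLL
    ev(r"D:\Tools\app.exe.local\version.dll"),                  # pattern is fixed to C:
]

def matched_paths(events):
    """Return the file.path of every event the rule logic selects."""
    return [e["file.path"] for e in events if rule_matches(e)]

if __name__ == "__main__":
    for p in matched_paths(SAMPLE_EVENTS):
        print("ALERT", p)
```

Because the pattern begins with a literal `C:`, events from other drive letters need a separate or broadened rule if those volumes are in scope.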

Triage and analysis

The SxS DotLocal folder is a legitimate feature that can be abused to hijack the standard module loading order: an executable that has an application.exe.local folder beside it can be forced to load a malicious DLL module from that folder.

Setup

If you enable an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested, and the default fallback for EQL rules was not added until 8.2. You will need to add a custom pipeline that populates event.ingested from @timestamp for this rule to work.
