Execution via local SxS Shared Module
Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/10/28"
3integration = ["endpoint", "windows"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse
11shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local
12paths.
13"""
14from = "now-9m"
15index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Execution via local SxS Shared Module"
19note = """## Triage and analysis
20
21The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.
22"""
23references = ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"]
24risk_score = 47
25rule_id = "a3ea12f3-0d4e-4667-8b44-4230c63f3c75"
26setup = """## Setup
27
28If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
29events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
30Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
31`event.ingested` to @timestamp.
32For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
33"""
34severity = "medium"
35tags = [
36 "Domain: Endpoint",
37 "OS: Windows",
38 "Use Case: Threat Detection",
39 "Tactic: Execution",
40 "Data Source: Elastic Endgame",
41 "Data Source: Elastic Defend",
42 "Data Source: Sysmon",
43]
44timestamp_override = "event.ingested"
45type = "eql"
46
47query = '''
48file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll"
49'''
50
51
52[[rule.threat]]
53framework = "MITRE ATT&CK"
54[[rule.threat.technique]]
55id = "T1129"
56name = "Shared Modules"
57reference = "https://attack.mitre.org/techniques/T1129/"
58
59
60[rule.threat.tactic]
61id = "TA0002"
62name = "Execution"
63reference = "https://attack.mitre.org/tactics/TA0002/"
Triage and analysis
The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.
References
-
If your application depends on a specific version of a shared DLL, and another application is installed with a newer or older version of that DLL, then that can cause a problem; it can cause your app to start to fail. Another use case for DLL redirection is to load a private build of a DLL.
Read More
Related rules
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Execution of File Written or Modified by PDF Reader
- Microsoft Build Engine Using an Alternate Name
- Microsoft Exchange Worker Spawning Suspicious Processes