Execution via local SxS Shared Module

calendar Apr 1, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Execution Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: Sysmon  ·
Share on: linkedin copy

Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/10/28"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/03/28"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse
13shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local
14paths.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Execution via local SxS Shared Module"
21note = """## Triage and analysis
22
23The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.
24"""
25references = ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"]
26risk_score = 47
27rule_id = "a3ea12f3-0d4e-4667-8b44-4230c63f3c75"
28setup = """## Setup
29
30If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
31events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
32Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
33`event.ingested` to @timestamp.
34For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
35"""
36severity = "medium"
37tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
38timestamp_override = "event.ingested"
39type = "eql"
40
41query = '''
42file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll"
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1129"
50name = "Shared Modules"
51reference = "https://attack.mitre.org/techniques/T1129/"
52
53
54[rule.threat.tactic]
55id = "TA0002"
56name = "Execution"
57reference = "https://attack.mitre.org/tactics/TA0002/"

Triage and analysis

The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.

References

  • Dynamic-link library redirection - Win32 apps

    If your application depends on a specific version of a shared DLL, and another application is installed with a newer or older version of that DLL, then that can cause a problem; it can cause your app to start to fail. Another use case for DLL redirection is to load a private build of a DLL.


    Read More

Related rules

to-top