Unsigned DLL Loaded by Svchost
Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared Windows service (svchost). Adversaries may use this technique to maintain persistence or run with System privileges.
# Rule-management metadata consumed by Elastic's detection-rules tooling (not part of the query logic).
[metadata]
creation_date = "2023/01/17"
# Integration the rule depends on: the query reads Elastic Defend library-load events
# from logs-endpoint.events.library-*.
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/23"

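# Detection rule definition. The EQL query below alerts when svchost.exe loads a DLL whose
# code signature is not trusted; see the comment above `query` for the exact conditions.
[rule]
author = ["Elastic"]
description = """
Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service
(svchost). Adversaries may use this technique to maintain persistence or run with System privileges.
"""
# Lookback window per rule execution; paired with timestamp_override below so that late-ingested
# events are still evaluated.
from = "now-9m"
index = ["logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Unsigned DLL Loaded by Svchost"
references = [
 "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion",
]
risk_score = 47
rule_id = "78ef0c95-9dc2-40ac-a8da-5deb6293a14e"
severity = "medium"
# The three Tactic tags mirror the three [[rule.threat]] mappings further down.
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Persistence",
 "Tactic: Defense Evasion",
 "Tactic: Execution",
 "Data Source: Elastic Defend",
]
# Evaluate the lookback window against ingest time rather than the event's own timestamp.
timestamp_override = "event.ingested"
type = "eql"

# Conditions (all must hold): a library event on Windows; the loading process is the System32 or
# SysWOW64 svchost.exe; the DLL's signature is not trusted and its status is none of the tolerated
# values; a sha256 is present; and EITHER the DLL was created within 300 s of the load
# (dll.Ext.relative_file_creation_time, populated by Elastic Endpoint 8.4+ only) OR it resides in one
# of the listed unusual directories. Note that the description only mentions the 5-minute branch;
# the path branch fires regardless of file age.
# The trailing sha256 list is a static exclusion of specific binaries (presumably known-benign builds);
# because it matches exact hashes, a rebuilt binary at the same path is not excluded.
query = '''
library where host.os.type == "windows" and

 process.executable :
 ("?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\Syswow64\\svchost.exe") and

 dll.code_signature.trusted != true and

 not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and

 dll.hash.sha256 != null and

 (
 /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */
 dll.Ext.relative_file_creation_time <= 300 or

 /* unusual paths */
 dll.path :("?:\\ProgramData\\*",
 "?:\\Users\\*",
 "?:\\PerfLogs\\*",
 "?:\\Windows\\Tasks\\*",
 "?:\\Intel\\*",
 "?:\\AMD\\Temp\\*",
 "?:\\Windows\\AppReadiness\\*",
 "?:\\Windows\\ServiceState\\*",
 "?:\\Windows\\security\\*",
 "?:\\Windows\\IdentityCRL\\*",
 "?:\\Windows\\Branding\\*",
 "?:\\Windows\\csc\\*",
 "?:\\Windows\\DigitalLocker\\*",
 "?:\\Windows\\en-US\\*",
 "?:\\Windows\\wlansvc\\*",
 "?:\\Windows\\Prefetch\\*",
 "?:\\Windows\\Fonts\\*",
 "?:\\Windows\\diagnostics\\*",
 "?:\\Windows\\TAPI\\*",
 "?:\\Windows\\INF\\*",
 "?:\\Windows\\System32\\Speech\\*",
 "?:\\windows\\tracing\\*",
 "?:\\windows\\IME\\*",
 "?:\\Windows\\Performance\\*",
 "?:\\windows\\intel\\*",
 "?:\\windows\\ms\\*",
 "?:\\Windows\\dot3svc\\*",
 "?:\\Windows\\panther\\*",
 "?:\\Windows\\RemotePackages\\*",
 "?:\\Windows\\OCR\\*",
 "?:\\Windows\\appcompat\\*",
 "?:\\Windows\\apppatch\\*",
 "?:\\Windows\\addins\\*",
 "?:\\Windows\\Setup\\*",
 "?:\\Windows\\Help\\*",
 "?:\\Windows\\SKB\\*",
 "?:\\Windows\\Vss\\*",
 "?:\\Windows\\servicing\\*",
 "?:\\Windows\\CbsTemp\\*",
 "?:\\Windows\\Logs\\*",
 "?:\\Windows\\WaaS\\*",
 "?:\\Windows\\twain_32\\*",
 "?:\\Windows\\ShellExperiences\\*",
 "?:\\Windows\\ShellComponents\\*",
 "?:\\Windows\\PLA\\*",
 "?:\\Windows\\Migration\\*",
 "?:\\Windows\\debug\\*",
 "?:\\Windows\\Cursors\\*",
 "?:\\Windows\\Containers\\*",
 "?:\\Windows\\Boot\\*",
 "?:\\Windows\\bcastdvr\\*",
 "?:\\Windows\\TextInput\\*",
 "?:\\Windows\\schemas\\*",
 "?:\\Windows\\SchCache\\*",
 "?:\\Windows\\Resources\\*",
 "?:\\Windows\\rescache\\*",
 "?:\\Windows\\Provisioning\\*",
 "?:\\Windows\\PrintDialog\\*",
 "?:\\Windows\\PolicyDefinitions\\*",
 "?:\\Windows\\media\\*",
 "?:\\Windows\\Globalization\\*",
 "?:\\Windows\\L2Schemas\\*",
 "?:\\Windows\\LiveKernelReports\\*",
 "?:\\Windows\\ModemLogs\\*",
 "?:\\Windows\\ImmersiveControlPanel\\*",
 "?:\\$Recycle.Bin\\*")
 ) and

 not dll.hash.sha256 :
 ("3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6",
 "b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4",
 "214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba",
 "23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244",
 "5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7")
'''

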
# ATT&CK mapping 1 of 3: Persistence through a service DLL loaded by svchost-hosted services.
# Each [[rule.threat]] element carries one technique (with optional sub-technique) and exactly one
# tactic; the [rule.threat.tactic] sub-table must stay between this element's header and the next
# [[rule.threat]] header, otherwise it would bind to the following element.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
# ATT&CK mapping 2 of 3: Defense Evasion. The "Invalid Code Signature" sub-technique corresponds to
# the untrusted-signature condition in the query (dll.code_signature.trusted != true).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.001"
name = "Invalid Code Signature"
reference = "https://attack.mitre.org/techniques/T1036/001/"



# Tactic for this element; must precede the next [[rule.threat]] header.
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
# ATT&CK mapping 3 of 3: Execution via a Windows service (the loading process is svchost.exe).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1569"
name = "System Services"
reference = "https://attack.mitre.org/techniques/T1569/"
[[rule.threat.technique.subtechnique]]
id = "T1569.002"
name = "Service Execution"
reference = "https://attack.mitre.org/techniques/T1569/002/"



# Tactic for this (last) element.
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"