Unsigned DLL Loaded by Svchost
Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared Windows service (svchost). Adversaries may use this technique to maintain persistence or run with System privileges.
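[metadata]
creation_date = "2023/01/17"
integration = ["endpoint"]
maturity = "production"
# dll.Ext.relative_file_creation_time only exists in Elastic Endpoint 8.4+, which is why
# min_stack_version is pinned to 8.4.0 below.
min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above."
min_stack_version = "8.4.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service
(svchost). Adversaries may use this technique to maintain persistence or run with System privileges.
"""
# Lookback window per run; paired with timestamp_override below (presumably to tolerate ingest delay — confirm).
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Unsigned DLL Loaded by Svchost"
risk_score = 47
rule_id = "78ef0c95-9dc2-40ac-a8da-5deb6293a14e"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

# Query structure (all conditions are AND-ed unless noted):
#  1. library (image load) events on Windows where the loading process is svchost.exe (System32 or SysWOW64);
#  2. the DLL's signature is not trusted and its status is not one of the tolerated values
#     ("trusted", "errorExpired", "errorCode_endpoint*");
#  3. a SHA-256 hash is present, so the hash exclusions at the end can be applied;
#  4. EITHER the DLL was created within 300 s (5 min) of the load (8.4+ field)
#     OR it lives in one of the listed unusual directories;
#  5. minus a short list of SHA-256 hashes (presumably tuned-out benign loads — confirm
#     the origin of each before extending the list).
# Each path is listed once; the former duplicate "?:\\Windows\\security\\*" entry was removed.
query = '''
library where host.os.type == "windows" and

 process.executable :
 ("?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\Syswow64\\svchost.exe") and

 dll.code_signature.trusted != true and

 not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and

 dll.hash.sha256 != null and

 (
 /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */
 dll.Ext.relative_file_creation_time <= 300 or

 /* unusual paths */
 dll.path :("?:\\ProgramData\\*",
 "?:\\Users\\*",
 "?:\\PerfLogs\\*",
 "?:\\Windows\\Tasks\\*",
 "?:\\Intel\\*",
 "?:\\AMD\\Temp\\*",
 "?:\\Windows\\AppReadiness\\*",
 "?:\\Windows\\ServiceState\\*",
 "?:\\Windows\\security\\*",
 "?:\\Windows\\IdentityCRL\\*",
 "?:\\Windows\\Branding\\*",
 "?:\\Windows\\csc\\*",
 "?:\\Windows\\DigitalLocker\\*",
 "?:\\Windows\\en-US\\*",
 "?:\\Windows\\wlansvc\\*",
 "?:\\Windows\\Prefetch\\*",
 "?:\\Windows\\Fonts\\*",
 "?:\\Windows\\diagnostics\\*",
 "?:\\Windows\\TAPI\\*",
 "?:\\Windows\\INF\\*",
 "?:\\Windows\\System32\\Speech\\*",
 "?:\\windows\\tracing\\*",
 "?:\\windows\\IME\\*",
 "?:\\Windows\\Performance\\*",
 "?:\\windows\\intel\\*",
 "?:\\windows\\ms\\*",
 "?:\\Windows\\dot3svc\\*",
 "?:\\Windows\\panther\\*",
 "?:\\Windows\\RemotePackages\\*",
 "?:\\Windows\\OCR\\*",
 "?:\\Windows\\appcompat\\*",
 "?:\\Windows\\apppatch\\*",
 "?:\\Windows\\addins\\*",
 "?:\\Windows\\Setup\\*",
 "?:\\Windows\\Help\\*",
 "?:\\Windows\\SKB\\*",
 "?:\\Windows\\Vss\\*",
 "?:\\Windows\\servicing\\*",
 "?:\\Windows\\CbsTemp\\*",
 "?:\\Windows\\Logs\\*",
 "?:\\Windows\\WaaS\\*",
 "?:\\Windows\\twain_32\\*",
 "?:\\Windows\\ShellExperiences\\*",
 "?:\\Windows\\ShellComponents\\*",
 "?:\\Windows\\PLA\\*",
 "?:\\Windows\\Migration\\*",
 "?:\\Windows\\debug\\*",
 "?:\\Windows\\Cursors\\*",
 "?:\\Windows\\Containers\\*",
 "?:\\Windows\\Boot\\*",
 "?:\\Windows\\bcastdvr\\*",
 "?:\\Windows\\TextInput\\*",
 "?:\\Windows\\schemas\\*",
 "?:\\Windows\\SchCache\\*",
 "?:\\Windows\\Resources\\*",
 "?:\\Windows\\rescache\\*",
 "?:\\Windows\\Provisioning\\*",
 "?:\\Windows\\PrintDialog\\*",
 "?:\\Windows\\PolicyDefinitions\\*",
 "?:\\Windows\\media\\*",
 "?:\\Windows\\Globalization\\*",
 "?:\\Windows\\L2Schemas\\*",
 "?:\\Windows\\LiveKernelReports\\*",
 "?:\\Windows\\ModemLogs\\*",
 "?:\\Windows\\ImmersiveControlPanel\\*",
 "?:\\$Recycle.Bin\\*")
 ) and

 not dll.hash.sha256 :
 ("3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6",
 "b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4",
 "214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba",
 "23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244",
 "5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7")
'''

# ATT&CK mapping: the rule is a Persistence-tactic detection for service-based loading
# (T1543.003, Windows Service).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"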