Unsigned DLL Loaded by Svchost
Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). Adversaries may use this technique to maintain persistence or run with System privileges.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/01/17"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service
11(svchost). Adversaries may use this technique to maintain persistence or run with System privileges.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.library-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Unsigned DLL Loaded by Svchost"
18risk_score = 47
19rule_id = "78ef0c95-9dc2-40ac-a8da-5deb6293a14e"
20severity = "medium"
21tags = [
22 "Domain: Endpoint",
23 "OS: Windows",
24 "Use Case: Threat Detection",
25 "Tactic: Persistence",
26 "Tactic: Defense Evasion",
27 "Tactic: Execution",
28 "Data Source: Elastic Defend",
29]
30timestamp_override = "event.ingested"
31type = "eql"
32
33query = '''
34library where host.os.type == "windows" and
35
36 process.executable :
37 ("?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\Syswow64\\svchost.exe") and
38
39 dll.code_signature.trusted != true and
40
41 not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and
42
43 dll.hash.sha256 != null and
44
45 (
46 /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */
47 dll.Ext.relative_file_creation_time <= 300 or
48
49 /* unusual paths */
50 dll.path :("?:\\ProgramData\\*",
51 "?:\\Users\\*",
52 "?:\\PerfLogs\\*",
53 "?:\\Windows\\Tasks\\*",
54 "?:\\Intel\\*",
55 "?:\\AMD\\Temp\\*",
56 "?:\\Windows\\AppReadiness\\*",
57 "?:\\Windows\\ServiceState\\*",
58 "?:\\Windows\\security\\*",
59 "?:\\Windows\\IdentityCRL\\*",
60 "?:\\Windows\\Branding\\*",
61 "?:\\Windows\\csc\\*",
62 "?:\\Windows\\DigitalLocker\\*",
63 "?:\\Windows\\en-US\\*",
64 "?:\\Windows\\wlansvc\\*",
65 "?:\\Windows\\Prefetch\\*",
66 "?:\\Windows\\Fonts\\*",
67 "?:\\Windows\\diagnostics\\*",
68 "?:\\Windows\\TAPI\\*",
69 "?:\\Windows\\INF\\*",
70 "?:\\Windows\\System32\\Speech\\*",
71 "?:\\windows\\tracing\\*",
72 "?:\\windows\\IME\\*",
73 "?:\\Windows\\Performance\\*",
74 "?:\\windows\\intel\\*",
75 "?:\\windows\\ms\\*",
76 "?:\\Windows\\dot3svc\\*",
77 "?:\\Windows\\panther\\*",
78 "?:\\Windows\\RemotePackages\\*",
79 "?:\\Windows\\OCR\\*",
80 "?:\\Windows\\appcompat\\*",
81 "?:\\Windows\\apppatch\\*",
82 "?:\\Windows\\addins\\*",
83 "?:\\Windows\\Setup\\*",
84 "?:\\Windows\\Help\\*",
85 "?:\\Windows\\SKB\\*",
86 "?:\\Windows\\Vss\\*",
87 "?:\\Windows\\servicing\\*",
88 "?:\\Windows\\CbsTemp\\*",
89 "?:\\Windows\\Logs\\*",
90 "?:\\Windows\\WaaS\\*",
91 "?:\\Windows\\twain_32\\*",
92 "?:\\Windows\\ShellExperiences\\*",
93 "?:\\Windows\\ShellComponents\\*",
94 "?:\\Windows\\PLA\\*",
95 "?:\\Windows\\Migration\\*",
96 "?:\\Windows\\debug\\*",
97 "?:\\Windows\\Cursors\\*",
98 "?:\\Windows\\Containers\\*",
99 "?:\\Windows\\Boot\\*",
100 "?:\\Windows\\bcastdvr\\*",
101 "?:\\Windows\\TextInput\\*",
102 "?:\\Windows\\security\\*",
103 "?:\\Windows\\schemas\\*",
104 "?:\\Windows\\SchCache\\*",
105 "?:\\Windows\\Resources\\*",
106 "?:\\Windows\\rescache\\*",
107 "?:\\Windows\\Provisioning\\*",
108 "?:\\Windows\\PrintDialog\\*",
109 "?:\\Windows\\PolicyDefinitions\\*",
110 "?:\\Windows\\media\\*",
111 "?:\\Windows\\Globalization\\*",
112 "?:\\Windows\\L2Schemas\\*",
113 "?:\\Windows\\LiveKernelReports\\*",
114 "?:\\Windows\\ModemLogs\\*",
115 "?:\\Windows\\ImmersiveControlPanel\\*",
116 "?:\\$Recycle.Bin\\*")
117 ) and
118
119 not dll.hash.sha256 :
120 ("3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6",
121 "b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4",
122 "214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba",
123 "23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244",
124 "5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7")
125'''
126
127
128[[rule.threat]]
129framework = "MITRE ATT&CK"
130[[rule.threat.technique]]
131id = "T1543"
132name = "Create or Modify System Process"
133reference = "https://attack.mitre.org/techniques/T1543/"
134[[rule.threat.technique.subtechnique]]
135id = "T1543.003"
136name = "Windows Service"
137reference = "https://attack.mitre.org/techniques/T1543/003/"
138
139
140
141[rule.threat.tactic]
142id = "TA0003"
143name = "Persistence"
144reference = "https://attack.mitre.org/tactics/TA0003/"
145[[rule.threat]]
146framework = "MITRE ATT&CK"
147[[rule.threat.technique]]
148id = "T1036"
149name = "Masquerading"
150reference = "https://attack.mitre.org/techniques/T1036/"
151[[rule.threat.technique.subtechnique]]
152id = "T1036.001"
153name = "Invalid Code Signature"
154reference = "https://attack.mitre.org/techniques/T1036/001/"
155
156
157
158[rule.threat.tactic]
159id = "TA0005"
160name = "Defense Evasion"
161reference = "https://attack.mitre.org/tactics/TA0005/"
162[[rule.threat]]
163framework = "MITRE ATT&CK"
164[[rule.threat.technique]]
165id = "T1569"
166name = "System Services"
167reference = "https://attack.mitre.org/techniques/T1569/"
168[[rule.threat.technique.subtechnique]]
169id = "T1569.002"
170name = "Service Execution"
171reference = "https://attack.mitre.org/techniques/T1569/002/"
172
173
174
175[rule.threat.tactic]
176id = "TA0002"
177name = "Execution"
178reference = "https://attack.mitre.org/tactics/TA0002/"
Related rules
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Delayed Execution via Ping
- Microsoft Build Engine Started by a Script Process
- Microsoft Build Engine Using an Alternate Name