Unsigned DLL Loaded by Svchost

  1[metadata]
  2creation_date = "2023/01/17"
  3integration = ["endpoint"]
  4maturity = "production"
  5min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above."
  6min_stack_version = "8.4.0"
  7updated_date = "2023/06/22"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service
 13(svchost). Adversaries may use this technique to maintain persistence or run with System privileges.
 14"""
 15from = "now-9m"
 16index = ["logs-endpoint.events.*"]
 17language = "eql"
 18license = "Elastic License v2"
 19name = "Unsigned DLL Loaded by Svchost"
 20risk_score = 47
 21rule_id = "78ef0c95-9dc2-40ac-a8da-5deb6293a14e"
 22severity = "medium"
 23tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 24timestamp_override = "event.ingested"
 25type = "eql"
 26
 27query = '''
 28library where host.os.type == "windows" and
 29
 30 process.executable : 
 31     ("?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\Syswow64\\svchost.exe") and 
 32     
 33 dll.code_signature.trusted != true and 
 34 
 35 not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and 
 36 
 37 dll.hash.sha256 != null and 
 38 
 39 (
 40       /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */
 41       dll.Ext.relative_file_creation_time <= 300 or 
 42   
 43       /* unusual paths */
 44       dll.path :("?:\\ProgramData\\*",
 45                  "?:\\Users\\*",
 46                  "?:\\PerfLogs\\*",
 47                  "?:\\Windows\\Tasks\\*",
 48                  "?:\\Intel\\*",
 49                  "?:\\AMD\\Temp\\*",
 50                  "?:\\Windows\\AppReadiness\\*",
 51                  "?:\\Windows\\ServiceState\\*",
 52                  "?:\\Windows\\security\\*",
 53                  "?:\\Windows\\IdentityCRL\\*",
 54                  "?:\\Windows\\Branding\\*",
 55                  "?:\\Windows\\csc\\*",
 56                  "?:\\Windows\\DigitalLocker\\*",
 57                  "?:\\Windows\\en-US\\*",
 58                  "?:\\Windows\\wlansvc\\*",
 59                  "?:\\Windows\\Prefetch\\*",
 60                  "?:\\Windows\\Fonts\\*",
 61                  "?:\\Windows\\diagnostics\\*",
 62                  "?:\\Windows\\TAPI\\*",
 63                  "?:\\Windows\\INF\\*",
 64                  "?:\\Windows\\System32\\Speech\\*",
 65                  "?:\\windows\\tracing\\*",
 66                  "?:\\windows\\IME\\*",
 67                  "?:\\Windows\\Performance\\*",
 68                  "?:\\windows\\intel\\*",
 69                  "?:\\windows\\ms\\*",
 70                  "?:\\Windows\\dot3svc\\*",
 71                  "?:\\Windows\\panther\\*",
 72                  "?:\\Windows\\RemotePackages\\*",
 73                  "?:\\Windows\\OCR\\*",
 74                  "?:\\Windows\\appcompat\\*",
 75                  "?:\\Windows\\apppatch\\*",
 76                  "?:\\Windows\\addins\\*",
 77                  "?:\\Windows\\Setup\\*",
 78                  "?:\\Windows\\Help\\*",
 79                  "?:\\Windows\\SKB\\*",
 80                  "?:\\Windows\\Vss\\*",
 81                  "?:\\Windows\\servicing\\*",
 82                  "?:\\Windows\\CbsTemp\\*",
 83                  "?:\\Windows\\Logs\\*",
 84                  "?:\\Windows\\WaaS\\*",
 85                  "?:\\Windows\\twain_32\\*",
 86                  "?:\\Windows\\ShellExperiences\\*",
 87                  "?:\\Windows\\ShellComponents\\*",
 88                  "?:\\Windows\\PLA\\*",
 89                  "?:\\Windows\\Migration\\*",
 90                  "?:\\Windows\\debug\\*",
 91                  "?:\\Windows\\Cursors\\*",
 92                  "?:\\Windows\\Containers\\*",
 93                  "?:\\Windows\\Boot\\*",
 94                  "?:\\Windows\\bcastdvr\\*",
 95                  "?:\\Windows\\TextInput\\*",
 96                  "?:\\Windows\\security\\*",
 97                  "?:\\Windows\\schemas\\*",
 98                  "?:\\Windows\\SchCache\\*",
 99                  "?:\\Windows\\Resources\\*",
100                  "?:\\Windows\\rescache\\*",
101                  "?:\\Windows\\Provisioning\\*",
102                  "?:\\Windows\\PrintDialog\\*",
103                  "?:\\Windows\\PolicyDefinitions\\*",
104                  "?:\\Windows\\media\\*",
105                  "?:\\Windows\\Globalization\\*",
106                  "?:\\Windows\\L2Schemas\\*",
107                  "?:\\Windows\\LiveKernelReports\\*",
108                  "?:\\Windows\\ModemLogs\\*",
109                  "?:\\Windows\\ImmersiveControlPanel\\*",
110                  "?:\\$Recycle.Bin\\*")
111  ) and 
112  
113  not dll.hash.sha256 : 
114            ("3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6", 
115             "b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4", 
116             "214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba", 
117             "23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244", 
118             "5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7")
119'''
120
121
122[[rule.threat]]
123framework = "MITRE ATT&CK"
124[[rule.threat.technique]]
125id = "T1543"
126name = "Create or Modify System Process"
127reference = "https://attack.mitre.org/techniques/T1543/"
128[[rule.threat.technique.subtechnique]]
129id = "T1543.003"
130name = "Windows Service"
131reference = "https://attack.mitre.org/techniques/T1543/003/"
132
133
134
135[rule.threat.tactic]
136id = "TA0003"
137name = "Persistence"
138reference = "https://attack.mitre.org/tactics/TA0003/"