Unsigned DLL Loaded by Svchost
Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). Adversaries may use this technique to maintain persistence or run with System privileges.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/01/17"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2025/01/15"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service
11(svchost). Adversaries may use this technique to maintain persistence or run with System privileges.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.library-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Unsigned DLL Loaded by Svchost"
18references = [
19 "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion",
20]
21risk_score = 47
22rule_id = "78ef0c95-9dc2-40ac-a8da-5deb6293a14e"
23severity = "medium"
24tags = [
25 "Domain: Endpoint",
26 "OS: Windows",
27 "Use Case: Threat Detection",
28 "Tactic: Persistence",
29 "Tactic: Defense Evasion",
30 "Tactic: Execution",
31 "Data Source: Elastic Defend",
32 "Resources: Investigation Guide",
33]
34timestamp_override = "event.ingested"
35type = "eql"
36
37query = '''
38library where host.os.type == "windows" and
39
40 process.executable :
41 ("?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\Syswow64\\svchost.exe") and
42
43 dll.code_signature.trusted != true and
44
45 not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and
46
47 dll.hash.sha256 != null and
48
49 (
50 /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */
51 dll.Ext.relative_file_creation_time <= 300 or
52
53 /* unusual paths */
54 dll.path :("?:\\ProgramData\\*",
55 "?:\\Users\\*",
56 "?:\\PerfLogs\\*",
57 "?:\\Windows\\Tasks\\*",
58 "?:\\Intel\\*",
59 "?:\\AMD\\Temp\\*",
60 "?:\\Windows\\AppReadiness\\*",
61 "?:\\Windows\\ServiceState\\*",
62 "?:\\Windows\\security\\*",
63 "?:\\Windows\\IdentityCRL\\*",
64 "?:\\Windows\\Branding\\*",
65 "?:\\Windows\\csc\\*",
66 "?:\\Windows\\DigitalLocker\\*",
67 "?:\\Windows\\en-US\\*",
68 "?:\\Windows\\wlansvc\\*",
69 "?:\\Windows\\Prefetch\\*",
70 "?:\\Windows\\Fonts\\*",
71 "?:\\Windows\\diagnostics\\*",
72 "?:\\Windows\\TAPI\\*",
73 "?:\\Windows\\INF\\*",
74 "?:\\Windows\\System32\\Speech\\*",
75 "?:\\windows\\tracing\\*",
76 "?:\\windows\\IME\\*",
77 "?:\\Windows\\Performance\\*",
78 "?:\\windows\\intel\\*",
79 "?:\\windows\\ms\\*",
80 "?:\\Windows\\dot3svc\\*",
81 "?:\\Windows\\panther\\*",
82 "?:\\Windows\\RemotePackages\\*",
83 "?:\\Windows\\OCR\\*",
84 "?:\\Windows\\appcompat\\*",
85 "?:\\Windows\\apppatch\\*",
86 "?:\\Windows\\addins\\*",
87 "?:\\Windows\\Setup\\*",
88 "?:\\Windows\\Help\\*",
89 "?:\\Windows\\SKB\\*",
90 "?:\\Windows\\Vss\\*",
91 "?:\\Windows\\servicing\\*",
92 "?:\\Windows\\CbsTemp\\*",
93 "?:\\Windows\\Logs\\*",
94 "?:\\Windows\\WaaS\\*",
95 "?:\\Windows\\twain_32\\*",
96 "?:\\Windows\\ShellExperiences\\*",
97 "?:\\Windows\\ShellComponents\\*",
98 "?:\\Windows\\PLA\\*",
99 "?:\\Windows\\Migration\\*",
100 "?:\\Windows\\debug\\*",
101 "?:\\Windows\\Cursors\\*",
102 "?:\\Windows\\Containers\\*",
103 "?:\\Windows\\Boot\\*",
104 "?:\\Windows\\bcastdvr\\*",
105 "?:\\Windows\\TextInput\\*",
106 "?:\\Windows\\security\\*",
107 "?:\\Windows\\schemas\\*",
108 "?:\\Windows\\SchCache\\*",
109 "?:\\Windows\\Resources\\*",
110 "?:\\Windows\\rescache\\*",
111 "?:\\Windows\\Provisioning\\*",
112 "?:\\Windows\\PrintDialog\\*",
113 "?:\\Windows\\PolicyDefinitions\\*",
114 "?:\\Windows\\media\\*",
115 "?:\\Windows\\Globalization\\*",
116 "?:\\Windows\\L2Schemas\\*",
117 "?:\\Windows\\LiveKernelReports\\*",
118 "?:\\Windows\\ModemLogs\\*",
119 "?:\\Windows\\ImmersiveControlPanel\\*",
120 "?:\\$Recycle.Bin\\*")
121 ) and
122
123 not dll.hash.sha256 :
124 ("3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6",
125 "b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4",
126 "214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba",
127 "23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244",
128 "5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7")
129'''
130note = """## Triage and analysis
131
132> **Disclaimer**:
133> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
134
135### Investigating Unsigned DLL Loaded by Svchost
136
137Svchost.exe is a critical Windows process that hosts multiple services, allowing efficient resource management. Adversaries exploit this by loading unsigned DLLs to gain persistence or execute code with elevated privileges. The detection rule identifies such threats by monitoring DLLs recently created and loaded by svchost, focusing on untrusted signatures and unusual file paths, thus highlighting potential malicious activity.
138
139### Possible investigation steps
140
141- Review the specific DLL file path and hash (dll.path and dll.hash.sha256) to determine if it is known to be associated with legitimate software or if it is potentially malicious.
142- Check the creation time of the DLL (dll.Ext.relative_file_creation_time) to understand the timeline of events and correlate it with other activities on the system around the same time.
143- Investigate the process that loaded the DLL (process.executable) to determine if it is a legitimate instance of svchost.exe or if it has been tampered with or replaced.
144- Analyze the code signature status (dll.code_signature.trusted and dll.code_signature.status) to verify if the DLL is unsigned or has an untrusted signature, which could indicate tampering or a malicious origin.
145- Cross-reference the DLL's hash (dll.hash.sha256) against known malware databases or threat intelligence sources to identify if it is associated with known threats.
146- Examine the system for other indicators of compromise, such as unusual network activity or additional suspicious files, to assess the scope of potential malicious activity.
147- Consider isolating the affected system to prevent further potential compromise while conducting a deeper forensic analysis.
148
149### False positive analysis
150
151- System maintenance or updates may trigger the rule by loading legitimate unsigned DLLs. Users can create exceptions for known update processes or maintenance activities to prevent unnecessary alerts.
152- Custom or in-house applications might load unsigned DLLs from unusual paths. Verify the legitimacy of these applications and consider adding their specific paths to the exclusion list if they are deemed safe.
153- Security or monitoring tools might use unsigned DLLs for legitimate purposes. Identify these tools and exclude their associated DLLs by hash or path to reduce false positives.
154- Temporary files created by legitimate software in monitored directories can be mistaken for threats. Regularly review and update the exclusion list to include hashes of these known benign files.
155- Development environments often generate unsigned DLLs during testing phases. Ensure that development paths are excluded from monitoring to avoid false alerts during software development cycles.
156
157### Response and remediation
158
159- Isolate the affected system from the network to prevent further malicious activity and lateral movement.
160- Terminate the svchost.exe process that loaded the unsigned DLL to stop any ongoing malicious actions.
161- Remove the identified unsigned DLL from the system to eliminate the immediate threat.
162- Conduct a full antivirus and anti-malware scan on the affected system to detect and remove any additional threats.
163- Review and restore any modified system configurations or settings to their original state to ensure system integrity.
164- Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected.
165- Implement enhanced monitoring and logging for svchost.exe and DLL loading activities to detect similar threats in the future."""
166
167
168[[rule.threat]]
169framework = "MITRE ATT&CK"
170[[rule.threat.technique]]
171id = "T1543"
172name = "Create or Modify System Process"
173reference = "https://attack.mitre.org/techniques/T1543/"
174[[rule.threat.technique.subtechnique]]
175id = "T1543.003"
176name = "Windows Service"
177reference = "https://attack.mitre.org/techniques/T1543/003/"
178
179
180
181[rule.threat.tactic]
182id = "TA0003"
183name = "Persistence"
184reference = "https://attack.mitre.org/tactics/TA0003/"
185[[rule.threat]]
186framework = "MITRE ATT&CK"
187[[rule.threat.technique]]
188id = "T1036"
189name = "Masquerading"
190reference = "https://attack.mitre.org/techniques/T1036/"
191[[rule.threat.technique.subtechnique]]
192id = "T1036.001"
193name = "Invalid Code Signature"
194reference = "https://attack.mitre.org/techniques/T1036/001/"
195
196
197
198[rule.threat.tactic]
199id = "TA0005"
200name = "Defense Evasion"
201reference = "https://attack.mitre.org/tactics/TA0005/"
202[[rule.threat]]
203framework = "MITRE ATT&CK"
204[[rule.threat.technique]]
205id = "T1569"
206name = "System Services"
207reference = "https://attack.mitre.org/techniques/T1569/"
208[[rule.threat.technique.subtechnique]]
209id = "T1569.002"
210name = "Service Execution"
211reference = "https://attack.mitre.org/techniques/T1569/002/"
212
213
214
215[rule.threat.tactic]
216id = "TA0002"
217name = "Execution"
218reference = "https://attack.mitre.org/tactics/TA0002/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Unsigned DLL Loaded by Svchost
Svchost.exe is a critical Windows process that hosts multiple services, allowing efficient resource management. Adversaries exploit this by loading unsigned DLLs to gain persistence or execute code with elevated privileges. The detection rule identifies such threats by monitoring DLLs recently created and loaded by svchost, focusing on untrusted signatures and unusual file paths, thus highlighting potential malicious activity.
Possible investigation steps
- Review the specific DLL file path and hash (dll.path and dll.hash.sha256) to determine if it is known to be associated with legitimate software or if it is potentially malicious.
- Check the creation time of the DLL (dll.Ext.relative_file_creation_time) to understand the timeline of events and correlate it with other activities on the system around the same time.
- Investigate the process that loaded the DLL (process.executable) to determine if it is a legitimate instance of svchost.exe or if it has been tampered with or replaced.
- Analyze the code signature status (dll.code_signature.trusted and dll.code_signature.status) to verify if the DLL is unsigned or has an untrusted signature, which could indicate tampering or a malicious origin.
- Cross-reference the DLL's hash (dll.hash.sha256) against known malware databases or threat intelligence sources to identify if it is associated with known threats.
- Examine the system for other indicators of compromise, such as unusual network activity or additional suspicious files, to assess the scope of potential malicious activity.
- Consider isolating the affected system to prevent further potential compromise while conducting a deeper forensic analysis.
False positive analysis
- System maintenance or updates may trigger the rule by loading legitimate unsigned DLLs. Users can create exceptions for known update processes or maintenance activities to prevent unnecessary alerts.
- Custom or in-house applications might load unsigned DLLs from unusual paths. Verify the legitimacy of these applications and consider adding their specific paths to the exclusion list if they are deemed safe.
- Security or monitoring tools might use unsigned DLLs for legitimate purposes. Identify these tools and exclude their associated DLLs by hash or path to reduce false positives.
- Temporary files created by legitimate software in monitored directories can be mistaken for threats. Regularly review and update the exclusion list to include hashes of these known benign files.
- Development environments often generate unsigned DLLs during testing phases. Ensure that development paths are excluded from monitoring to avoid false alerts during software development cycles.
Response and remediation
- Isolate the affected system from the network to prevent further malicious activity and lateral movement.
- Terminate the svchost.exe process that loaded the unsigned DLL to stop any ongoing malicious actions.
- Remove the identified unsigned DLL from the system to eliminate the immediate threat.
- Conduct a full antivirus and anti-malware scan on the affected system to detect and remove any additional threats.
- Review and restore any modified system configurations or settings to their original state to ensure system integrity.
- Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for svchost.exe and DLL loading activities to detect similar threats in the future.
References
-
Learn more about discovering threats by hunting through DLL load events, one way to reveal the presence of known and unknown malware in noisy process event data.
Read More
Related rules
- Delayed Execution via Ping
- Git Hook Egress Network Connection
- Persistence via a Windows Installer
- Component Object Model Hijacking
- AWS SSM `SendCommand` with Run Shell Command Parameters