DLL Search Order Hijackig Via Additional Space in Path
Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...) but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
Sigma rule (View on GitHub)
1title: DLL Search Order Hijackig Via Additional Space in Path
2id: b6f91281-20aa-446a-b986-38a92813a18f
3status: test
4description: |
5 Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
6 but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
7references:
8 - https://twitter.com/cyb3rops/status/1552932770464292864
9 - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
10author: frack113, Nasreddine Bencherchali
11date: 2022/07/30
12tags:
13 - attack.persistence
14 - attack.privilege_escalation
15 - attack.defense_evasion
16 - attack.t1574.002
17logsource:
18 category: file_event
19 product: windows
20detection:
21 selection:
22 TargetFilename|startswith:
23 - 'C:\Windows \'
24 - 'C:\Program Files \'
25 - 'C:\Program Files (x86) \'
26 TargetFilename|endswith: '.dll'
27 condition: selection
28falsepositives:
29 - Unknown
30level: high
References
-
-
DLL Hijacking is a popular technique for executing malicious payloads. This post lists nearly 300 executables vulnerable to relative path DLL Hijacking on Windows 10 (1909), and shows how with a few lines of VBScript some of the DLL hijacks can be executed with elevated privileges, bypassing UAC.
Read More
Related rules
- DLL Sideloading Of ShellChromeAPI.DLL
- Malicious DLL File Dropped in the Teams or OneDrive Folder
- Potential DLL Sideloading Via ClassicExplorer32.dll
- Potential DLL Sideloading Via JsSchHlp
- Potential DLL Sideloading Via comctl32.dll