Potential Initial Access via DLL Search Order Hijacking
Detects attempts by an unusual process to create a DLL file in a known desktop application dependencies folder, such as those of Slack, Teams or OneDrive. This may indicate an attempt to load a malicious module via DLL search order hijacking.
Sigma rule (View on GitHub)
title: Potential Initial Access via DLL Search Order Hijacking
id: dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c
status: test
description: Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc
    - https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-21
tags:
    - attack.t1566
    - attack.t1566.001
    - attack.initial-access
    - attack.t1574
    - attack.t1574.001
    - attack.defense-evasion
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # add more processes when you find them
            - '\winword.exe'
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\MSACCESS.EXE'
            - '\MSPUB.EXE'
            - '\fltldr.exe'
            - '\cmd.exe'
            - '\certutil.exe'
            - '\mshta.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\curl.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith: '.dll'
        TargetFilename|contains|all:
            - '\Users\'
            - '\AppData\'
        TargetFilename|contains:
            # add more suspicious paths when you find them
            - '\Microsoft\OneDrive\'
            - '\Microsoft OneDrive\'
            - '\Microsoft\Teams\'
            - '\Local\slack\app-'
            - '\Local\Programs\Microsoft VS Code\'
    filter:
        Image|endswith: '\cmd.exe'
        TargetFilename|contains|all:
            - '\Users\'
            - '\AppData\'
            - '\Microsoft\OneDrive\'
            - '\api-ms-win-core-'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
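To make the detection logic concrete, the following is an added example (not part of the rule or the SigmaHQ project) that re-implements the selection and filter blocks in plain Python and runs them over a handful of constructed file_event records shaped like Sysmon Event ID 11 output. It mirrors Sigma's default case-insensitive string matching and shows which events alert, which are dropped by the cmd.exe/api-ms-win-core- filter, and which never match the selection at all. All event values, field names beyond Image and TargetFilename, and the event ids are constructed for the example.

```python
"""Toy evaluator for the DLL search order hijacking rule above.

Re-implements `condition: selection and not filter` against dict-shaped
file creation events. Sample events are constructed, not real telemetry.
"""

# Values copied from the rule's selection block (matched case-insensitively,
# as Sigma does by default).
SUSPICIOUS_IMAGES = (
    "\\winword.exe", "\\excel.exe", "\\powerpnt.exe", "\\MSACCESS.EXE",
    "\\MSPUB.EXE", "\\fltldr.exe", "\\cmd.exe", "\\certutil.exe",
    "\\mshta.exe", "\\cscript.exe", "\\wscript.exe", "\\curl.exe",
    "\\powershell.exe", "\\pwsh.exe",
)
REQUIRED_PATH_PARTS = ("\\Users\\", "\\AppData\\")      # contains|all
WATCHED_APP_DIRS = (                                      # contains (any)
    "\\Microsoft\\OneDrive\\", "\\Microsoft OneDrive\\", "\\Microsoft\\Teams\\",
    "\\Local\\slack\\app-", "\\Local\\Programs\\Microsoft VS Code\\",
)
# Values copied from the rule's filter block.
FILTER_IMAGE = "\\cmd.exe"
FILTER_PATH_PARTS = (
    "\\Users\\", "\\AppData\\", "\\Microsoft\\OneDrive\\", "\\api-ms-win-core-",
)


def matches_selection(event: dict) -> bool:
    """True when the event satisfies every field of the `selection` block."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    if not any(image.endswith(s.lower()) for s in SUSPICIOUS_IMAGES):
        return False
    if not target.endswith(".dll"):
        return False
    if not all(p.lower() in target for p in REQUIRED_PATH_PARTS):
        return False
    return any(p.lower() in target for p in WATCHED_APP_DIRS)


def matches_filter(event: dict) -> bool:
    """True for the known-benign case the rule excludes: cmd.exe writing an
    api-ms-win-core-* stub DLL into the OneDrive directory."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    if not image.endswith(FILTER_IMAGE.lower()):
        return False
    return all(p.lower() in target for p in FILTER_PATH_PARTS)


def evaluate(event: dict) -> bool:
    """The rule's condition: selection and not filter."""
    return matches_selection(event) and not matches_filter(event)


def scan(events: list) -> list:
    """Return the ids of all events that would raise this alert."""
    return [e["EventId"] for e in events if evaluate(e)]


# Constructed sample events (Sysmon-style file creation records).
SAMPLE_EVENTS = [
    # Office process dropping a DLL into the OneDrive app folder: alert.
    {"EventId": "ev1", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\example.dll"},
    # cmd.exe writing an api-ms-win-core stub into OneDrive: selection hits, filter removes it.
    {"EventId": "ev2", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\api-ms-win-core-file-l1-2-0.dll"},
    # The application's own installer: Image is not in the watched list, no alert.
    {"EventId": "ev3", "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveSetup.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\example.dll"},
    # PowerShell dropping a DLL into a Slack app-* folder: alert.
    {"EventId": "ev4", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\slack\\app-4.0.0\\example.dll"},
    # cmd.exe into VS Code: the filter only covers the OneDrive path, so this still alerts.
    {"EventId": "ev5", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Programs\\Microsoft VS Code\\example.dll"},
    # Not a .dll: no alert.
    {"EventId": "ev6", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm"},
]

if __name__ == "__main__":
    print("alerting events:", scan(SAMPLE_EVENTS))
```

Running the block reports ev1, ev4 and ev5 as alerts. ev2 is the instructive case: it satisfies every field of the selection, and only the narrowly scoped filter (cmd.exe plus OneDrive plus the api-ms-win-core- prefix) suppresses it, which is why a filter that names all three parts is safer than one that exempts cmd.exe outright.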
Related rules
- HTML Help HH.EXE Suspicious Child Process
- Suspicious HH.EXE Execution
- Password Protected ZIP File Opened (Email Attachment)
- Suspicious Execution via macOS Script Editor
- Suspicious Microsoft OneNote Child Process