Potential DLL Sideloading Of Non-Existent DLLs From System Folders

 1title: Potential DLL Sideloading Of Non-Existent DLLs From System Folders
 2id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
 3related:
 4    - id: df6ecb8b-7822-4f4b-b412-08f524b4576c # FileEvent rule
 5      type: similar
 6    - id: 602a1f13-c640-4d73-b053-be9a2fa58b77
 7      type: obsoletes
 8status: test
 9description: |
10    Detects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories).
11    Usually this technique is used to achieve UAC bypass or privilege escalation.    
12references:
13    - https://decoded.avast.io/martinchlumecky/png-steganography/
14    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
15    - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
16    - https://github.com/Wh04m1001/SysmonEoP
17    - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
18    - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
19author: Nasreddine Bencherchali (Nextron Systems), SBousseaden
20date: 2022/12/09
21modified: 2024/01/10
22tags:
23    - attack.defense_evasion
24    - attack.persistence
25    - attack.privilege_escalation
26    - attack.t1574.001
27    - attack.t1574.002
28logsource:
29    category: image_load
30    product: windows
31detection:
32    selection:
33        ImageLoaded|endswith:
34            # Add other DLLs
35            - ':\Windows\System32\TSMSISrv.dll'
36            - ':\Windows\System32\TSVIPSrv.dll'
37            - ':\Windows\System32\wbem\wbemcomn.dll'
38            - ':\Windows\System32\WLBSCTRL.dll'
39            - ':\Windows\System32\wow64log.dll'
40            - ':\Windows\System32\WptsExtensions.dll'
41    filter_main_ms_signed:
42        Signed: 'true'
43        SignatureStatus: 'Valid'
44        # There could be other signatures (please add when found)
45        Signature: 'Microsoft Windows'
46    condition: selection and not 1 of filter_main_*
47falsepositives:
48    - Unknown
49level: high

References

• PNG Steganography Hides Backdoor - Avast Threat Labs

  

  Our deep analysis of the Worok toolset (previously described by ESET Research) reveals the final stage, hidden in a PNG file, that steals data and provides a multifunctional backdoor using the DropBox repository and API.

  
  Read More

• Lateral Movement — SCM and Dll Hijacking Primer

  

  Using the Service Control Manager and built-in services for lateral movement.

  
  Read More

• CVE-2020-7315 McAfee Agent DLL injection | Clément Notin | Blog

  

  DLL injection in McAfee Agent allowing a local administrator to kill the antivirus, or tamper with it, without knowing the McAfee passwordThe macompatsvc.exe...

  
  Read More

• GitHub - Wh04m1001/SysmonEoP

  

  Contribute to Wh04m1001/SysmonEoP development by creating an account on GitHub.

  
  Read More

• Beyond good ol’ Run key, Part 5

  Time for the 5th part. Today it’s about the Phantom DLLs Hijacking (do not confuse it with ‘DLL Search Order Hijacking’ where order in which paths are searched for is abused). Windows is a huge ope...

  
  Read More

• Windows 10 - Task Scheduler service - Privilege Escalation/Persistence through DLL planting

  

  Abstract I was recently busy doing some reverse on an antivirus solution. During this review, I figured out the Windows 10 Task Schedul...

  
  Read More

Related rules

• Creation Of Non-Existent System DLL
• Third Party Software DLL Sideloading
• DLL Sideloading Of ShellChromeAPI.DLL
• Potential DLL Sideloading Via ClassicExplorer32.dll
• Potential DLL Sideloading Via JsSchHlp