Unsigned DLL Loaded by Windows Utility

 1title: Unsigned DLL Loaded by Windows Utility
 2id: b5de0c9a-6f19-43e0-af4e-55ad01f550af
 3status: experimental
 4description: |
 5    Detects windows utilities loading an unsigned or untrusted DLL.
 6    Adversaries often abuse those programs to proxy execution of malicious code.    
 7references:
 8    - https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion
 9    - https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql
10    - https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true
11author: Swachchhanda Shrawan Poudel
12date: 2024/02/28
13modified: 2024/03/07
14tags:
15    - attack.t1218.011
16    - attack.t1218.010
17    - attack.defense_evasion
18logsource:
19    product: windows
20    category: image_load
21detection:
22    selection:
23        Image|endswith:
24            # Note: Add additional utilities that allow the loading of DLLs
25            - '\InstallUtil.exe'
26            - '\RegAsm.exe'
27            - '\RegSvcs.exe'
28            - '\regsvr32.exe'
29            - '\rundll32.exe'
30    filter_main_signed:
31        Signed: 'true'
32    filter_main_sig_status:
33        SignatureStatus:
34            - 'errorChaining'
35            - 'errorCode_endpoint'
36            - 'errorExpired'
37            - 'trusted'
38    filter_main_signed_null:
39        Signed: null
40    filter_main_signed_empty:
41        Signed:
42            - ''
43            - '-'
44    filter_main_sig_status_null:
45        SignatureStatus: null
46    filter_main_sig_status_empty:
47        SignatureStatus:
48            - ''
49            - '-'
50    condition: selection and not 1 of filter_main_*
51falsepositives:
52    - Unknown
53level: medium

References

• Hunting for Suspicious Windows Libraries for Execution and Defense Evasion — Elastic Security Labs

  

  Learn more about discovering threats by hunting through DLL load events, one way to reveal the presence of known and unknown malware in noisy process event data.

  
  Read More

• Hunting Unsigned DLLs Using KQL

  

  Unsigned DLLs, or dynamic-link libraries, are executable files that contain code that can be used by multiple programs on a Windows system. While DLLs can be a useful and efficient way to share code between applications, they can also be a security r...

  
  Read More

• Hunting for Unsigned DLLs to Find APTs

  

  Hunting for the loading of unsigned DLLs can help you identify attacks and threat actors in your environment. Our examples include well-known APTs.

  
  Read More

Related rules

• HTML Help HH.EXE Suspicious Child Process
• Suspicious HH.EXE Execution
• Potential PowerShell Execution Via DLL
• Potential Raspberry Robin CPL Execution Activity
• APT29 2018 Phishing Campaign CommandLine Indicators