LoFP / dlls being loaded by user mode programs for legitimate reasons.

Techniques

Sample rules

Windows Known Abused DLL Loaded Suspiciously

Description

The following analytic detects when DLLs with a known abuse history are loaded from an unusual location. This activity may represent an attacker performing a DLL search order or sideload hijacking technique. These techniques are used to gain persistence as well as to elevate privileges on the target system. This detection relies on Sysmon EID 7 and is compatible with all official Sysmon TA versions.

Detection logic

`sysmon` ImageLoaded EventCode=7 NOT ImageLoaded IN ("*\\Program Files*","*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*") 
| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded dest process_exec process_guid process_hash process_id process_path service_dll_signature_exists service_dll_signature_verified signature signature_id user_id vendor_product loaded_file 
| rename Image as process 
| eval process_name = case(isnotnull(process),replace(process,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)","")), loaded_file_path = case(isnotnull(loaded_file), replace(loaded_file, "(:[\w\. ]+)", "")), loaded_file = case(isnotnull(loaded_file),replace(loaded_file,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)","")), user = case(NOT user IN ("-"), replace(user, "(.*)\\\(.+)$","\2")) 
| lookup hijacklibs_loaded library AS loaded_file OUTPUT islibrary comment as desc 
| lookup hijacklibs_loaded library AS loaded_file excludes as loaded_file_path OUTPUT islibrary as excluded 
| search islibrary = TRUE AND excluded = false 
| stats count min(_time) as firstTime max(_time) as lastTime by dest loaded_file loaded_file_path process process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists service_dll_signature_verified signature signature_id user_id vendor_product 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_known_abused_dll_loaded_suspiciously_filter`
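As an added example (not part of the LoFP page or of the ESCU rule itself), the following Python re-implements the rule's three filters over constructed Sysmon EID 7 records: the trusted-directory exclusion from the base search, the hijacklibs library lookup, and the per-library expected-location excludes that suppress the legitimate loads this false-positive entry describes. The HIJACKLIBS table and the sample events are constructed placeholders, not the real lookup contents.

```python
import re
from fnmatch import fnmatchcase

# Directories the SPL drops up front (its NOT ImageLoaded IN (...) clause), as lowercase globs.
TRUSTED_GLOBS = [r"*\program files*", r"*\system32\*", r"*\syswow64\*", r"*\winsxs\*", r"*\wbem\*"]
# Constructed stand-in for the hijacklibs_loaded lookup: library -> dirs where loading it is expected.
HIJACKLIBS = {"version.dll": [r"*\windows\system32", r"*\windows\syswow64", r"*\vendor\app"],
              "dbghelp.dll": [r"*\windows\system32", r"*\windows\syswow64"]}
# The same regex the SPL eval uses to strip the directory from Image and loaded_file.
BASENAME_RE = re.compile(r"(.*\\)(?=.*(\.\w*)$|(\w+)$)")

def basename(path: str) -> str:
    return BASENAME_RE.sub("", path)

def short_user(user: str):
    """DOMAIN\\name -> name; "-" means no user and stays null, as in the SPL case()."""
    return None if user == "-" else re.sub(r"(.*)\\(.+)$", r"\2", user)

def evaluate(event: dict):
    """Return a finding for a suspicious load, or None if trusted, unknown or excluded."""
    loaded = event["ImageLoaded"]
    if any(fnmatchcase(loaded.lower(), g) for g in TRUSTED_GLOBS):
        return None                                  # filtered by the base search
    loaded_file = basename(loaded).lower()
    excludes = HIJACKLIBS.get(loaded_file)
    if excludes is None:
        return None                                  # islibrary != TRUE
    loaded_file_path = loaded.rsplit("\\", 1)[0]     # directory (rsplit, not the SPL regex)
    if any(fnmatchcase(loaded_file_path.lower(), g) for g in excludes):
        return None                                  # excluded = true: expected location
    return {"dest": event["dest"], "process_name": basename(event["Image"]),
            "loaded_file": loaded_file, "loaded_file_path": loaded_file_path,
            "user": short_user(event["user"])}

def run(events):
    return [f for f in map(evaluate, events) if f is not None]

EVENTS = [  # constructed sample Sysmon EID 7 records, not real telemetry
    {"dest": "ws01", "user": r"CORP\alice", "Image": r"C:\Users\alice\Downloads\tool.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\version.dll"},         # hijack candidate
    {"dest": "ws01", "user": r"CORP\alice", "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},              # trusted directory
    {"dest": "ws02", "user": "-", "Image": r"C:\Vendor\App\app.exe",
     "ImageLoaded": r"C:\Vendor\App\version.dll"},                    # expected location
    {"dest": "ws02", "user": r"CORP\bob", "Image": r"C:\Users\bob\AppData\Local\Foo\foo.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Foo\bar.dll"},       # not in the lookup
    {"dest": "srv01", "user": "-", "Image": r"C:\Temp\svc.exe",
     "ImageLoaded": r"C:\Temp\dbghelp.dll"},                          # hijack candidate
]
```

Only the two loads from directories that are neither trusted nor listed as expected for that library survive; tuning the excludes column is where the false positives this entry describes are handled.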