LoFP / false positives will be present based on paths. filter or add other paths to the exclusion as needed.

• T1574
• T1574.001

Sample rules

Windows DLL Search Order Hijacking Hunt

• source: splunk
• technicques:
  • T1574.001
  • T1574

Description

The following hunting analytic is an experimental query built against a accidental feature using the latest Sysmon TA 3.0 (https://splunkbase.splunk.com/app/5709/) which maps the module load (ImageLoaded) to process_name. This analytic will deprecate once this is fixed. This hunting analytic identifies known libraries in Windows that may be used in a DLL search order hijack or DLL Sideloading setting. This may require recompiling the DLL, moving the DLL or moving the vulnerable process. The query looks for any running out of system32 or syswow64. Some libraries natively run out of other application paths and will need to be added to the exclusion as needed. The lookup is comprised of Microsoft native libraries identified within the Hijacklibs.net project.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown NOT (Processes.process_path IN ("*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*"))  by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process_path 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `drop_dm_object_name(Processes)` 
| lookup hijacklibs library AS process_name OUTPUT islibrary 
| search islibrary = True 
| rename parent_process_name as process_name , process_name AS ImageLoaded, process_path AS Module_Path 
| `windows_dll_search_order_hijacking_hunt_filter`

Windows DLL Search Order Hijacking Hunt with Sysmon

• source: splunk
• technicques:
  • T1574.001
  • T1574

Description

The following analytic identifies potential DLL search order hijacking or DLL sideloading by detecting known Windows libraries loaded from non-standard directories. It leverages Sysmon EventCode 7 to monitor DLL loads and cross-references them with a lookup of known hijackable libraries. This activity is significant as it may indicate an attempt to execute malicious code by exploiting DLL search order vulnerabilities. If confirmed malicious, this could allow attackers to gain code execution, escalate privileges, or maintain persistence within the environment.

Detection logic

`sysmon` EventCode=7 NOT (process_path IN ("*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*")) 
| lookup hijacklibs library AS loaded_file OUTPUT islibrary 
| search islibrary = True 
| stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name by _time dest loaded_file 
| `windows_dll_search_order_hijacking_hunt_with_sysmon_filter`