LoFP / false positives will be present based on paths. filter or add other paths to the exclusion as needed. some applications may legitimately load libraries from non-standard paths.

Techniques

• T1574.001

Sample rules

Windows DLL Search Order Hijacking Hunt with Sysmon

• source: splunk
• technicques:
  • T1574.001

Description

The following analytic identifies potential DLL search order hijacking or DLL sideloading by detecting known Windows libraries loaded from non-standard directories. It leverages Sysmon EventCode 7 to monitor DLL loads and cross-references them with a lookup of known hijackable libraries. This activity is significant as it may indicate an attempt to execute malicious code by exploiting DLL search order vulnerabilities. If confirmed malicious, this could allow attackers to gain code execution, escalate privileges, or maintain persistence within the environment.

Detection logic

`sysmon` EventCode=7 NOT (process_path IN ("*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*")) 
| lookup hijacklibs library AS loaded_file OUTPUT islibrary 
| search islibrary = True 
| stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name by _time dest loaded_file 
| `windows_dll_search_order_hijacking_hunt_with_sysmon_filter`