Techniques
Sample rules
Windows DLL Search Order Hijacking Hunt with Sysmon
- source: splunk
- technicques:
- T1574.001
Description
The following analytic identifies potential DLL search order hijacking or DLL sideloading by detecting known Windows libraries loaded from non-standard directories. It leverages Sysmon EventCode 7 to monitor DLL loads and cross-references them with a lookup of known hijackable libraries. This activity is significant as it may indicate an attempt to execute malicious code by exploiting DLL search order vulnerabilities. If confirmed malicious, this could allow attackers to gain code execution, escalate privileges, or maintain persistence within the environment.
Detection logic
`sysmon` EventCode=7 NOT (process_path IN ("*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*"))
| lookup hijacklibs library AS loaded_file OUTPUT islibrary
| search islibrary = True
| stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name by _time dest loaded_file
| `windows_dll_search_order_hijacking_hunt_with_sysmon_filter`