LoFP LoFP / false positives will be present based on paths. filter or add other paths to the exclusion as needed. some applications may legitimately load libraries from non-standard paths.

Sample rules

Windows DLL Search Order Hijacking Hunt with Sysmon

Description

This hunting analytic identifies known Windows libraries potentially used in DLL search order hijacking or DLL Sideloading scenarios. Such cases may necessitate recompiling the DLL, relocating the DLL, or moving the vulnerable process. The query searches for any processes running outside of system32 or syswow64 directories. Certain libraries inherently operate from different application paths and must be added to the exclusion list as required. The lookup includes Microsoft native libraries cataloged in the Hijacklibs.net project.

Detection logic

`sysmon` EventCode=7 NOT (process_path IN ("*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*")) 
| lookup hijacklibs library AS loaded_file OUTPUT islibrary 
| search islibrary = True 
| stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name by _time dest loaded_file 
| `windows_dll_search_order_hijacking_hunt_with_sysmon_filter`

Windows DLL Search Order Hijacking Hunt

Description

The following hunting analytic is an experimental query built against a accidental feature using the latest Sysmon TA 3.0 (https://splunkbase.splunk.com/app/5709/) which maps the module load (ImageLoaded) to process_name. This analytic will deprecate once this is fixed. This hunting analytic identifies known libraries in Windows that may be used in a DLL search order hijack or DLL Sideloading setting. This may require recompiling the DLL, moving the DLL or moving the vulnerable process. The query looks for any running out of system32 or syswow64. Some libraries natively run out of other application paths and will need to be added to the exclusion as needed. The lookup is comprised of Microsoft native libraries identified within the Hijacklibs.net project.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown NOT (Processes.process_path IN ("*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*"))  by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process_path 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `drop_dm_object_name(Processes)` 
| lookup hijacklibs library AS process_name OUTPUT islibrary 
| search islibrary = True 
| rename parent_process_name as process_name , process_name AS ImageLoaded, process_path AS Module_Path 
| `windows_dll_search_order_hijacking_hunt_filter`