Windows Unsigned DLL Side-Loading
- source: splunk
- techniques:
- T1574.002
Description
The following analytic detects the loading of potentially malicious unsigned DLLs from the c:\windows\system32 or c:\windows\syswow64 folders. It leverages Sysmon EventCode 7 (image loaded) logs to identify unsigned DLLs whose signature status is unavailable being loaded from these critical directories. This activity is significant because it may indicate a DLL hijacking attempt, a technique used by attackers to gain unauthorized access and execute malicious code. If confirmed malicious, this could lead to privilege escalation, allowing the attacker to gain elevated privileges and further compromise the target system.
Detection logic
`sysmon` EventCode=7 Signed=false OriginalFileName = "-" SignatureStatus="unavailable" ImageLoaded IN ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*")
| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name dest EventCode ProcessId Hashes IMPHASH
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_unsigned_dll_side_loading_filter`
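The following Python script is an added example, not part of the Splunk rule or this page, that replays the same detection logic offline over constructed Sysmon EventCode 7 records so the filter and the `stats` aggregation can be checked without a Splunk instance. Field names follow the Sysmon event schema; all paths, hashes and timestamps are invented sample values, and the `allowlist` parameter is an assumed stand-in for the `windows_unsigned_dll_side_loading_filter` macro where known-good exceptions would be tuned out.

```python
"""Offline replica of the SPL search: keep Sysmon EventCode 7 records for
unsigned DLLs (signature unavailable, no OriginalFileName) loaded from
system32/syswow64, then aggregate count/firstTime/lastTime per group."""
from collections import defaultdict
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Same wildcard patterns as the SPL `ImageLoaded IN (...)` clause.
SYSTEM_DIR_PATTERNS = ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*")

# Fields of the SPL `stats ... by` clause (IMPHASH is derived from Hashes below).
GROUP_BY = ("Image", "ImageLoaded", "Signed", "SignatureStatus", "OriginalFileName",
            "process_name", "dest", "EventCode", "ProcessId", "Hashes")

# Constructed sample events (not real telemetry): one signed load, one unsigned
# system32 load seen twice, one unsigned load outside the system dirs, and one
# unsigned SysWOW64 load that still carries an OriginalFileName.
SAMPLE_EVENTS = [
    {"EventCode": 7, "_time": 1700000000, "dest": "host-a", "ProcessId": 1234,
     "Image": r"C:\Windows\System32\svchost.exe", "process_name": "svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true",
     "SignatureStatus": "Valid", "OriginalFileName": "ntdll.dll",
     "Hashes": "SHA256=placeholder-sha256-0,IMPHASH=placeholder-imphash-0"},
    {"EventCode": 7, "_time": 1700000100, "dest": "host-a", "ProcessId": 4321,
     "Image": r"C:\Windows\System32\svchost.exe", "process_name": "svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\example_unsigned.dll", "Signed": "false",
     "SignatureStatus": "Unavailable", "OriginalFileName": "-",
     "Hashes": "SHA256=placeholder-sha256-A,IMPHASH=placeholder-imphash-A"},
    {"EventCode": 7, "_time": 1700000200, "dest": "host-a", "ProcessId": 5555,
     "Image": r"C:\Users\alice\app.exe", "process_name": "app.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\plugin.dll", "Signed": "false",
     "SignatureStatus": "Unavailable", "OriginalFileName": "-",
     "Hashes": "SHA256=placeholder-sha256-B,IMPHASH=placeholder-imphash-B"},
    {"EventCode": 7, "_time": 1700000300, "dest": "host-a", "ProcessId": 6666,
     "Image": r"C:\Windows\SysWOW64\legacy.exe", "process_name": "legacy.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\legacy.dll", "Signed": "false",
     "SignatureStatus": "Unavailable", "OriginalFileName": "legacy.dll",
     "Hashes": "SHA256=placeholder-sha256-C,IMPHASH=placeholder-imphash-C"},
    {"EventCode": 7, "_time": 1700000400, "dest": "host-a", "ProcessId": 4321,
     "Image": r"C:\Windows\System32\svchost.exe", "process_name": "svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\example_unsigned.dll", "Signed": "false",
     "SignatureStatus": "Unavailable", "OriginalFileName": "-",
     "Hashes": "SHA256=placeholder-sha256-A,IMPHASH=placeholder-imphash-A"},
]


def in_system_dir(path):
    """Case-insensitive wildcard match, mirroring SPL's IN(...) with '*' patterns."""
    lowered = path.lower()
    return any(fnmatchcase(lowered, pat) for pat in SYSTEM_DIR_PATTERNS)


def matches_rule(event):
    """The search-time filter: EventCode=7 Signed=false OriginalFileName="-"
    SignatureStatus="unavailable" ImageLoaded IN (system32, syswow64)."""
    return (event.get("EventCode") == 7
            and str(event.get("Signed", "")).lower() == "false"
            and event.get("OriginalFileName") == "-"
            and str(event.get("SignatureStatus", "")).lower() == "unavailable"
            and in_system_dir(event.get("ImageLoaded", "")))


def imphash_from_hashes(hashes):
    """Sysmon's Hashes field is a comma-separated 'ALG=value' list; extract IMPHASH."""
    for part in hashes.split(","):
        alg, _, value = part.partition("=")
        if alg.strip().upper() == "IMPHASH":
            return value.strip()
    return None


def ctime(epoch):
    """Stand-in for `security_content_ctime`: epoch seconds to a readable UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def detect(events, allowlist=()):
    """Filter, aggregate like `stats count min(_time) max(_time) by ...`, then apply
    an allowlist of ImageLoaded paths (assumed stand-in for the filter macro)."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if not matches_rule(ev):
            continue
        key = tuple(ev.get(f) for f in GROUP_BY)
        g = groups[key]
        g["count"] += 1
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
    lowered_allow = {p.lower() for p in allowlist}
    results = []
    for key, g in groups.items():
        row = dict(zip(GROUP_BY, key))
        if row["ImageLoaded"].lower() in lowered_allow:
            continue
        row["IMPHASH"] = imphash_from_hashes(row.get("Hashes") or "")
        row.update(g)
        row["firstTime_ctime"] = ctime(g["firstTime"])
        row["lastTime_ctime"] = ctime(g["lastTime"])
        results.append(row)
    return results


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row["dest"], row["Image"], "->", row["ImageLoaded"],
              "count", row["count"], row["firstTime_ctime"], row["lastTime_ctime"])
```

Running it against the constructed sample yields a single row: the unsigned DLL loaded twice from System32 by the same process, with the user-profile load and the SysWOW64 load that still has an OriginalFileName both dropped, which is the behaviour to expect from the SPL filter. Paths added to `allowlist` model the tuning that the filter macro performs in production.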