LoFP / it is possible some administrative utilities will load msi.dll outside of normal system paths, filter as needed.

Techniques

Sample rules

MSI Module Loaded by Non-System Binary

Description

The following hunting analytic identifies msi.dll being loaded by a binary not located in system32, syswow64, winsxs or windows paths. This behavior is most recently related to InstallerFileTakeOver, or CVE-2021-41379, and DLL side-loading. CVE-2021-41379 requires a binary to be dropped and msi.dll to be loaded by it. Successful exploitation of this issue happens in four parts:

  1. Generation of an MSI that will trigger bad behavior.
  2. Preparing a directory for MSI installation.
  3. Inducing an error state.
  4. Racing to introduce a junction and a symlink to trick msiexec.exe into modifying the attacker-specified file.

In addition, msi.dll has been abused in DLL side-loading attacks by being loaded by non-system binaries.

Detection logic

`sysmon` EventCode=7 ImageLoaded="*\\msi.dll" NOT (Image IN ("*\\System32\\*","*\\syswow64\\*","*\\windows\\*", "*\\winsxs\\*")) 
| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode ProcessId 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `msi_module_loaded_by_non_system_binary_filter`
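The same filtering and aggregation as the SPL above, applied to constructed Sysmon EventCode 7 records so the logic can be checked offline. This is an added example and not part of the Splunk rule; the `allowlist` argument is an assumed stand-in for the `msi_module_loaded_by_non_system_binary_filter` tuning macro, and the sample events are made up.

```python
from fnmatch import fnmatchcase

# Exclusions from the SPL: loads by images under normal Windows system paths.
SYSTEM_PATH_PATTERNS = ("*\\system32\\*", "*\\syswow64\\*", "*\\windows\\*", "*\\winsxs\\*")

# Constructed Sysmon EventCode 7 (Image Loaded) records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 7, "_time": 1700000000, "dest": "ws01", "ProcessId": 412,
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "ImageLoaded": "C:\\Windows\\System32\\msi.dll"},
    {"EventCode": 7, "_time": 1700000010, "dest": "ws01", "ProcessId": 5120,
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe",
     "ImageLoaded": "C:\\Windows\\System32\\msi.dll"},
    {"EventCode": 7, "_time": 1700000020, "dest": "ws01", "ProcessId": 5120,
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe",
     "ImageLoaded": "C:\\Windows\\System32\\msi.dll"},
    {"EventCode": 7, "_time": 1700000030, "dest": "ws02", "ProcessId": 3300,
     "Image": "C:\\Program Files\\Vendor\\AdminTool.exe",
     "ImageLoaded": "C:\\Windows\\System32\\msi.dll"},
    {"EventCode": 1, "_time": 1700000040, "dest": "ws02", "ProcessId": 3301,
     "Image": "C:\\Users\\bob\\Downloads\\dropper.exe", "ImageLoaded": ""},
]

def is_non_system_msi_load(event, allowlist=()):
    """True when an EventCode 7 record shows msi.dll loaded by a non-system image.
    `allowlist` (assumed) plays the role of the SPL tuning macro: glob patterns
    for known administrative utilities that legitimately load msi.dll."""
    if event.get("EventCode") != 7:
        return False
    image = event.get("Image", "").lower()      # Splunk wildcard matching is case-insensitive
    loaded = event.get("ImageLoaded", "").lower()
    if not fnmatchcase(loaded, "*\\msi.dll"):
        return False
    if any(fnmatchcase(image, p) for p in SYSTEM_PATH_PATTERNS):
        return False
    return not any(fnmatchcase(image, p.lower()) for p in allowlist)

def hunt_msi_loads(events, allowlist=()):
    """Mirror the SPL stats clause: count, firstTime and lastTime per
    (Image, ImageLoaded, dest, ProcessId) for the surviving events."""
    results = {}
    for ev in events:
        if not is_non_system_msi_load(ev, allowlist):
            continue
        key = (ev["Image"], ev["ImageLoaded"], ev["dest"], ev["ProcessId"])
        row = results.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return results
```

Running `hunt_msi_loads(SAMPLE_EVENTS)` surfaces both the Temp-directory updater and the vendor admin tool; passing `allowlist=("C:\\Program Files\\Vendor\\*",)` drops the latter, which is the kind of tuning the false-positive note at the top of the page refers to.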