LoFP / Legitimate software updates or remote imaging tools may load images from shared folders. Filter these detections for approved applications to reduce false positives.

Techniques

Sample rules

Windows Remote Image Load

Description

The following analytic detects image load events where a process loads a file from a remote share path. This activity is significant because remote DLL or image loading can be abused for execution, defense evasion, or lateral movement while leaving the payload hosted on another system. If confirmed malicious, an attacker may be loading code into a local process from attacker-controlled infrastructure.

Detection logic

`sysmon` EventID=7 ImageLoaded="\\\\*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by Computer ImageLoaded EventID dest loaded_file loaded_file_path process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists service_dll_signature_verified signature_id user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_remote_image_load_filter`
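As an added example that is not part of this page or of Splunk's security content, the following Python reproduces the query's core logic over constructed Sysmon Event ID 7 records: the UNC-path match, an allowlist standing in for the `windows_remote_image_load_filter` macro, and the per-key count/firstTime/lastTime aggregation. The sample hosts, paths, timestamps and the allowlist contents are assumptions.

```python
from datetime import datetime

# Constructed sample events shaped like Sysmon Event ID 7 (ImageLoad) records;
# hosts, paths and timestamps are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 7, "Computer": "WS01", "_time": "2024-01-05T10:00:00",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"\\10.0.0.5\share\payload.dll"},
    {"EventID": 7, "Computer": "WS01", "_time": "2024-01-05T10:02:00",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"\\10.0.0.5\share\payload.dll"},
    {"EventID": 7, "Computer": "WS02", "_time": "2024-01-05T11:00:00",
     "Image": r"C:\Program Files\Updater\updater.exe",
     "ImageLoaded": r"\\fileserver\updates\helper.dll"},
    {"EventID": 7, "Computer": "WS03", "_time": "2024-01-05T12:00:00",
     "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    {"EventID": 1, "Computer": "WS03", "_time": "2024-01-05T12:01:00",
     "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"\\fileserver\updates\helper.dll"},
]

# Hypothetical allowlist standing in for `windows_remote_image_load_filter`:
# approved loader processes whose remote image loads are expected.
APPROVED_PROCESSES = {r"c:\program files\updater\updater.exe"}


def is_remote_image_load(event):
    # Same condition as EventID=7 ImageLoaded="\\\\*": an ImageLoad event whose
    # loaded path is a UNC path (starts with two backslashes).
    loaded = str(event.get("ImageLoaded", ""))
    return event.get("EventID") == 7 and loaded.startswith("\\\\")


def detect_remote_image_loads(events, approved=APPROVED_PROCESSES):
    # Apply the match, drop approved loaders (the filter step), then aggregate
    # count/firstTime/lastTime per key as the stats clause does.
    results = {}
    for ev in events:
        if not is_remote_image_load(ev) or ev["Image"].lower() in approved:
            continue
        key = (ev["Computer"], ev["Image"], ev["ImageLoaded"])
        ts = datetime.fromisoformat(ev["_time"])
        agg = results.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts})
        agg["count"] += 1
        agg["firstTime"] = min(agg["firstTime"], ts)
        agg["lastTime"] = max(agg["lastTime"], ts)
    return results
```

Running it with the allowlist empty (`approved=set()`) shows the updater's remote load surfacing as a second hit, which is exactly the false positive the filter macro is meant to remove.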