Techniques
Sample rules
Windows Known Abused DLL Created
- source: splunk
- technicques:
- T1574.001
- T1574.002
Description
The following analytic identifies the creation of Dynamic Link Libraries (DLLs) with a known history of exploitation in atypical locations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and filesystem events. This activity is significant as it may indicate DLL search order hijacking or sideloading, techniques used by attackers to execute arbitrary code, maintain persistence, or escalate privileges. If confirmed malicious, this activity could allow attackers to blend in with legitimate operations, posing a severe threat to system integrity and security.
Detection logic
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\users\\*","*\\Windows\Temp\\*","*\\programdata\\*") Filesystem.file_name="*.dll" by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| lookup hijacklibs_loaded library AS file_name OUTPUT islibrary, ttp, comment as desc
| lookup hijacklibs_loaded library AS file_name excludes as file_path OUTPUT islibrary as excluded
| search islibrary = TRUE AND excluded != TRUE
| where isnotnull(file_name)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_known_abused_dll_created_filter`