LoFP / this analytic may flag instances where dlls are loaded by user mode programs for entirely legitimate and benign purposes. it is important for users to be aware that false positives are not only possible but likely, and that careful tuning of this analytic is necessary to distinguish between malicious activity and normal, everyday operations of applications. this may involve adjusting thresholds, whitelisting known good software, or incorporating additional context from other security tools and logs to reduce the rate of false positives.

Techniques

• T1574
• T1574.001
• T1574.002

Sample rules

Windows Known Abused DLL Created

• source: splunk
• technicques:
  • T1574.001
  • T1574.002
  • T1574

Description

This analytic is designed to identify instances where Dynamic Link Libraries (DLLs) with a known history of being exploited are created in locations that are not typical for their use. This could indicate that an attacker is attempting to exploit the DLL search order hijacking or sideloading techniques. DLL search order hijacking involves tricking an application into loading a malicious DLL instead of the legitimate one it was intending to load. This is often achieved by placing the malicious DLL in a directory that is searched before the directory containing the legitimate DLL. Sideloading, similarly, involves placing a malicious DLL with the same name as a legitimate DLL that an application is known to load, in a location that the application will search before finding the legitimate version. Both of these techniques can be used by attackers to execute arbitrary code, maintain persistence on a system, and potentially elevate their privileges, all while appearing as legitimate operations to the untrained eye. This analytic aims to shed light on such suspicious activities by monitoring for the creation of known abused DLLs in unconventional locations, thereby helping in the early detection of these stealthy attack techniques.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name!="unknown" Processes.process_name=* Processes.process_guid!=null by _time span=1h Processes.dest Processes.user Processes.process_guid Processes.process_name Processes.process Processes.parent_process Processes.parent_process_name 
| `drop_dm_object_name(Processes)` 
| join max=0 process_guid dest [
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\users\\*","*\\Windows\Temp\\*","*\\programdata\\*") Filesystem.file_name="*.dll" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid 
| `drop_dm_object_name(Filesystem)` 
| lookup hijacklibs_loaded library AS file_name OUTPUT islibrary, ttp, comment as desc 
| lookup hijacklibs_loaded library AS file_name excludes as file_path OUTPUT islibrary as excluded 
| search islibrary = TRUE AND excluded != TRUE 
| stats latest(*) as * by dest process_guid ] 
| where isnotnull(file_name) 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
|  `windows_known_abused_dll_created_filter`