Potential DLL SideLoading via Trusted Microsoft Programsedit

Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion

Version: 1

Added (Elastic Stack release): 7.10.0

Rule authors: Elastic

Rule license: Elastic License

Rule queryedit

event.category:process and event.type:(start or process_started) and
(process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or
w3wp.exe or DISM.EXE) or
winlog.event_data.OriginalFileName:(WinWord.exe or EXPLORER.EXE or
w3wp.exe or DISM.EXE)) and not (process.name:(winword.exe or
WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or
process.executable:("C:\Windows\explorer.exe" or
C\:\\Program?Files\\Microsoft?Office\\root\\Office*\\WINWORD.EXE or C\
:\\Program?Files?\(x86\)\\Microsoft?Office\\root\\Office*\\WINWORD.EXE
or "C:\Windows\System32\Dism.exe" or "C:\Windows\SysWOW64\Dism.exe" or
"C:\Windows\System32\inetsrv\w3wp.exe"))

Threat mappingedit

Framework: MITRE ATT&CKTM