Potential DLL SideLoading via Trusted Microsoft Programsedit

Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion

Version: 8 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 8.4.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guideedit


Rule queryedit

process where event.type == "start" and
process.pe.original_file_name in ("WinWord.exe", "EXPLORER.EXE",
"w3wp.exe", "DISM.EXE") and not (process.name : ("winword.exe",
"explorer.exe", "w3wp.exe", "Dism.exe") or process.executable
: ("?:\\Windows\\explorer.exe",
"?:\\Program Files\\Microsoft Office\\root\\Office*\\WINWORD.EXE",
"?:\\Program Files?(x86)\\Microsoft
Office\\root\\Office*\\WINWORD.EXE",
"?:\\Windows\\System32\\Dism.exe",
"?:\\Windows\\SysWOW64\\Dism.exe",
"?:\\Windows\\System32\\inetsrv\\w3wp.exe") )

Threat mappingedit

Framework: MITRE ATT&CKTM

Rule version historyedit

Version 8 (8.4.0 release)
  • Formatting only
Version 6 (8.2.0 release)
  • Formatting only
Version 5 (7.13.0 release)
  • Updated query, changed from:

    event.category:process and event.type:(start or process_started) and
    process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe
    or DISM.EXE) and not (process.name:(winword.exe or WINWORD.EXE or
    explorer.exe or w3wp.exe or Dism.exe) or
    process.executable:("C:\Windows\explorer.exe" or
    C\:\\Program?Files\\Microsoft?Office\\root\\Office*\\WINWORD.EXE or C\
    :\\Program?Files?\(x86\)\\Microsoft?Office\\root\\Office*\\WINWORD.EXE
    or "C:\Windows\System32\Dism.exe" or "C:\Windows\SysWOW64\Dism.exe" or
    "C:\Windows\System32\inetsrv\w3wp.exe"))
Version 4 (7.12.0 release)
  • Formatting only
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Updated query, changed from:

    event.category:process and event.type:(start or process_started) and
    (process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or
    w3wp.exe or DISM.EXE) or
    winlog.event_data.OriginalFileName:(WinWord.exe or EXPLORER.EXE or
    w3wp.exe or DISM.EXE)) and not (process.name:(winword.exe or
    WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or
    process.executable:("C:\Windows\explorer.exe" or
    C\:\\Program?Files\\Microsoft?Office\\root\\Office*\\WINWORD.EXE or C\
    :\\Program?Files?\(x86\)\\Microsoft?Office\\root\\Office*\\WINWORD.EXE
    or "C:\Windows\System32\Dism.exe" or "C:\Windows\SysWOW64\Dism.exe" or
    "C:\Windows\System32\inetsrv\w3wp.exe"))