Suspicious DLL Loaded for Persistence or Privilege Escalationedit
Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
- https://itm4n.github.io/windows-dll-hijacking-clarified/
- http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
- https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html
- https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html
- https://windows-internals.com/faxing-your-way-to-system/
- http://waleedassar.blogspot.com/2013/01/wow64logdll.html
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Persistence
- Privilege Escalation
Version: 6
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guideedit
Rule queryedit
any where
(event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
(
/* compatible with Elastic Endpoint Library Events */
(dll.name : ("wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll",
"wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll",
"cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll")
and (dll.code_signature.trusted == false or dll.code_signature.exists == false)) or
/* compatible with Sysmon EventID 7 - Image Load */
(file.name : ("wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll",
"wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll",
"cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll")
and not file.code_signature.status == "Valid")
)
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Hijack Execution Flow
- ID: T1574
- Reference URL: https://attack.mitre.org/techniques/T1574/
-
Sub-technique:
- Name: DLL Side-Loading
- ID: T1574.002
- Reference URL: https://attack.mitre.org/techniques/T1574/002/
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Hijack Execution Flow
- ID: T1574
- Reference URL: https://attack.mitre.org/techniques/T1574/
-
Sub-technique:
- Name: DLL Search Order Hijacking
- ID: T1574.001
- Reference URL: https://attack.mitre.org/techniques/T1574/001/