IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Potential Credential Access via Windows Utilities Potential DNS Tunneling via Iodine »

› › ›

Potential DLL SideLoading via Trusted Microsoft Programs

edit

Potential DLL SideLoading via Trusted Microsoft Programs

edit

Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.

Rule type: query

Rule indices:

winlogbeat-*
logs-endpoint.events.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Elastic
Host
Windows
Threat Detection
Defense Evasion

Version: 3 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.11.2

Rule authors: Elastic

Rule license: Elastic License

Rule query

edit

event.category:process and event.type:(start or process_started) and
process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe
or DISM.EXE) and not (process.name:(winword.exe or WINWORD.EXE or
explorer.exe or w3wp.exe or Dism.exe) or
process.executable:("C:\Windows\explorer.exe" or
C\:\\Program?Files\\Microsoft?Office\\root\\Office*\\WINWORD.EXE or C\
:\\Program?Files?\(x86\)\\Microsoft?Office\\root\\Office*\\WINWORD.EXE
or "C:\Windows\System32\Dism.exe" or "C:\Windows\SysWOW64\Dism.exe" or
"C:\Windows\System32\inetsrv\w3wp.exe"))

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Masquerading
- ID: T1036
- Reference URL: https://attack.mitre.org/techniques/T1036/

Rule version history

edit

Version 3 (7.11.2 release)

Formatting only

Version 2 (7.11.0 release)

Updated query, changed from:

event.category:process and event.type:(start or process_started) and
(process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or
w3wp.exe or DISM.EXE) or
winlog.event_data.OriginalFileName:(WinWord.exe or EXPLORER.EXE or
w3wp.exe or DISM.EXE)) and not (process.name:(winword.exe or
WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or
process.executable:("C:\Windows\explorer.exe" or
C\:\\Program?Files\\Microsoft?Office\\root\\Office*\\WINWORD.EXE or C\
:\\Program?Files?\(x86\)\\Microsoft?Office\\root\\Office*\\WINWORD.EXE
or "C:\Windows\System32\Dism.exe" or "C:\Windows\SysWOW64\Dism.exe" or
"C:\Windows\System32\inetsrv\w3wp.exe"))

« Potential Credential Access via Windows Utilities Potential DNS Tunneling via Iodine »