IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Unsigned DLL Loaded by a Trusted Process
editUnsigned DLL Loaded by a Trusted Process
editIdentifies digitally signed (trusted) processes loading unsigned DLLs. Attackers may plant their payloads into the application folder and invoke the legitimate application to execute the payload, masking actions they perform under a legitimate, trusted, and potentially elevated system or software process.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: low
Risk score: 21
Runs every: 60m
Searches indices from: now-119m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References: None
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Defense Evasion
- Rule Type: BBR
- Data Source: Elastic Defend
Version: 101
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editlibrary where host.os.type == "windows" and (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500 or dll.Ext.device.product_id : ("Virtual DVD-ROM", "Virtual Disk")) and dll.hash.sha256 != null and process.code_signature.status :"trusted" and not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and /* DLL loaded from the process.executable current directory */ endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1))) and not user.id : "S-1-5-18"
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Hijack Execution Flow
- ID: T1574
- Reference URL: https://attack.mitre.org/techniques/T1574/
-
Sub-technique:
- Name: DLL Search Order Hijacking
- ID: T1574.001
- Reference URL: https://attack.mitre.org/techniques/T1574/001/
-
Sub-technique:
- Name: DLL Side-Loading
- ID: T1574.002
- Reference URL: https://attack.mitre.org/techniques/T1574/002/