IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Unsigned DLL Loaded by Svchost Unsigned DLL Side-Loading from a Suspicious Folder »
Elastic Docs Elastic Security Solution [8.8] Detections and alerts Prebuilt rule reference

Unsigned DLL Loaded by a Trusted Process

edit

Unsigned DLL Loaded by a Trusted Process

edit

Identifies digitally signed (trusted) processes loading unsigned DLLs. Attackers may plant their payloads into the application folder and invoke the legitimate application to execute the payload, masking actions they perform under a legitimate, trusted, and potentially elevated system or software process.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: low

Risk score: 21

Runs every: 60m

Searches indices from: now-119m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Defense Evasion
  • Rule Type: BBR
  • Data Source: Elastic Defend

Version: 101

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
library where host.os.type == "windows" and
   (dll.Ext.relative_file_creation_time <= 500 or
    dll.Ext.relative_file_name_modify_time <= 500 or
    dll.Ext.device.product_id : ("Virtual DVD-ROM", "Virtual Disk")) and dll.hash.sha256 != null and
    process.code_signature.status :"trusted" and not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and
    /* DLL loaded from the process.executable current directory */
    endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))
    and not user.id : "S-1-5-18"

Framework: MITRE ATT&CKTM

« Unsigned DLL Loaded by Svchost Unsigned DLL Side-Loading from a Suspicious Folder »