[Rule Tuning] Potential DLL Side-Loading via Trusted Microsoft Programs #4449

Open
tyler-mcadam opened this issue Feb 5, 2025 · 3 comments
Assignees: none at time of opening
Labels: community; Rule: Tuning (tweaking or tuning an existing rule); Team: TRADE

Comments

@tyler-mcadam
Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml

Rule Tuning Type

False Negatives - Enhancing detection of true threats that were previously missed.

Description

I thought this should have triggered when I moved explorer.exe to my home dir. After examining the query, it looks like a different path AND file name are required to trigger. The description makes it sound like either the name or path changing should be enough to trigger. I think the 'or' was supposed to be 'and'.

Description:
Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.

Current query:

process where host.os.type == "windows" and event.type == "start" and
  process.pe.original_file_name in ("WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE") and
  not (process.name : ("winword.exe", "explorer.exe", "w3wp.exe", "Dism.exe") or
       process.executable : ("?:\\Windows\\explorer.exe",
                             "?:\\Program Files\\Microsoft Office\\root\\Office*\\WINWORD.EXE",
                             "?:\\Program Files?(x86)\\Microsoft Office\\root\\Office*\\WINWORD.EXE",
                             "?:\\Windows\\System32\\Dism.exe",
                             "?:\\Windows\\SysWOW64\\Dism.exe",
                             "?:\\Windows\\System32\\inetsrv\\w3wp.exe"))

https://unit42.paloaltonetworks.com/dll-hijacking-techniques/

Example Data

Not sure what is needed here, let me know if this isn't enough.
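To make the false negative concrete, here is an added example that is not part of the issue or of the detection-rules repository: a small Python evaluator that replays the rule's two predicates over constructed process-start events. It shows that with the original `not (name OR path)` the alert fires only when both the file name and the path are unexpected, so explorer.exe copied unchanged into a home directory is missed, while the reporter's `not (name AND path)` variant fires when either one is unexpected. The EQL `:` operator is approximated with case-insensitive glob matching (`?` one character, `*` any run), and `in` is kept case-sensitive as in EQL; the events and paths are constructed sample data.

```python
from fnmatch import fnmatchcase

# Values copied from the rule's query (ordering and case as in the rule).
ORIGINAL_FILE_NAMES = ("WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE")
EXPECTED_PROCESS_NAMES = ("winword.exe", "explorer.exe", "w3wp.exe", "Dism.exe")
EXPECTED_PATHS = (
    r"?:\Windows\explorer.exe",
    r"?:\Program Files\Microsoft Office\root\Office*\WINWORD.EXE",
    r"?:\Program Files?(x86)\Microsoft Office\root\Office*\WINWORD.EXE",
    r"?:\Windows\System32\Dism.exe",
    r"?:\Windows\SysWOW64\Dism.exe",
    r"?:\Windows\System32\inetsrv\w3wp.exe",
)


def eql_match(value, patterns):
    """Approximate EQL ':' : case-insensitive glob match against any pattern."""
    v = value.lower()
    return any(fnmatchcase(v, p.lower()) for p in patterns)


def in_scope(event):
    """The part of the query both variants share. EQL 'in' is case-sensitive."""
    return (
        event["host.os.type"] == "windows"
        and event["event.type"] == "start"
        and event["process.pe.original_file_name"] in ORIGINAL_FILE_NAMES
    )


def original_rule(event):
    """not (name_ok OR path_ok): fires only when name AND path are both unexpected."""
    if not in_scope(event):
        return False
    name_ok = eql_match(event["process.name"], EXPECTED_PROCESS_NAMES)
    path_ok = eql_match(event["process.executable"], EXPECTED_PATHS)
    return not (name_ok or path_ok)


def proposed_rule(event):
    """not (name_ok AND path_ok): fires when name OR path is unexpected."""
    if not in_scope(event):
        return False
    name_ok = eql_match(event["process.name"], EXPECTED_PROCESS_NAMES)
    path_ok = eql_match(event["process.executable"], EXPECTED_PATHS)
    return not (name_ok and path_ok)


def make_event(name, executable, original_file_name):
    # Constructed sample event in ECS field names; not real telemetry.
    return {
        "host.os.type": "windows",
        "event.type": "start",
        "process.name": name,
        "process.executable": executable,
        "process.pe.original_file_name": original_file_name,
    }


# Constructed scenarios (paths and user names are placeholders).
LEGIT_EXPLORER = make_event("explorer.exe", r"C:\Windows\explorer.exe", "EXPLORER.EXE")
LEGIT_WINWORD = make_event(
    "WINWORD.EXE",
    r"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE",
    "WinWord.exe",
)
# The reporter's case: same file name, non-standard path.
MOVED_EXPLORER = make_event("explorer.exe", r"C:\Users\someuser\explorer.exe", "EXPLORER.EXE")
# Renamed and moved: the only case the original logic catches.
RENAMED_AND_MOVED = make_event("upd.exe", r"C:\Users\someuser\upd.exe", "EXPLORER.EXE")


def compare(events):
    """Return {label: (original_fires, proposed_fires)} for a list of (label, event)."""
    return {label: (original_rule(ev), proposed_rule(ev)) for label, ev in events}


if __name__ == "__main__":
    results = compare([
        ("legit explorer", LEGIT_EXPLORER),
        ("legit winword", LEGIT_WINWORD),
        ("moved explorer", MOVED_EXPLORER),
        ("renamed+moved", RENAMED_AND_MOVED),
    ])
    for label, (orig, prop) in results.items():
        print(f"{label:15s} original={orig!s:5s} proposed={prop!s:5s}")
```

The two legitimate launches stay quiet under both variants, which is the check worth keeping when tuning: tightening the `not` clause must not start alerting on the stock Office and Windows paths, including the `Program Files (x86)` form that relies on the `?` wildcard.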

@tyler-mcadam tyler-mcadam added Rule: Tuning tweaking or tuning an existing rule Team: TRADE labels Feb 5, 2025
@tyler-mcadam tyler-mcadam changed the title [Rule Tuning] Name of rule [Rule Tuning] Potential DLL Side-Loading via Trusted Microsoft Programs Feb 7, 2025
@Samirbous
Contributor

@tyler-mcadam thank you for reporting this issue; indeed the not condition not (process.name : ("winword.exe", "explorer.exe", "w3wp.exe", "Dism.exe") will cause the rule to miss the case where the binary is just moved to a different path. This PR should fix it.

@tyler-mcadam
Author

Oh that's even simpler than I thought. I like this solution a lot. Thanks! Am I supposed to close the issue or do you do it after merging?

@Samirbous
Contributor

Am I supposed to close the issue or do you do it after merging?

@tyler-mcadam once merged we will close it.

@Samirbous Samirbous self-assigned this Mar 12, 2025