Adversaries may be sideloading malicious DLLs from suspicious locations to execute arbitrary code and evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential lateral movement and persistence tactics.
Detection Rule
title: Abusable DLL Potential Sideloading From Suspicious Location
id: 799a5f48-0ac1-4e0f-9152-71d137d48c2a
status: test
description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
references:
    - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-07-11
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: image_load
    product: windows
detection:
    selection_dll:
        ImageLoaded|endswith:
            # Note: Add more generic DLLs that cannot be pin-pointed to a single application
            - '\coreclr.dll'
            - '\facesdk.dll'
            - '\HPCustPartUI.dll'
            - '\libcef.dll'
            - '\ZIPDLL.dll'
    selection_folders_1:
        ImageLoaded|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\Temporary Internet'
            - '\Windows\Temp\'
    selection_folders_2:
        - ImageLoaded|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - ImageLoaded|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - ImageLoaded|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - ImageLoaded|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: selection_dll and 1 of selection_folders_*
falsepositives:
    - Unknown
level: high
DeviceImageLoadEvents
| where (FolderPath endswith "\\coreclr.dll"
         or FolderPath endswith "\\facesdk.dll"
         or FolderPath endswith "\\HPCustPartUI.dll"
         or FolderPath endswith "\\libcef.dll"
         or FolderPath endswith "\\ZIPDLL.dll")
    and ((FolderPath contains ":\\Perflogs\\"
          or FolderPath contains ":\\Users\\Public\\"
          or FolderPath contains "\\Temporary Internet"
          or FolderPath contains "\\Windows\\Temp\\")
         or ((FolderPath contains ":\\Users\\" and FolderPath contains "\\Favorites\\")
             or (FolderPath contains ":\\Users\\" and FolderPath contains "\\Favourites\\")
             or (FolderPath contains ":\\Users\\" and FolderPath contains "\\Contacts\\")
             or (FolderPath contains ":\\Users\\" and FolderPath contains "\\Pictures\\")))
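The rule's condition (selection_dll and 1 of selection_folders_*) as a small Python hunt over constructed image_load events, added here as an example and not part of the Sigma rule or its Sentinel translation; the event dicts, the Image/ImageLoaded field names and the matches_rule/hunt helpers are assumptions. It also shows the two points that trip up hand-written ports: Sigma string modifiers match case-insensitively, and contains|all requires every substring of a group to be present, so a DLL under D:\Pictures\ does not fire.

```python
# Generic DLL names known to be abused for sideloading (the rule's selection_dll)
ABUSED_DLLS = ("\\coreclr.dll", "\\facesdk.dll", "\\HPCustPartUI.dll",
               "\\libcef.dll", "\\ZIPDLL.dll")

# selection_folders_1: any single substring is enough
SUSPICIOUS_FOLDERS = (":\\Perflogs\\", ":\\Users\\Public\\",
                      "\\Temporary Internet", "\\Windows\\Temp\\")

# selection_folders_2: every substring in one group must be present (contains|all)
USER_PROFILE_FOLDERS = (
    (":\\Users\\", "\\Favorites\\"),
    (":\\Users\\", "\\Favourites\\"),
    (":\\Users\\", "\\Contacts\\"),
    (":\\Users\\", "\\Pictures\\"),
)


def matches_rule(image_loaded: str) -> bool:
    """Evaluate the Sigma condition for one loaded-image path (case-insensitive)."""
    path = image_loaded.lower()
    selection_dll = any(path.endswith(dll.lower()) for dll in ABUSED_DLLS)
    folders_1 = any(folder.lower() in path for folder in SUSPICIOUS_FOLDERS)
    folders_2 = any(all(part.lower() in path for part in group)
                    for group in USER_PROFILE_FOLDERS)
    # condition: selection_dll and 1 of selection_folders_*
    return selection_dll and (folders_1 or folders_2)


def hunt(events):
    """Return the events that fire the rule; each event is a dict with an ImageLoaded key."""
    return [event for event in events if matches_rule(event["ImageLoaded"])]


# Constructed sample image_load events, not real telemetry
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\Public\\update.exe", "ImageLoaded": "C:\\Users\\Public\\libcef.dll"},
    {"Image": "C:\\Users\\alice\\Pictures\\viewer.exe",
     "ImageLoaded": "C:\\Users\\alice\\Pictures\\CoreCLR.dll"},   # mixed case still matches
    {"Image": "C:\\Program Files\\App\\app.exe", "ImageLoaded": "C:\\Program Files\\App\\libcef.dll"},
    {"Image": "C:\\Windows\\Temp\\setup.exe", "ImageLoaded": "C:\\Windows\\Temp\\ntdll.dll"},
    {"Image": "C:\\Users\\bob\\viewer.exe", "ImageLoaded": "D:\\Pictures\\coreclr.dll"},  # no ':\Users\'
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT", hit["Image"], "->", hit["ImageLoaded"])
```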
Scenario: Scheduled System Maintenance Task Using a Legitimate DLL from a Non-Standard Path
Description: A scheduled task runs a legitimate system maintenance script that uses a DLL from a non-standard directory (e.g., C:\Temp\), which is common during software installation or updates.
Filter/Exclusion: process.parent_process_name == "schtasks.exe" or process.name == "schtasks.exe"
Scenario: Admin Task Deploying a Custom DLL for Internal Tooling
Description: An administrator deploys a custom DLL for an internal tool or application, which is placed in a non-standard directory (e.g., C:\CustomTools\) as part of a deployment process.
Filter/Exclusion: process.user == "Administrator" or process.parent_process_name == "msiexec.exe"
Scenario: Software Update Process Using a DLL from a Temporary Folder
Description: A software update or patching process temporarily places a DLL in a system temporary directory (e.g., C:\Windows\Temp\) before moving it to its final location.
Filter/Exclusion: process.name == "msiexec.exe" or process.name == "setup.exe"
Scenario: Use of a Legitimate DLL by a Security Tool for Analysis
Description: A security tool (e.g., Microsoft Defender ATP, Windows Defender, or Sysmon) uses a DLL from a non-standard location as part of its analysis or sandboxing process.
Filter/Exclusion: process.name == "MsMpEng.exe" or (process.name == "svchost.exe" and process.parent_process_name == "explorer.exe")
Scenario: PowerShell Script Loading a DLL from a Local Script Directory
Description: A PowerShell script loads a DLL from a local script directory (