The hypothesis is that an adversary is attempting to sideload a malicious DLL into a legitimate process through the Aruba Networks Virtual Intranet Access service (arubanetsvc.exe), leveraging T1574.001 (DLL Search Order Hijacking) to execute arbitrary code with the service's elevated privileges. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential lateral movement and persistence tactics early in the attack lifecycle.
Detection Rule
title: Aruba Network Service Potential DLL Sideloading
id: 90ae0469-0cee-4509-b67f-e5efcef040f7
status: test
description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
references:
    - https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-03-15
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\arubanetsvc.exe'
        ImageLoaded|endswith:
            - '\wtsapi32.dll'
            - '\msvcr100.dll'
            - '\msvcp100.dll'
            - '\dbghelp.dll'
            - '\dbgcore.dll'
            - '\wininet.dll'
            - '\iphlpapi.dll'
            - '\version.dll'
            - '\cryptsp.dll'
            - '\cryptbase.dll'
            - '\wldp.dll'
            - '\profapi.dll'
            - '\sspicli.dll'
            - '\winsta.dll'
            - '\dpapi.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
DeviceImageLoadEvents
| where InitiatingProcessFolderPath endswith "\\arubanetsvc.exe"
    and (FolderPath endswith "\\wtsapi32.dll"
        or FolderPath endswith "\\msvcr100.dll"
        or FolderPath endswith "\\msvcp100.dll"
        or FolderPath endswith "\\dbghelp.dll"
        or FolderPath endswith "\\dbgcore.dll"
        or FolderPath endswith "\\wininet.dll"
        or FolderPath endswith "\\iphlpapi.dll"
        or FolderPath endswith "\\version.dll"
        or FolderPath endswith "\\cryptsp.dll"
        or FolderPath endswith "\\cryptbase.dll"
        or FolderPath endswith "\\wldp.dll"
        or FolderPath endswith "\\profapi.dll"
        or FolderPath endswith "\\sspicli.dll"
        or FolderPath endswith "\\winsta.dll"
        or FolderPath endswith "\\dpapi.dll")
    and not (FolderPath startswith "C:\\Windows\\System32\\"
        or FolderPath startswith "C:\\Windows\\SysWOW64\\"
        or FolderPath startswith "C:\\Windows\\WinSxS\\")
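As an added example (not part of this hunt page or the Sigma project's own code), the rule's "selection and not filter" logic implemented in Python and run over constructed DeviceImageLoadEvents-style records; the VIA install directory, host names and user paths are assumptions. It also shows why the comparisons must be case-insensitive: KQL endswith/startswith and Sigma's string modifiers ignore case, so a mixed-case System32 path must still be excluded by the filter.

```python
from typing import Iterable

# Field values copied from the rule above.
TARGET_PROCESS = "\\arubanetsvc.exe"
SIDELOAD_CANDIDATES = [
    "\\wtsapi32.dll", "\\msvcr100.dll", "\\msvcp100.dll", "\\dbghelp.dll",
    "\\dbgcore.dll", "\\wininet.dll", "\\iphlpapi.dll", "\\version.dll",
    "\\cryptsp.dll", "\\cryptbase.dll", "\\wldp.dll", "\\profapi.dll",
    "\\sspicli.dll", "\\winsta.dll", "\\dpapi.dll",
]
TRUSTED_PREFIXES = [
    "C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\", "C:\\Windows\\WinSxS\\",
]

def matches_rule(event: dict) -> bool:
    """Evaluate 'selection and not filter' for one image-load event.
    Sigma string modifiers and KQL endswith/startswith are case-insensitive,
    so both paths are lower-cased before comparison."""
    proc = event.get("InitiatingProcessFolderPath", "").lower()
    dll = event.get("FolderPath", "").lower()
    if not proc.endswith(TARGET_PROCESS.lower()):
        return False
    if not any(dll.endswith(c.lower()) for c in SIDELOAD_CANDIDATES):
        return False
    # filter: loads from the OS directories are the expected copies
    return not any(dll.startswith(p.lower()) for p in TRUSTED_PREFIXES)

def hunt(events: Iterable[dict]) -> list[dict]:
    """Return the events the KQL 'where' clause above would keep."""
    return [e for e in events if matches_rule(e)]

# Constructed sample telemetry (hypothetical host names and paths).
VIA = "C:\\Program Files (x86)\\Aruba Networks\\VirtualIntranetAccess"  # assumed install dir
SAMPLE_EVENTS = [
    # expected copy from System32 -> excluded by the filter
    {"DeviceName": "wks01", "InitiatingProcessFolderPath": VIA + "\\arubanetsvc.exe",
     "FolderPath": "C:\\Windows\\System32\\wtsapi32.dll"},
    # same DLL name beside the service binary -> search-order hijack candidate
    {"DeviceName": "wks01", "InitiatingProcessFolderPath": VIA + "\\arubanetsvc.exe",
     "FolderPath": VIA + "\\wtsapi32.dll"},
    # mixed-case System32 path -> still excluded (case-insensitive match)
    {"DeviceName": "wks02", "InitiatingProcessFolderPath": VIA.upper() + "\\ARUBANETSVC.EXE",
     "FolderPath": "c:\\windows\\SYSTEM32\\version.dll"},
    # another process loading a listed DLL from a temp dir -> out of scope
    {"DeviceName": "wks02", "InitiatingProcessFolderPath": "C:\\Windows\\System32\\svchost.exe",
     "FolderPath": "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll"},
]
```

Only the second record survives: the DLL name is on the list, the loader is arubanetsvc.exe, and the load path is the service's own directory rather than an OS directory, which is exactly the search-order condition the rule is looking for.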
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that dynamically loads a DLL as part of routine system maintenance.
Filter/Exclusion: process.name == "schtasks.exe" or process.parent.name == "TaskScheduler"
Scenario: Admin-Initiated DLL Replacement for Patching
Description: An administrator manually replaces a DLL in the system path as part of a patching or update process.
Filter/Exclusion: process.name == "cmd.exe" AND user.name == "Administrator" or process.parent.name == "explorer.exe"
Scenario: Aruba Network Service Configuration Update
Description: A system administrator updates the Aruba Network Service configuration, which may involve loading a new DLL as part of the service update.
Filter/Exclusion: process.name == "arubaconfig.exe" or process.parent.name == "services.exe"
Scenario: PowerShell Script for Network Configuration
Description: A PowerShell script is used to configure network settings, which may load a DLL dynamically during execution.
Filter/Exclusion: process.name == "powershell.exe" AND script.file == "network_config.ps1"
Scenario: Third-Party Tool Integration with Aruba Service
Description: A third-party tool (e.g., Wireshark, NetMon) is integrated with the Aruba Network Service, which may involve dynamic DLL loading.
Filter/Exclusion: process.name == "wireshark.exe" or process.name == "netmon.exe"