Dynamic DLL (Malicious)

Hunt Hypothesis

The detection identifies the loading of dynamic DLLs, which may indicate adversarial attempts to execute malicious code through in-memory execution or evasion techniques. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise or persistence mechanisms that evade traditional signature-based detection.

YARA Rule

rule Intel_Virtualization_Wizard_dll {
  meta:
    author = "[email protected]"
    description = "Dynamic DLL (Malicious)"

    file_1_seen = "2013-05-21"
    file_1_sha256 = "485ae043b6a5758789f1d33766a26d8b45b9fde09cde0512aa32d4bd1ee04f28"

  strings:
    $a = {48 3A 5C 46 61 73 74 5C 50 6C 75 67 28 68 6B 63 6D 64 29 5C}
    $b = {64 6C 6C 5C 52 65 6C 65 61 73 65 5C 48 69 6A 61 63 6B 44 6C 6C 2E 70 64 62}

  condition:
    ($a and $b) and Intel_Virtualization_Wizard_exe
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 2 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: A system administrator is using Process Monitor to debug a legitimate application that dynamically loads DLLs.
  Filter/Exclusion: Exclude processes associated with procmon.exe or ProcessMonitor.exe.

• Scenario: A scheduled job runs PowerShell scripts that use Add-Type to dynamically load DLLs for automation purposes.
  Filter/Exclusion: Exclude processes with powershell.exe where the command line includes -Command or -File with known automation scripts.

• Scenario: A Windows Update or Group Policy client service dynamically loads DLLs as part of its normal operation.
  Filter/Exclusion: Exclude processes with wuauclt.exe, gupdate.exe, or gpsvc.exe.

• Scenario: A developer is using Visual Studio to debug an application that dynamically loads DLLs during runtime.
  Filter/Exclusion: Exclude processes with devenv.exe or VisualStudio.exe running in debug mode.

• Scenario: A Windows Service or Task Scheduler job is configured to load a DLL for custom functionality, such as logging or data processing.
  Filter/Exclusion: Exclude processes associated with known service names (e.g., MyService.exe) or tasks with specific scheduled names.