The Dynamic DLL abuse executable rule detects adversaries leveraging dynamically loaded DLLs to execute arbitrary code, potentially bypassing standard application whitelisting. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential code injection or persistence tactics that may evade traditional detection mechanisms.
YARA Rule
rule Intel_Virtualization_Wizard_exe {
    meta:
        author = "[email protected]"
        description = "Dynamic DLL abuse executable"
        file_1_seen = "2013-05-21"
        file_1_sha256 = "7787757ae851f4a162f46f794be1532ab78e1928185212bdab83b3106f28c708"
    strings:
        // Each hex pattern is a plain ASCII name; the decoded text is shown for reference.
        $a = {4C 6F 61 64 53 54 52 49 4E 47}                            // "LoadSTRING"
        $b = {49 6E 69 74 69 61 6C 69 7A 65 4B 65 79 48 6F 6F 6B}       // "InitializeKeyHook"
        $c = {46 69 6E 64 52 65 73 6F 75 72 63 65 73}                   // "FindResources"
        $d = {4C 6F 61 64 53 54 52 49 4E 47 46 72 6F 6D 48 4B 43 55}    // "LoadSTRINGFromHKCU"
        $e = {68 63 63 75 74 69 6C 73 2E 44 4C 4C}                      // "hccutils.DLL"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
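To see exactly what the five hex patterns resolve to and how the "all of them" condition behaves, the following added Python example (not part of the original page or the rule author's tooling) decodes the patterns and evaluates the condition against two constructed sample buffers, using only the standard library rather than yara-python.

```python
# Added example (not from the original page): reproduce the rule's matching
# logic in pure Python so the hex patterns can be decoded to ASCII and the
# "all of them" condition checked against sample buffers without yara-python.
from __future__ import annotations

# Hex patterns copied verbatim from the YARA rule above.
RULE_PATTERNS = {
    "$a": "4C 6F 61 64 53 54 52 49 4E 47",
    "$b": "49 6E 69 74 69 61 6C 69 7A 65 4B 65 79 48 6F 6F 6B",
    "$c": "46 69 6E 64 52 65 73 6F 75 72 63 65 73",
    "$d": "4C 6F 61 64 53 54 52 49 4E 47 46 72 6F 6D 48 4B 43 55",
    "$e": "68 63 63 75 74 69 6C 73 2E 44 4C 4C",
}


def hex_pattern_to_bytes(pattern: str) -> bytes:
    """Turn a YARA hex string such as '4C 6F 61 64' into raw bytes."""
    return bytes.fromhex(pattern.replace(" ", ""))


def decode_patterns(patterns: dict[str, str] = RULE_PATTERNS) -> dict[str, str]:
    """Render each hex pattern as ASCII; useful when tuning or documenting the rule."""
    return {name: hex_pattern_to_bytes(p).decode("ascii") for name, p in patterns.items()}


def match_rule(data: bytes, patterns: dict[str, str] = RULE_PATTERNS) -> dict:
    """Evaluate the rule: per-pattern hits plus the 'all of them' verdict."""
    hits = {name: hex_pattern_to_bytes(p) in data for name, p in patterns.items()}
    return {"hits": hits, "matched": all(hits.values())}


# Constructed sample buffers (not real files). The first contains every name
# the rule looks for; the second lacks $d, so the "all of them" condition fails.
SAMPLE_FULL = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"hccutils.DLL\x00LoadSTRING\x00LoadSTRINGFromHKCU\x00"
    + b"InitializeKeyHook\x00FindResources\x00"
)
SAMPLE_PARTIAL = SAMPLE_FULL.replace(b"LoadSTRINGFromHKCU", b"LoadSTRINGFromHKLM")


if __name__ == "__main__":
    for name, text in decode_patterns().items():
        print(f"{name} = {text!r}")
    print("full sample matched:", match_rule(SAMPLE_FULL)["matched"])
    print("partial sample matched:", match_rule(SAMPLE_PARTIAL)["matched"])
```

Because the patterns are plain function and module names, a file that carries only four of the five (as in the second buffer) is not flagged, which is worth remembering when tuning exclusions.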
Scenario: Scheduled System Maintenance Task Using a Legitimate DLL
Description: A scheduled task runs a legitimate system maintenance script that dynamically loads a trusted DLL (e.g., msvcrt.dll or kernel32.dll) as part of its normal operation.
Filter/Exclusion: Check the process name and parent process. Exclude processes from Task Scheduler or schtasks.exe, and verify the DLL is a known system DLL.
Scenario: Admin Using Process Monitor to Analyze DLL Load Behavior
Description: A system administrator is using Process Monitor (ProcMon) to investigate DLL load behavior during a troubleshooting session. The tool dynamically loads various DLLs as part of its operation.
Filter/Exclusion: Exclude processes with procmon.exe or ProcMon.exe in the process name, and filter out known legitimate DLLs used by the tool.
Scenario: PowerShell Script Loading a Trusted DLL for Functionality
Description: A PowerShell script (e.g., Invoke-Command or Add-Type) is used to load a trusted DLL (e.g., System.Data.dll) to perform a legitimate function like database operations.
Filter/Exclusion: Exclude processes with powershell.exe or pwsh.exe, and filter out DLLs that are part of the .NET framework or other trusted libraries.
Scenario: Antivirus or Endpoint Protection Tool Performing DLL Injection
Description: An endpoint protection tool (e.g., Microsoft Defender or CrowdStrike Falcon) uses dynamic DLL injection to monitor processes or enforce security policies.
Filter/Exclusion: Exclude processes associated with known endpoint protection tools (e.g., MsMpEng.exe, falcon.exe, or mpsvc.exe).
Scenario: Custom Application Using Dynamic DLL Loading for Plugin Architecture
Description: A