The hypothesis is that an adversary is attempting to sideload a malicious Chrome Frame Helper DLL to execute arbitrary code under the guise of a legitimate browser component. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential DLL sideloading attacks that could compromise system integrity and escalate privileges.
Detection Rule
title: Potential Chrome Frame Helper DLL Sideloading
id: 72ca7c75-bf85-45cd-aca7-255d360e423c
status: test
description: Detects potential DLL sideloading of "chrome_frame_helper.dll"
references:
    - https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2023-05-15
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\chrome_frame_helper.dll'
    filter_main_path:
        ImageLoaded|startswith:
            - 'C:\Program Files\Google\Chrome\Application\'
            - 'C:\Program Files (x86)\Google\Chrome\Application\'
    filter_optional_user_path:
        ImageLoaded|contains: '\AppData\local\Google\Chrome\Application\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
Azure Sentinel Query (KQL)
DeviceImageLoadEvents
| where FolderPath endswith "\\chrome_frame_helper.dll"
    and not (FolderPath startswith "C:\\Program Files\\Google\\Chrome\\Application\\"
          or FolderPath startswith "C:\\Program Files (x86)\\Google\\Chrome\\Application\\")
    and not (FolderPath contains "\\AppData\\local\\Google\\Chrome\\Application\\")
Scenario: System Update or Patch Installation
Description: A legitimate system update or patch may include the deployment of the Chrome Frame Helper DLL as part of a Windows update or Microsoft patch.
Filter/Exclusion: Check the EventID or Source field for Microsoft Update or Windows Update services. Exclude events where the source is Microsoft Update or Windows Update.
Scenario: Scheduled Job Deployment of Chrome Frame
Description: An enterprise may use a scheduled job to deploy or update Chrome Frame as part of a browser compatibility strategy.
Filter/Exclusion: Filter by the ProcessName field to exclude processes associated with scheduled tasks (e.g., schtasks.exe or Task Scheduler). Include a filter for known enterprise deployment tools like Group Policy or Microsoft Endpoint Configuration Manager.
Scenario: Admin Task to Configure Browser Settings
Description: An administrator might manually configure browser settings or install Chrome Frame as part of a browser compatibility policy.
Filter/Exclusion: Filter by the User field to exclude administrative accounts (e.g., Administrator or Domain Admins). Also, check the ProcessName for administrative tools like gpedit.msc or regedit.exe.
Scenario: Third-Party Application Dependency
Description: Some third-party applications or enterprise software may depend on the Chrome Frame Helper DLL for compatibility with older web technologies.
Filter/Exclusion: Check the ProcessName field for known third-party applications (e.g., Adobe Reader, Microsoft Office, or Citrix). Exclude events where the process is associated with such applications.
Scenario: Malware Analysis or Sandbox Environment
Description: In a malware analysis or sandbox environment, the Chrome Frame Helper DLL might be loaded as part of testing or analysis of a malicious payload.
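The following is an added worked example, not code from the page's rule, its Sentinel query, or the Sigma or hijacklibs projects. It evaluates the rule's path logic (selection, filter_main_path, filter_optional_user_path) against constructed image-load records and then applies a loader-process allow-list as one concrete form of the scenario exclusions above. Everything in the sample telemetry is constructed: the user names, the version folder, and the "ExampleDeployTool" path are placeholders, and the allow-list is something an organisation would populate from its own baseline. The example keys the exclusion on the loading process rather than on the user account, so that a DLL staged by a known deployment tool is suppressed while an interactive administrator session still produces a hit.

```python
"""
Added example: evaluate the Chrome Frame Helper sideloading rule logic
against constructed image-load events and apply a loader allow-list.
Not part of the page's Sigma rule, its KQL query, or any project's code.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Locations the rule treats as expected for the DLL
# (filter_main_path and filter_optional_user_path).
EXPECTED_INSTALL_PREFIXES = (
    "C:\\Program Files\\Google\\Chrome\\Application\\",
    "C:\\Program Files (x86)\\Google\\Chrome\\Application\\",
)
EXPECTED_USER_INSTALL_FRAGMENT = "\\AppData\\Local\\Google\\Chrome\\Application\\"
TARGET_DLL_SUFFIX = "\\chrome_frame_helper.dll"


@dataclass(frozen=True)
class ImageLoadEvent:
    """Subset of a Sysmon Event ID 7 / DeviceImageLoadEvents record."""
    image_loaded: str   # full path of the DLL that was mapped
    image: str          # full path of the process that loaded it
    user: str


def matches_rule(image_loaded: str) -> bool:
    """True when the path satisfies: selection and not filter_main_path
    and not filter_optional_user_path. Sigma's endswith/startswith/contains
    and their KQL counterparts are case-insensitive, so both sides are
    lower-cased before comparing."""
    path = image_loaded.lower()
    if not path.endswith(TARGET_DLL_SUFFIX):
        return False                                   # selection fails
    if any(path.startswith(p.lower()) for p in EXPECTED_INSTALL_PREFIXES):
        return False                                   # filter_main_path
    if EXPECTED_USER_INSTALL_FRAGMENT.lower() in path:
        return False                                   # filter_optional_user_path
    return True


def hunt(events: Iterable[ImageLoadEvent],
         excluded_loaders: FrozenSet[str] = frozenset()) -> List[ImageLoadEvent]:
    """Apply the rule, then drop hits whose loading process (lower-cased
    full path) is on the allow-list of known deployment tooling. Keying the
    exclusion on the loader, not the user account, keeps admin-driven loads
    from unexpected paths visible."""
    return [
        ev for ev in events
        if matches_rule(ev.image_loaded) and ev.image.lower() not in excluded_loaders
    ]


# Constructed sample telemetry; no path, user or tool here is a real observation.
SAMPLE_EVENTS = [
    ImageLoadEvent(  # expected machine-wide install: filtered out
        "C:\\Program Files\\Google\\Chrome\\Application\\1.0.0.0\\chrome_frame_helper.dll",
        "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CORP\\alice"),
    ImageLoadEvent(  # expected per-user install: filtered out
        "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\Application\\chrome_frame_helper.dll",
        "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe", "CORP\\alice"),
    ImageLoadEvent(  # same folder, different DLL: never selected
        "C:\\Users\\alice\\AppData\\Local\\Temp\\other.dll",
        "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "CORP\\alice"),
    ImageLoadEvent(  # DLL mapped from a user-writable temp folder: hit
        "C:\\Users\\alice\\AppData\\Local\\Temp\\chrome_frame_helper.dll",
        "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "CORP\\alice"),
    ImageLoadEvent(  # hypothetical deployment tool staging the DLL: hit until allow-listed
        "C:\\ProgramData\\ExampleDeployTool\\cache\\chrome_frame_helper.dll",
        "C:\\ProgramData\\ExampleDeployTool\\deploy.exe", "NT AUTHORITY\\SYSTEM"),
]

# Placeholder allow-list; a real one comes from the organisation's own baseline.
KNOWN_DEPLOYMENT_LOADERS = frozenset({"c:\\programdata\\exampledeploytool\\deploy.exe"})


if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS, KNOWN_DEPLOYMENT_LOADERS):
        print(f"HIT  {ev.user:<20} {ev.image} -> {ev.image_loaded}")
```

Run as a script it prints only the temp-folder load; the deployment-tool load is suppressed by the allow-list. The same tuning in the Sentinel query above would be a further `and not (...)` clause on the initiating-process columns of DeviceImageLoadEvents, and should be kept narrow: each excluded loader path is a location the rule will never look at again.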