Adversaries may use DLL sideloading to run malicious code inside a legitimate, usually signed, process by planting a file named DbgModel.dll where a vulnerable application will load it before the genuine copy in System32. DbgModel.dll is the Windows debugger data model library and is listed on hijacklibs.net as a hijackable built-in DLL, so any load of it from outside the Windows system directories and the known debugger install locations is worth a look. SOC teams can hunt for this with the Sigma rule and the equivalent KQL query below (the query runs in Microsoft Sentinel, formerly Azure Sentinel, or in Defender Advanced Hunting, since it uses the DeviceImageLoadEvents table) to catch persistence, privilege escalation and defense evasion via T1574.001 early.
Detection Rule
title: Potential DLL Sideloading Of DbgModel.DLL
id: fef394cd-f44d-4040-9b18-95d92fe278c0
status: test
description: Detects potential DLL sideloading of "DbgModel.dll"
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html
author: Gary Lobermier
date: 2024-07-11
modified: 2024-07-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-evasion
    - attack.t1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith: '\dbgmodel.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    filter_optional_windbg:
        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\Microsoft.WinDbg_'
    filter_optional_windows_kits:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\Windows Kits\'
            - 'C:\Program Files\Windows Kits\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate applications loading their own versions of the DLL mentioned in this rule
level: medium
// KQL equivalent for Microsoft Sentinel / Defender Advanced Hunting.
// endswith and startswith are case-insensitive, matching Sigma's default.
DeviceImageLoadEvents
| where FolderPath endswith "\\dbgmodel.dll"
// filter_main_generic: the OS copies
| where not (FolderPath startswith "C:\\Windows\\System32\\"
    or FolderPath startswith "C:\\Windows\\SysWOW64\\"
    or FolderPath startswith "C:\\Windows\\WinSxS\\")
// filter_optional_*: Store WinDbg and the Windows SDK / Debugging Tools
| where not (FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.WinDbg_"
    or FolderPath startswith "C:\\Program Files (x86)\\Windows Kits\\"
    or FolderPath startswith "C:\\Program Files\\Windows Kits\\")
Scenario: Debugging with Visual Studio
Description: A developer debugs an application in Visual Studio, which runs as devenv.exe (there is no VisualStudio.exe process) and uses Microsoft's debugger components, so it may load DbgModel.dll as part of a debugging session.
Filter/Exclusion: Do not exclude on the process name alone. Sideloading means the DLL is loaded by a legitimate process, so an exclusion for devenv.exe would also hide a planted copy. Exclude by the DLL's full FolderPath under the Visual Studio install directory (add that prefix as another filter_optional_* entry) and confirm the file is Microsoft-signed; membership of the user in a developers group is only a secondary signal for triage.
Scenario: Scheduled Job for Crash-Dump or Log Analysis
Description: A scheduled task runs an analysis tool that depends on the debugger data model, for example a script that drives a command-line debugger to triage crash dumps.
Filter/Exclusion: Exclude by the task's known InitiatingProcessCommandLine together with the DLL's full load path, not by product name. ELK, Splunk and LogParser are not known to ship or load DbgModel.dll, so an exclusion built around those names would not remove real noise; a task that loads the DLL from a temp, profile or share path should still alert.
Scenario: System Update or Patching
Description: Update and deployment tooling (Windows Update, SCCM/ConfigMgr, Chocolatey) can write or replace DbgModel.dll, for example when servicing the OS copy or installing the Windows SDK or WinDbg.
Filter/Exclusion: Those copies land in System32, WinSxS, the WindowsApps WinDbg package or the Windows Kits directory, all of which filter_main_* and filter_optional_* already exclude, so no update-specific exclusion is normally needed. Avoid a blanket exclusion for wusa.exe, setup.exe or choco.exe: setup.exe is a generic name any installer or attacker can use, and an updater loading DbgModel.dll from a non-system path is exactly the event the rule should surface. If a specific package is known to stage the DLL elsewhere, exclude that path.
Scenario: Administrative Tool Usage
Description: An admin inspects processes with Process Explorer or Process Monitor. These Sysinternals tools resolve symbols through dbghelp.dll and symsrv.dll from a debugging-tools path configured in the tool, so a load of DbgModel.dll by them is not expected.
Filter/Exclusion: Rather than excluding procexp.exe or procmon.exe by name, look at where the DLL came from. A load from the Windows Kits debugger directory is already excluded; a load from the tool's own folder or from a user-writable directory should be investigated, not tuned out.
Scenario: Third-Party Application Dependency
Description: A legitimate third-party debugging or analysis tool may ship its own copy of DbgModel.dll in its install directory. Wireshark, Fiddler and Process Hacker are not known to depend on it, so loads attributed to those tools should be treated as unexpected rather than assumed benign. To distinguish a vendor copy from a planted one, join DeviceImageLoadEvents to DeviceFileCertificateInfo on SHA1 and exclude only copies whose Signer is Microsoft and IsTrusted is true, or pin the known-good hash.
Filter/Exclusion: Filter by application name or check
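The following is an added example, not code from the original page or from the Sigma rule's author: it replays the rule's selection and filter logic over constructed DeviceImageLoadEvents-style records and then contrasts the two tuning approaches discussed in the scenarios above, excluding by initiating process name versus excluding by load path plus known-good hash. Field names follow the Defender Advanced Hunting schema; every event, path, process name and hash in the block is constructed for illustration.

```python
# Added example (not part of the page or the Sigma rule). Replays the rule's
# logic over constructed DeviceImageLoadEvents-style rows and shows why
# process-name tuning hides a sideload that path+hash tuning still surfaces.

# Prefixes copied from the rule's filter_main_* and filter_optional_* blocks.
FILTER_MAIN = (
    "C:\\Windows\\System32\\",
    "C:\\Windows\\SysWOW64\\",
    "C:\\Windows\\WinSxS\\",
)
FILTER_OPTIONAL = (
    "C:\\Program Files\\WindowsApps\\Microsoft.WinDbg_",
    "C:\\Program Files (x86)\\Windows Kits\\",
    "C:\\Program Files\\Windows Kits\\",
)

# Constructed sample rows, not real telemetry. Hashes and the WinDbg package
# version are placeholders; "ExampleDebugTool" is a hypothetical vendor tool.
SAMPLE_EVENTS = [
    {"FolderPath": "C:\\Windows\\System32\\dbgmodel.dll",
     "InitiatingProcessFileName": "svchost.exe", "SHA256": "hash-os-copy"},
    {"FolderPath": "C:\\WINDOWS\\SysWOW64\\DbgModel.DLL",  # case variant of an OS copy
     "InitiatingProcessFileName": "example32.exe", "SHA256": "hash-os-copy"},
    {"FolderPath": "C:\\Program Files\\WindowsApps\\Microsoft.WinDbg_1.0.0.0_x64__8wekyb3d8bbwe\\dbgmodel.dll",
     "InitiatingProcessFileName": "DbgX.Shell.exe", "SHA256": "hash-windbg"},
    {"FolderPath": "C:\\Program Files\\ExampleDebugTool\\dbgmodel.dll",  # vendor ships own copy
     "InitiatingProcessFileName": "exampletool.exe", "SHA256": "hash-vendor-copy"},
    {"FolderPath": "C:\\Users\\alice\\Downloads\\dbgmodel.dll",  # sideload candidate
     "InitiatingProcessFileName": "exampletool.exe", "SHA256": "hash-unknown"},
    {"FolderPath": "C:\\Windows\\System32\\dbghelp.dll",  # different DLL, never selected
     "InitiatingProcessFileName": "procexp64.exe", "SHA256": "hash-dbghelp"},
]


def matches_rule(event: dict) -> bool:
    """selection and not 1 of filter_main_* and not 1 of filter_optional_*.
    Sigma string modifiers and KQL endswith/startswith are case-insensitive,
    so everything is compared lower-cased."""
    path = event["FolderPath"].lower()
    if not path.endswith("\\dbgmodel.dll"):
        return False
    return not any(path.startswith(p.lower()) for p in FILTER_MAIN + FILTER_OPTIONAL)


def run_rule(events: list) -> list:
    """Return the rows the rule would alert on."""
    return [e for e in events if matches_rule(e)]


def tune_by_process_name(hits: list, allowed_processes: set) -> list:
    """Weak tuning: drop hits whose initiating process is allowlisted.
    This also drops the sideload, because the planted DLL is loaded by the
    very same legitimate process the allowlist names."""
    allowed = {p.lower() for p in allowed_processes}
    return [e for e in hits if e["InitiatingProcessFileName"].lower() not in allowed]


def tune_by_path_and_hash(hits: list, allowlist: dict) -> list:
    """Preferred tuning: drop a hit only when the DLL was loaded from a known
    install directory AND its SHA256 is a known-good copy for that directory.
    A DLL in Downloads, Temp or a share never matches, whatever loaded it, and
    a tampered copy in the right directory fails the hash check."""
    def is_known_good(e: dict) -> bool:
        path = e["FolderPath"].lower()
        return any(path.startswith(prefix.lower()) and e["SHA256"] in hashes
                   for prefix, hashes in allowlist.items())
    return [e for e in hits if not is_known_good(e)]


if __name__ == "__main__":
    hits = run_rule(SAMPLE_EVENTS)
    print("rule hits:", [e["FolderPath"] for e in hits])
    print("after process-name tuning:",
          [e["FolderPath"] for e in tune_by_process_name(hits, {"exampletool.exe"})])
    vendor_allowlist = {"C:\\Program Files\\ExampleDebugTool\\": {"hash-vendor-copy"}}
    print("after path+hash tuning:",
          [e["FolderPath"] for e in tune_by_path_and_hash(hits, vendor_allowlist)])
```

Run as written, the rule fires on the vendor copy and on the Downloads copy only; excluding exampletool.exe by name silences both, whereas the path-and-hash allowlist keeps the Downloads load (and would also keep a modified file in the vendor directory). The same shape translates directly to the KQL: add a startswith prefix for the vendor directory and join on SHA1 or SHA256 to DeviceFileCertificateInfo or to a known-good hash watchlist, rather than adding an InitiatingProcessFileName exclusion.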