The hypothesis is that an adversary is attempting to sideload a malicious version of Libcurl.DLL via GUP.EXE to execute arbitrary code with elevated privileges. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential DLL sideloading attacks that could compromise system integrity and escalate privileges.
Detection Rule
```yaml
title: Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
id: e49b5745-1064-4ac1-9a2e-f687bc2dd37e
status: test
description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\gup.exe'
        ImageLoaded|endswith: '\libcurl.dll'
    filter_main_notepad_plusplus:
        Image|endswith: '\Notepad++\updater\GUP.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
```
```kql
DeviceImageLoadEvents
| where (InitiatingProcessFolderPath endswith "\\gup.exe" and FolderPath endswith "\\libcurl.dll") and (not(InitiatingProcessFolderPath endswith "\\Notepad++\\updater\\GUP.exe"))
```
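To see exactly which image-load events the rule above alerts on, here is an added example (not part of the original page or of the Sigma project) that evaluates the rule's detection logic in Python over constructed Sysmon-style image_load events. It reproduces Sigma's default case-insensitive string matching and the `selection and not 1 of filter_main_*` condition; the sample paths are made up for illustration.

```python
# Detection section transcribed from the Sigma rule above.
RULE_DETECTION = {
    "selection": {
        "Image|endswith": r"\gup.exe",
        "ImageLoaded|endswith": r"\libcurl.dll",
    },
    "filter_main_notepad_plusplus": {
        "Image|endswith": r"\Notepad++\updater\GUP.exe",
    },
}

def _field_matches(event, key, expected):
    """Apply one 'Field|modifier: value' clause; Sigma compares case-insensitively."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    expected = expected.lower()
    if modifier == "endswith":
        return actual.endswith(expected)
    return actual == expected

def _map_matches(event, clauses):
    """All clauses inside one named map are ANDed."""
    return all(_field_matches(event, k, v) for k, v in clauses.items())

def rule_fires(event):
    """'selection and not 1 of filter_main_*': selection holds and no filter_main_* map matches."""
    if not _map_matches(event, RULE_DETECTION["selection"]):
        return False
    filters = [v for k, v in RULE_DETECTION.items() if k.startswith("filter_main_")]
    return not any(_map_matches(event, f) for f in filters)

def hunt(events):
    """Return the Image path of every event the rule would alert on."""
    return [e["Image"] for e in events if rule_fires(e)]

# Constructed image_load events (Sysmon Event ID 7 field names); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Notepad++\updater\GUP.exe",   # expected location: filtered out
     "ImageLoaded": r"C:\Program Files\Notepad++\updater\libcurl.dll"},
    {"Image": r"C:\Users\Public\gup.exe",                      # uncommon location: alert
     "ImageLoaded": r"C:\Users\Public\libcurl.dll"},
    {"Image": r"C:\Users\Public\gup.exe",                      # different DLL: no alert
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))  # ['C:\\Users\\Public\\gup.exe']
```

Note that the only exclusion is the exact Notepad++ updater path, so a copy of gup.exe anywhere else loading libcurl.dll will alert; any further exclusions from the scenarios below should be added as additional `filter_main_*` maps rather than by loosening the selection.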
**Scenario: Legitimate System Update via Windows Update**
Description: A system update process may temporarily load libcurl.dll as part of a patch or service update.
Filter/Exclusion: Check the process tree for svchost.exe or wuauserv.exe and exclude processes with ImageFileName containing “Windows Update” or “wuau”.

**Scenario: Scheduled Job Using GUP.EXE for Data Collection**
Description: A scheduled job running GUP.EXE (e.g., for log collection or monitoring) might load libcurl.dll as part of its data transfer functionality.
Filter/Exclusion: Exclude processes where CommandLine contains /datacollect or /log and verify the job is managed by a known SIEM or log management tool (e.g., Splunk, ELK).

**Scenario: Admin Task Using GUP.EXE for Network Monitoring**
Description: An administrator may use GUP.EXE to monitor network traffic, which could involve loading libcurl.dll for HTTP-based data retrieval.
Filter/Exclusion: Exclude processes initiated by taskmgr.exe or cmd.exe with a known admin task name (e.g., “Network Monitor Tool”) and verify the process is part of a documented monitoring tool.

**Scenario: Third-Party Tool Integration with GUP.EXE**
Description: A third-party application (e.g., a security tool or configuration manager) may use GUP.EXE to communicate with a remote server, potentially loading libcurl.dll.
Filter/Exclusion: Exclude processes where the parent process is a known third-party tool (e.g., ConfigMgr.exe, Symantec Endpoint Protection.exe) and verify the tool is signed by a trusted vendor.
**Scenario: Malicious DLL Load via G