Adversaries may sideload a malicious comctl32.dll through a .local DLL-redirection directory placed beside a privileged system binary (for example consent.exe or logonUI.exe) to escalate privileges and maintain persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential privilege escalation attempts.
Detection Rule
title: Potential DLL Sideloading Via comctl32.dll
id: 6360757a-d460-456c-8b13-74cf0e60cceb
status: test
description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges
references:
    - https://github.com/binderlabs/DirCreate2System
    - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)
date: 2022-12-16
modified: 2022-12-19
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\logonUI.exe.local\'
            - 'C:\Windows\System32\werFault.exe.local\'
            - 'C:\Windows\System32\consent.exe.local\'
            - 'C:\Windows\System32\narrator.exe.local\'
            - 'C:\windows\system32\wermgr.exe.local\'
        ImageLoaded|endswith: '\comctl32.dll'
    condition: selection
falsepositives:
    - Unlikely
level: high
Sentinel Query (KQL)
DeviceImageLoadEvents
| where (FolderPath startswith "C:\\Windows\\System32\\logonUI.exe.local\\"
        or FolderPath startswith "C:\\Windows\\System32\\werFault.exe.local\\"
        or FolderPath startswith "C:\\Windows\\System32\\consent.exe.local\\"
        or FolderPath startswith "C:\\Windows\\System32\\narrator.exe.local\\"
        or FolderPath startswith "C:\\windows\\system32\\wermgr.exe.local\\")
    and FolderPath endswith "\\comctl32.dll"
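As an added example (not part of the Sigma rule, the SigmaHQ project, or the query above), the following Python emulates the rule's selection over constructed DeviceImageLoadEvents rows and renders that same selection as the KQL shown above; the ImageLoadEvent fields and the sample paths are assumptions.

```python
from dataclasses import dataclass

# Selection copied from the Sigma rule: DotLocal redirection directories beside
# privileged system binaries, combined with the comctl32.dll file name.
DOTLOCAL_PREFIXES = [
    "C:\\Windows\\System32\\logonUI.exe.local\\",
    "C:\\Windows\\System32\\werFault.exe.local\\",
    "C:\\Windows\\System32\\consent.exe.local\\",
    "C:\\Windows\\System32\\narrator.exe.local\\",
    "C:\\windows\\system32\\wermgr.exe.local\\",
]
TARGET_SUFFIX = "\\comctl32.dll"


@dataclass
class ImageLoadEvent:          # assumed subset of DeviceImageLoadEvents columns
    device_name: str
    initiating_process: str
    folder_path: str           # full path of the loaded DLL (FolderPath)


def matches_rule(folder_path: str) -> bool:
    """Sigma string modifiers and KQL startswith/endswith are case-insensitive,
    so the mixed-case wermgr entry in the rule behaves like the others."""
    p = folder_path.lower()
    return p.endswith(TARGET_SUFFIX.lower()) and any(
        p.startswith(prefix.lower()) for prefix in DOTLOCAL_PREFIXES)


def hunt(events):
    """Return the events the rule would surface."""
    return [e for e in events if matches_rule(e.folder_path)]


def to_kql(prefixes=DOTLOCAL_PREFIXES, suffix=TARGET_SUFFIX) -> str:
    """Render the selection as KQL; backslashes are doubled for KQL literals."""
    esc = lambda s: s.replace("\\", "\\\\")
    clauses = " or ".join(f'FolderPath startswith "{esc(p)}"' for p in prefixes)
    return f'DeviceImageLoadEvents\n| where ({clauses}) and FolderPath endswith "{esc(suffix)}"'


# Constructed telemetry: one redirection hit, two legitimate comctl32.dll loads.
SAMPLE_EVENTS = [
    ImageLoadEvent("ws01", "consent.exe", "C:\\Windows\\System32\\consent.exe.local\\comctl32.dll"),
    ImageLoadEvent("ws01", "consent.exe", "C:\\Windows\\System32\\comctl32.dll"),
    ImageLoadEvent("ws02", "explorer.exe", "C:\\Windows\\WinSxS\\<constructed-sxs-dir>\\comctl32.dll"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"ALERT {hit.device_name}: {hit.initiating_process} loaded {hit.folder_path}")
    print(to_kql())
```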
False Positive Scenarios and Filters

Scenario: System update or patching process using Microsoft's msiexec.exe to install updates that include comctl32.dll
Filter/Exclusion: Check the parent process or command line for msiexec.exe with update-related arguments (e.g., /package or /update)

Scenario: Scheduled task running a legitimate script or application that dynamically loads comctl32.dll via LoadLibrary
Filter/Exclusion: Exclude processes associated with known scheduled tasks (e.g., schtasks.exe or the Task Scheduler service), or check for the presence of a valid script path in the command line

Scenario: Administrative task such as using regsvr32.exe to register a COM DLL that references comctl32.dll
Filter/Exclusion: Filter processes whose parent is explorer.exe or cmd.exe and whose command line includes regsvr32.exe with a valid DLL path

Scenario: Use of a legitimate tool such as Process Monitor (Procmon.exe) that loads comctl32.dll during operation
Filter/Exclusion: Exclude processes with Procmon.exe or Process Monitor in the process name, or check for known monitoring tool signatures

Scenario: Enterprise application deployment using msiexec.exe or setup.exe that includes comctl32.dll as part of a legitimate installation package
Filter/Exclusion: Exclude processes belonging to known enterprise deployment tools (e.g., msiexec.exe, setup.exe, or InstallShield) and verify that the DLL's source is trusted and part of the deployment package