The hypothesis is that an adversary is leveraging the JsSchHlp library from the JUSTSYSTEMS Japanese word processor to load malicious DLLs, bypassing standard code integrity controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential DLL sideloading attacks that could lead to code execution and lateral movement.
Detection Rule
title: Potential DLL Sideloading Via JsSchHlp
id: 68654bf0-4412-43d5-bfe8-5eaa393cd939
status: test
description: Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
references:
- https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/
- http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp
author: frack113
date: 2022-12-14
tags:
- attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\JSESPR.dll'
filter:
ImageLoaded|startswith: 'C:\Program Files\Common Files\Justsystem\JsSchHlp\'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
DeviceImageLoadEvents
| where FolderPath endswith "\\JSESPR.dll" and (not(FolderPath startswith "C:\\Program Files\\Common Files\\Justsystem\\JsSchHlp\\"))Scenario: Scheduled Job Running Word Processor for Report Generation
Description: A legitimate scheduled job uses the Japanese word processor to generate reports from templates.
Filter/Exclusion: process.name != "jschhlp.exe" or process.parent.name != "schtasks.exe"
Scenario: Admin Task to Update Word Processor Plugin
Description: An administrator is updating a plugin for the Japanese word processor via a script or command line.
Filter/Exclusion: process.name != "jschhlp.exe" or user.name != "Administrator"
Scenario: User Launching Word Processor via Shortcut for Document Editing
Description: A user opens the Japanese word processor via a desktop shortcut to edit a document.
Filter/Exclusion: process.name != "jschhlp.exe" or process.parent.name != "explorer.exe"
Scenario: System Maintenance Task Using Word Processor for Data Conversion
Description: A system maintenance task uses the Japanese word processor to convert document formats during a backup process.
Filter/Exclusion: process.name != "jschhlp.exe" or process.parent.name != "taskeng.exe"
Scenario: Legitimate DLL Load via Word Processor for Compatibility
Description: A legitimate DLL is loaded by the Japanese word processor to maintain compatibility with older applications.
Filter/Exclusion: process.name != "jschhlp.exe" or dll.name != "legitimate_dll.dll"