Adversaries may abuse edputil.dll, a legitimate Windows library, by planting a malicious copy where a trusted application will load it in place of the genuine one (DLL sideloading), so their code runs inside a legitimate process and slips past standard security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate sideloading attempts that could otherwise lead to persistent, stealthy malware execution.
Detection Rule
```yaml
title: Potential Edputil.DLL Sideloading
id: e4903324-1a10-4ed3-981b-f6fe3be3a2c2
status: test
description: Detects potential DLL sideloading of "edputil.dll"
references:
    - https://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/
author: X__Junior (Nextron Systems)
date: 2023-06-09
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\edputil.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'   # side-by-side store; the drive colon is required or this prefix never matches
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
```
Equivalent advanced hunting query over the DeviceImageLoadEvents table (Microsoft Defender data in Azure Sentinel); string comparisons in KQL `endswith`/`startswith` are case-insensitive, matching the Sigma modifiers:

```kql
DeviceImageLoadEvents
| where FolderPath endswith "\\edputil.dll"
| where not (
    FolderPath startswith "C:\\Windows\\System32\\"
    or FolderPath startswith "C:\\Windows\\SysWOW64\\"
    or FolderPath startswith "C:\\Windows\\WinSxS\\"
)
```
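As an added illustration that is not part of the Sigma rule or the Sentinel query above, the following Python applies the same selection and trusted-directory filter to constructed image-load records shaped like Sysmon Event ID 7 / DeviceImageLoadEvents rows. It normalizes case and the Win32 `\\?\` long-path prefix before comparing, and adds a per-process allowlist as the kind of reviewed exclusion the false-positive scenarios below call for. Every path, process name and the "ExampleVendor" agent are constructed for the example.

```python
"""Toy re-implementation of the edputil.dll sideloading hunt over constructed
image-load records. Added example; not the rule's or the query's own code."""

from dataclasses import dataclass
from typing import Iterable

# Directories where the genuine edputil.dll is expected to live. Mirrors the
# rule's filter_main_generic; comparison is case-insensitive, as in KQL/Sigma.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)
TARGET_DLL = "\\edputil.dll"


@dataclass(frozen=True)
class ImageLoad:
    """One image-load record; field names follow the Sysmon EID 7 schema."""
    image: str          # process that loaded the module
    image_loaded: str   # full path of the loaded DLL
    process_id: int


def normalize(path: str) -> str:
    """Lower-case the path and drop the Win32 long-path prefix so that
    '\\\\?\\C:\\Windows\\...' compares equal to 'c:\\windows\\...'."""
    p = path.strip().lower()
    if p.startswith("\\\\?\\"):
        p = p[4:]
    return p


def is_sideload_candidate(image_loaded: str) -> bool:
    """The rule's `selection and not filter_main_generic` for one path."""
    p = normalize(image_loaded)
    if not p.endswith(TARGET_DLL):
        return False
    return not any(p.startswith(prefix) for prefix in TRUSTED_PREFIXES)


def hunt(events: Iterable[ImageLoad],
         allowed_loaders: Iterable[str] = ()) -> list[ImageLoad]:
    """Return the events that fire. `allowed_loaders` is a hypothetical tuning
    hook: full paths of loader processes whose edputil.dll loads have been
    reviewed and accepted in this environment."""
    allowed = {normalize(a) for a in allowed_loaders}
    return [e for e in events
            if is_sideload_candidate(e.image_loaded)
            and normalize(e.image) not in allowed]


# Constructed sample records for demonstration; not real telemetry.
SAMPLE_EVENTS = [
    ImageLoad("C:\\Windows\\System32\\svchost.exe",
              "C:\\Windows\\System32\\edputil.dll", 812),
    ImageLoad("C:\\Windows\\SysWOW64\\explorer.exe",
              "c:\\windows\\syswow64\\EDPUTIL.DLL", 1120),
    ImageLoad("C:\\Windows\\System32\\write.exe",
              "\\\\?\\C:\\Windows\\WinSxS\\amd64_example-component_10.0.0.0\\edputil.dll", 1300),
    ImageLoad("C:\\Users\\alice\\Downloads\\invoice\\write.exe",
              "C:\\Users\\alice\\Downloads\\invoice\\edputil.dll", 4412),
    ImageLoad("C:\\ProgramData\\ExampleVendor\\agent.exe",
              "C:\\ProgramData\\ExampleVendor\\edputil.dll", 2208),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"ALERT pid={hit.process_id} loader={hit.image} dll={hit.image_loaded}")
    # After reviewing the vendor agent, suppress only that loader.
    tuned = hunt(SAMPLE_EVENTS,
                 allowed_loaders=["C:\\ProgramData\\ExampleVendor\\agent.exe"])
    print(f"{len(tuned)} alert(s) remain after tuning")
```

Only the two loads from user-writable locations fire; the System32, SysWOW64 and WinSxS loads are suppressed regardless of letter case or the long-path prefix, and the allowlist removes the reviewed vendor agent without hiding the same DLL loaded from a Downloads folder.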
Scenario: System Update or Patching via Windows Update
Description: A legitimate system update may involve the use of edputil.dll during the installation of Windows updates or patches.
Filter/Exclusion: Check for the presence of msiexec.exe or wuauclt.exe in the process tree, or filter by the update log file paths (e.g., C:\Windows\WindowsUpdate.log).
Scenario: Scheduled Job Using edputil.dll for Configuration Management
Description: A scheduled task may use edputil.dll as part of a configuration management tool (e.g., Microsoft System Center Configuration Manager) to apply settings or deploy software.
Filter/Exclusion: Filter by the task name or path, such as C:\Windows\System32\config\regedit.exe or check for known configuration management tool paths.
Scenario: Administrative Tool Using edputil.dll for Network Configuration
Description: Tools like netsh or ipconfig may indirectly use edputil.dll during network configuration tasks, especially when interacting with system services.
Filter/Exclusion: Filter by the command line arguments or process name, such as netsh.exe or ipconfig.exe, and check for known network configuration paths.
Scenario: Antivirus or Security Software Integration
Description: Some security software may use edputil.dll as part of its integration with Windows system services or for policy enforcement.
Filter/Exclusion: Filter by the process name of the security software (e.g., mcafee.exe, bitdefender.exe, or avgnt.exe) or check for known security software directories.
Scenario: Custom Script or Tool for System Monitoring
Description: A custom script or internal tool may use `edputil