Adversaries may leverage DLL search order hijacking by dropping a malicious DLL into a per-user folder of a trusted application (OneDrive, Teams, Slack, VS Code) so that the application loads it the next time it starts. These folders live under the user's AppData directory, so no administrative rights are needed to write to them, and the malicious code then runs inside a signed, trusted process, bypassing controls that key on the process image alone. SOC teams should proactively hunt for this behavior in Azure Sentinel: the write of a DLL into such a folder by an unusual process (an Office application, a script host, cmd.exe or PowerShell) is a strong indicator of an initial access or persistence attempt that evades traditional detection mechanisms.
Detection Rule
title: Potential Initial Access via DLL Search Order Hijacking
id: dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c
status: test
description: Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc
    - https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-21
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1566
    - attack.t1566.001
    - attack.initial-access
    - attack.t1574
    - attack.t1574.001
    - attack.defense-evasion
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # add more processes when you find them
            - '\winword.exe'
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\MSACCESS.EXE'
            - '\MSPUB.EXE'
            - '\fltldr.exe'
            - '\cmd.exe'
            - '\certutil.exe'
            - '\mshta.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\curl.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith: '.dll'
        TargetFilename|contains|all:
            - '\Users\'
            - '\AppData\'
        TargetFilename|contains:
            # add more suspicious paths when you find them
            - '\Microsoft\OneDrive\'
            - '\Microsoft OneDrive\'
            - '\Microsoft\Teams\'
            - '\Local\slack\app-'
            - '\Local\Programs\Microsoft VS Code\'
    filter:
        Image|endswith: '\cmd.exe'
        TargetFilename|contains|all:
            - '\Users\'
            - '\AppData\'
            - '\Microsoft\OneDrive\'
            - '\api-ms-win-core-'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
Azure Sentinel (ASIM imFileEvent) translation of the rule:

imFileEvent
// Sigma's file_event category covers file creation; restrict to that so a delete or rename of the same DLL does not fire
| where EventType == "FileCreated"
// Image -> ActingProcessName (the process performing the write)
| where ActingProcessName endswith "\\winword.exe" or ActingProcessName endswith "\\excel.exe" or ActingProcessName endswith "\\powerpnt.exe" or ActingProcessName endswith "\\MSACCESS.EXE" or ActingProcessName endswith "\\MSPUB.EXE" or ActingProcessName endswith "\\fltldr.exe" or ActingProcessName endswith "\\cmd.exe" or ActingProcessName endswith "\\certutil.exe" or ActingProcessName endswith "\\mshta.exe" or ActingProcessName endswith "\\cscript.exe" or ActingProcessName endswith "\\wscript.exe" or ActingProcessName endswith "\\curl.exe" or ActingProcessName endswith "\\powershell.exe" or ActingProcessName endswith "\\pwsh.exe"
// TargetFilename -> TargetFilePath (full path of the file being written)
| where TargetFilePath endswith ".dll"
| where TargetFilePath contains "\\Users\\" and TargetFilePath contains "\\AppData\\"
| where TargetFilePath contains "\\Microsoft\\OneDrive\\" or TargetFilePath contains "\\Microsoft OneDrive\\" or TargetFilePath contains "\\Microsoft\\Teams\\" or TargetFilePath contains "\\Local\\slack\\app-" or TargetFilePath contains "\\Local\\Programs\\Microsoft VS Code\\"
// filter: cmd.exe placing api-ms-win-core-* forwarder stubs in the OneDrive folder is known benign noise
| where not(ActingProcessName endswith "\\cmd.exe" and TargetFilePath contains "\\Microsoft\\OneDrive\\" and TargetFilePath contains "\\api-ms-win-core-")

Check the field mapping before saving this as an analytics rule. In the ASIM FileEvent schema, TargetFileName holds only the file name without its path, so the \Users\ and \AppData\ checks must run against TargetFilePath, and the process that performs the write is ActingProcessName. A translation that tests the target file fields for both the process and the path condition can never match, because one path cannot end in both .exe and .dll. KQL's endswith and contains are case-insensitive by default, which matches Sigma's string-matching semantics.
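To check the rule's logic offline before deploying the KQL version, here is a Python re-implementation of its selection and filter conditions run over a handful of constructed Sysmon Event ID 11 (FileCreate) records. This is an added example, not code from the Sigma project or from the page: the field names Image and TargetFilename follow Sysmon, the sample events (user names, timestamps, the Slack app version folder, the DLL names) are made up for illustration, and the true and false positives are chosen to exercise each branch of the rule, including the api-ms-win-core exclusion and a machine-wide Program Files path that the rule deliberately ignores.

```python
# Added example: Python re-implementation of the Sigma rule's
# "selection and not filter" logic over constructed Sysmon Event ID 11 records.
# Not part of the rule or the page; all sample data below is constructed.

# Acting processes the rule treats as unusual writers of DLLs into app folders.
SUSPICIOUS_IMAGES = (
    "\\winword.exe", "\\excel.exe", "\\powerpnt.exe", "\\msaccess.exe", "\\mspub.exe",
    "\\fltldr.exe", "\\cmd.exe", "\\certutil.exe", "\\mshta.exe", "\\cscript.exe",
    "\\wscript.exe", "\\curl.exe", "\\powershell.exe", "\\pwsh.exe",
)

# Per-user application folders whose DLL search order is commonly abused.
HIJACK_DIRS = (
    "\\microsoft\\onedrive\\", "\\microsoft onedrive\\", "\\microsoft\\teams\\",
    "\\local\\slack\\app-", "\\local\\programs\\microsoft vs code\\",
)


def matches_rule(event: dict) -> bool:
    """Return True when a FileCreate event satisfies 'selection and not filter'.

    Sigma string modifiers match case-insensitively, so both fields are
    lower-cased before comparison (Windows paths are case-insensitive anyway).
    """
    image = event["Image"].lower()
    target = event["TargetFilename"].lower()

    selection = (
        image.endswith(SUSPICIOUS_IMAGES)
        and target.endswith(".dll")
        and "\\users\\" in target
        and "\\appdata\\" in target
        and any(d in target for d in HIJACK_DIRS)
    )
    # Known benign noise the rule excludes: cmd.exe placing api-ms-win-core-*
    # forwarder stubs in the per-user OneDrive folder.
    excluded = image.endswith("\\cmd.exe") and all(
        s in target
        for s in ("\\users\\", "\\appdata\\", "\\microsoft\\onedrive\\", "\\api-ms-win-core-")
    )
    return selection and not excluded


def run_detection(events):
    """Return the subset of events the rule would alert on, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (Sysmon Event ID 11 fields); not real telemetry.
SAMPLE_EVENTS = [
    {   # should alert: PowerShell dropping a DLL into the per-user OneDrive folder
        "UtcTime": "2022-10-21 09:14:02.117", "User": "CORP\\alice",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\version.dll",
    },
    {   # excluded by the rule's filter: cmd.exe writing an api-ms-win-core-* stub
        "UtcTime": "2022-10-21 09:15:40.003", "User": "CORP\\alice",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\api-ms-win-core-file-l1-2-0.dll",
    },
    {   # should alert: Word (e.g. a macro) writing into the Slack app folder
        "UtcTime": "2022-10-21 09:20:11.560", "User": "CORP\\bob",
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\slack\\app-4.29.149\\dbghelp.dll",
    },
    {   # no alert: the acting process is not in the rule's Image list
        "UtcTime": "2022-10-21 09:25:00.000", "User": "CORP\\alice",
        "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveSetup.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\FileSyncShell64.dll",
    },
    {   # no alert: a machine-wide Program Files path lacks \Users\ and \AppData\
        "UtcTime": "2022-10-21 09:30:45.210", "User": "CORP\\admin",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "TargetFilename": "C:\\Program Files\\Slack\\app-4.29.149\\slack.dll",
    },
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"{hit['UtcTime']} {hit['User']} {hit['Image']} -> {hit['TargetFilename']}")
```

Running the block prints the two events that should alert (the PowerShell write into OneDrive and the Word write into the Slack folder) and stays silent on the other three. Extending SUSPICIOUS_IMAGES or HIJACK_DIRS here and re-running is a quick way to gauge how a proposed tuning of the rule changes its hits before touching the Sentinel analytics rule.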
False Positive Scenarios
Scenario: Legitimate DLL update via scheduled job
Description: A system administrator schedules a task that runs a script to update a legitimate DLL of a known application (e.g., Microsoft Teams under the user's AppData folder). Because the task's action usually executes through cmd.exe or powershell.exe, both of which are in the rule's Image list, the write matches the rule.
Filter/Exclusion: schtasks.exe only registers the task and is never the process that writes the file, so filtering on it does not help. Instead, exclude the specific update script or tool by its path in the acting process's command line (ActingProcessCommandLine in ASIM), scoped to the admin hosts or accounts that run it, and keep cmd.exe and powershell.exe in the rule.
Scenario: DLL file creation during software installation
Description: A legitimate installer or self-updater (e.g., Microsoft OneDrive's own setup executable) writes DLLs into its per-user folder under AppData as part of installation or update.
Filter/Exclusion: Installers such as msiexec.exe, setup.exe or the vendor's own updater are not in the rule's Image list, so they do not trigger it on their own; the rule fires only when the installation is driven through cmd.exe, PowerShell or another listed process (e.g., a deployment script). In that case, exclude the signed installer's path in the command line or the deployment tool's path rather than the script host itself, and verify the written DLL carries the vendor's signature.
Scenario: Admin task to place a DLL for compatibility testing
Description: An administrator or developer copies a replacement DLL into an application's per-user folder from cmd.exe or PowerShell for compatibility testing or debugging, for example while tracing an application's load behavior with Process Monitor. (Process Monitor itself only observes file activity; the write that matches the rule comes from the shell used to copy the file.)
Filter/Exclusion: Exclude the specific admin hosts or accounts used for such testing, or require a change-ticket reference in the command line; do not exclude cmd.exe or powershell.exe outright, since those are exactly the processes the rule is built around.
Scenario: DLL file creation for a legitimate application dependency
Description: A developer or sysadmin manually places a DLL (e.g., a Slack dependency) in the application's per-user dependency folder (e.g., AppData\Local\slack\app-<version>) as part of a custom build or configuration. Note that a copy into a machine-wide location such as C:\Program Files does not match the rule at all, because the path lacks the \Users\ and \AppData\ components the rule requires.
Filter/Exclusion: Scope the exclusion to the known build hosts or developer accounts and to the exact application folder, and check that the DLL's publisher signature matches the application (e.g., Slack); a DLL written into that folder by an unsigned or unexpected process should still alert.
Scenario: DLL file creation during a system update
Description: A system update or patch (e.g., via Windows Update or Microsoft Endpoint Manager) creates a DLL in a known application directory