The Elex DLL 64 bits detection rule identifies a 64-bit DLL that carries the strings associated with the Elex trojan, which may indicate lateral movement or persistence through DLL side-loading. SOC teams can hunt for this behaviour in Azure Sentinel to detect and mitigate threats that leverage DLL side-loading techniques.
YARA Rule
import "pe"

rule Trj_Elex_Dll64
{
    meta:
        author = "Centro Criptológico Nacional (CCN)"
        description = "Elex DLL 64 bits"
        ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
    strings:
        $mz = { 4d 5a }
        // UTF-16LE encoding of "Yrrehs"
        $str1 = { 59 00 72 00 72 00 65 00 68 00 73 00 }
        $str2 = "RookIE/1.0"
    condition:
        (pe.machine == pe.MACHINE_AMD64) and (pe.characteristics & pe.DLL) and ($mz at 0) and $str1 and $str2
}
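As an added example (not the CCN rule or its tooling), the following pure-Python checker mirrors the rule's condition on raw bytes so an analyst can see exactly what it requires: an MZ header at offset 0, an AMD64 machine type in the COFF header, the IMAGE_FILE_DLL characteristic, the UTF-16LE string "Yrrehs" ($str1) and the ASCII string "RookIE/1.0" ($str2). The build_sample helper and everything it produces are constructed test data, not real samples.

```python
import struct

# Constants from the PE/COFF specification (IMAGE_FILE_MACHINE_AMD64, IMAGE_FILE_DLL)
MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000

# The rule's strings: $str1 is the UTF-16LE encoding of "Yrrehs"; $str2 is ASCII "RookIE/1.0"
STR1 = bytes.fromhex("590072007200650068007300")
STR2 = b"RookIE/1.0"


def pe_header_fields(data: bytes):
    """Return (machine, characteristics) from the COFF header, or None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":          # $mz at 0
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the "PE\0\0" signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)           # COFF Machine
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)  # COFF Characteristics
    return machine, characteristics


def matches_trj_elex_dll64(data: bytes) -> bool:
    """Mirror the rule's condition: 64-bit DLL image with both strings present anywhere."""
    fields = pe_header_fields(data)
    if fields is None:
        return False
    machine, characteristics = fields
    return (machine == MACHINE_AMD64
            and bool(characteristics & IMAGE_FILE_DLL)
            and STR1 in data
            and STR2 in data)


def build_sample(machine: int, characteristics: int, payload: bytes) -> bytes:
    """Constructed minimal PE-like buffer (headers only, not loadable) for exercising the checker."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Signature + COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + coff + payload


if __name__ == "__main__":
    hit = build_sample(MACHINE_AMD64, 0x2022, STR1 + b"\0\0padding\0" + STR2)
    print("64-bit DLL with both strings:", matches_trj_elex_dll64(hit))
```

A 32-bit build or a 64-bit EXE carrying the same strings is not flagged, which is why the rule's pe-module checks matter as much as the strings.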
This YARA rule can be deployed in the following contexts:
This rule contains three string patterns in its detection logic ($mz, $str1 and $str2), combined with pe-module checks for the AMD64 machine type and the DLL characteristic.
Scenario: A system administrator is using Process Monitor (Sysinternals) to debug a 64-bit DLL issue.
Filter/Exclusion: Check for ProcessName containing procmon.exe or ProcessMonitor.exe.
Scenario: A Windows Update task is running, which may load various DLLs, including 64-bit ones as part of the update process.
Filter/Exclusion: Filter by ProcessName containing wuauclt.exe or check for EventID related to Windows Update.
Scenario: A scheduled backup job using Veeam Backup & Replication is executing, which may load 64-bit DLLs during data processing.
Filter/Exclusion: Use ProcessName containing veeam.exe or check for ProcessCommandLine with Veeam-related arguments.
Scenario: A third-party application like SQL Server Agent is running a job that utilizes 64-bit DLLs for database operations.
Filter/Exclusion: Filter by ProcessName containing sqlagent.exe or check for ProcessCommandLine with SQL Server-related parameters.
Scenario: A system diagnostic tool such as Windows Performance Analyzer (WPA) is running, which may load 64-bit DLLs for performance monitoring.
Filter/Exclusion: Check for ProcessName containing wpa.exe or perfmon.exe.