
[Rule Tuning] Potential DLL Side-Loading via Trusted Microsoft Programs

Open tyler-mcadam opened this issue 11 months ago • 3 comments

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml

Rule Tuning Type

False Negatives - Enhancing detection of true threats that were previously missed.

Description

I thought this should have triggered when I moved explorer.exe to my home dir. After examining the query, it looks like a different path AND file name are required to trigger. The description makes it sound like either the name or path changing should be enough to trigger. I think the 'or' was supposed to be 'and'.

Description: Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.

Current query:

process where host.os.type == "windows" and event.type == "start" and process.pe.original_file_name in ("WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE") and not (process.name : ("winword.exe", "explorer.exe", "w3wp.exe", "Dism.exe") or process.executable : ("?:\Windows\explorer.exe", "?:\Program Files\Microsoft Office\root\Office*\WINWORD.EXE", "?:\Program Files?(x86)\Microsoft Office\root\Office*\WINWORD.EXE", "?:\Windows\System32\Dism.exe", "?:\Windows\SysWOW64\Dism.exe", "?:\Windows\System32\inetsrv\w3wp.exe") )

https://unit42.paloaltonetworks.com/dll-hijacking-techniques/

Example Data

Not sure what is needed here, let me know if this isn't enough. [screenshot attachment]

tyler-mcadam, Feb 05 '25 19:02
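To make the boolean point of the report concrete, here is an added Python simulation of the rule's filter (this is not the project's own code and not the merged PR; the "tuned" variant below is one possible fix that requires both the expected name and the expected path, as the reporter suggests). It evaluates the original `not (name or path)` logic and the tuned `not (name and path)` logic over four constructed process-start events. EQL's `:` operator is modelled as a case-insensitive wildcard match, and `in` is compared as written.

```python
import fnmatch

# Constructed sample events (not taken from the issue). Field names follow the
# ECS fields used by the rule; paths and the user name are invented.
EVENTS = [
    {"id": "standard-explorer", "host.os.type": "windows", "event.type": "start",
     "process.pe.original_file_name": "EXPLORER.EXE", "process.name": "explorer.exe",
     "process.executable": r"C:\Windows\explorer.exe"},
    # explorer.exe copied unchanged to a user directory: the case the reporter tested
    {"id": "moved-only", "host.os.type": "windows", "event.type": "start",
     "process.pe.original_file_name": "EXPLORER.EXE", "process.name": "explorer.exe",
     "process.executable": r"C:\Users\tyler\explorer.exe"},
    # same binary, renamed and moved
    {"id": "renamed-and-moved", "host.os.type": "windows", "event.type": "start",
     "process.pe.original_file_name": "EXPLORER.EXE", "process.name": "update.exe",
     "process.executable": r"C:\Users\tyler\update.exe"},
    # a process the rule does not care about
    {"id": "notepad", "host.os.type": "windows", "event.type": "start",
     "process.pe.original_file_name": "NOTEPAD.EXE", "process.name": "notepad.exe",
     "process.executable": r"C:\Windows\System32\notepad.exe"},
]

# Values copied from the query quoted in the issue.
CANDIDATE_ORIGINAL_NAMES = ("WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE")
EXPECTED_NAMES = ("winword.exe", "explorer.exe", "w3wp.exe", "Dism.exe")
EXPECTED_PATHS = (
    r"?:\Windows\explorer.exe",
    r"?:\Program Files\Microsoft Office\root\Office*\WINWORD.EXE",
    r"?:\Program Files?(x86)\Microsoft Office\root\Office*\WINWORD.EXE",
    r"?:\Windows\System32\Dism.exe",
    r"?:\Windows\SysWOW64\Dism.exe",
    r"?:\Windows\System32\inetsrv\w3wp.exe",
)


def matches_any(value, patterns):
    """Model of EQL ':' against a list: case-insensitive, '?' and '*' wildcards."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def _in_scope(ev):
    """The part of the query both variants share."""
    return (ev["host.os.type"] == "windows"
            and ev["event.type"] == "start"
            and ev["process.pe.original_file_name"] in CANDIDATE_ORIGINAL_NAMES)


def original_rule(ev):
    """Query as quoted in the issue: not (name_ok OR path_ok).

    A binary keeping its real name anywhere on disk satisfies name_ok, so the
    whole 'not' clause is false and the event is never alerted on.
    """
    if not _in_scope(ev):
        return False
    name_ok = matches_any(ev["process.name"], EXPECTED_NAMES)
    path_ok = matches_any(ev["process.executable"], EXPECTED_PATHS)
    return not (name_ok or path_ok)


def tuned_rule(ev):
    """Assumed fix: not (name_ok AND path_ok), i.e. alert when either differs."""
    if not _in_scope(ev):
        return False
    name_ok = matches_any(ev["process.name"], EXPECTED_NAMES)
    path_ok = matches_any(ev["process.executable"], EXPECTED_PATHS)
    return not (name_ok and path_ok)


def run(rule, events=EVENTS):
    """Return the ids of the events a rule variant would alert on."""
    return [ev["id"] for ev in events if rule(ev)]


if __name__ == "__main__":
    print("original:", run(original_rule))   # misses 'moved-only'
    print("tuned:   ", run(tuned_rule))
```

Running it shows the false negative from the report: the `moved-only` event (explorer.exe in a home directory, name unchanged) is dropped by the original filter because `process.name` still matches, while the tuned filter alerts on it as well as on the renamed-and-moved copy. Because every entry in the path list already ends in the expected file name, `not (name_ok and path_ok)` reduces to `not path_ok` in practice.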

@tyler-mcadam thank you for reporting this issue, indeed the not condition not (process.name : ("winword.exe", "explorer.exe", "w3wp.exe", "Dism.exe")) will cause a miss if the binary is just moved to a different path. This PR should fix it.

Samirbous, Mar 12 '25 14:03

Oh that's even simpler than I thought. I like this solution a lot. Thanks! Am I supposed to close the issue or do you do it after merging?

tyler-mcadam, Mar 12 '25 14:03

Am I supposed to close the issue or do you do it after merging?

@tyler-mcadam once merged we will close it.

Samirbous, Mar 12 '25 14:03

Closing it as the PR was merged

w0rk3r, May 09 '25 17:05