[Rule Tuning] Potential DLL Side-Loading via Trusted Microsoft Programs

Open beninsh opened this issue 8 months ago • 2 comments

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml

Rule Tuning Type

None

Description

It seems that there is a typo in the query: The query includes the process executable "?:\\Windows\\SyWOW64\\explorer.exe" which should most likely be "?:\\Windows\\SysWOW64\\explorer.exe", i.e. there is an "s" missing in "SysWOW64".

The updated query would be the following:

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.pe.original_file_name in ("WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE") and 
  not process.executable : ("?:\\Windows\\explorer.exe", 
                            "?:\\Windows\\SysWOW64\\explorer.exe",
                            "?:\\Program Files\\Microsoft Office\\root\\Office*\\WINWORD.EXE", 
                            "?:\\Program Files?(x86)\\Microsoft Office\\root\\Office*\\WINWORD.EXE", 
                            "?:\\Windows\\System32\\Dism.exe", 
                            "?:\\Windows\\SysWOW64\\Dism.exe",  
                            "?:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM\\dism.exe",
                            "?:\\Windows\\System32\\inetsrv\\w3wp.exe", 
                            "?:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe")
'''

Example Data

No response

beninsh avatar Apr 15 '25 07:04 beninsh
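To make the effect of the missing "s" concrete, the following Python snippet re-implements the rule's filter logic and runs it over a few constructed process-start events. It is an added illustration, not code from this issue or from the elastic/detection-rules repository; the wildcard matcher, the dict-based event representation and the sample paths are assumptions modelled on the EQL query quoted in the issue. With the "SyWOW64" typo, the legitimate 32-bit Explorer under SysWOW64 is never excluded and every start of it raises an alert; with the corrected path it is excluded, while an Explorer copy launched from an unexpected directory (the case the rule exists to catch) still alerts under both lists.

```python
import re


def eql_wildcard_match(pattern, value):
    """Approximate EQL's `:` operator on a keyword field: case-insensitive,
    `*` matches any run of characters, `?` matches exactly one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


# Exclusion list as the rule had it, including the "SyWOW64" typo.
EXCLUSIONS_TYPO = [
    r"?:\Windows\explorer.exe",
    r"?:\Windows\SyWOW64\explorer.exe",
    r"?:\Program Files\Microsoft Office\root\Office*\WINWORD.EXE",
    r"?:\Program Files?(x86)\Microsoft Office\root\Office*\WINWORD.EXE",
    r"?:\Windows\System32\Dism.exe",
    r"?:\Windows\SysWOW64\Dism.exe",
    r"?:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe",
    r"?:\Windows\System32\inetsrv\w3wp.exe",
    r"?:\Windows\SysWOW64\inetsrv\w3wp.exe",
]

# Corrected list proposed in the issue: only the SysWOW64 Explorer entry differs.
EXCLUSIONS_FIXED = [
    p.replace(r"\SyWOW64\explorer.exe", r"\SysWOW64\explorer.exe") for p in EXCLUSIONS_TYPO
]

ORIGINAL_FILE_NAMES = {"WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE"}


def rule_matches(event, exclusions):
    """Return True when the event would raise an alert under the rule's logic."""
    if event["host.os.type"] != "windows" or event["event.type"] != "start":
        return False
    # EQL `in` is an exact comparison (the case-insensitive form is `in~`).
    if event["process.pe.original_file_name"] not in ORIGINAL_FILE_NAMES:
        return False
    executable = event["process.executable"]
    return not any(eql_wildcard_match(p, executable) for p in exclusions)


def make_event(executable, original_file_name):
    # Constructed event using the ECS field names the rule queries (assumption).
    return {
        "host.os.type": "windows",
        "event.type": "start",
        "process.executable": executable,
        "process.pe.original_file_name": original_file_name,
    }


# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    make_event(r"C:\Windows\SysWOW64\explorer.exe", "EXPLORER.EXE"),       # legitimate 32-bit Explorer
    make_event(r"C:\Windows\explorer.exe", "EXPLORER.EXE"),                # legitimate 64-bit Explorer
    make_event(r"C:\Windows\System32\Dism.exe", "DISM.EXE"),               # legitimate DISM
    make_event(r"C:\Users\Public\Downloads\explorer.exe", "EXPLORER.EXE"), # relocated copy the rule is meant to flag
    make_event(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE"),         # not in scope of the rule
]


def alerting_executables(events, exclusions):
    """Executables that would generate an alert with the given exclusion list."""
    return [e["process.executable"] for e in events if rule_matches(e, exclusions)]


def verdict_changes(events):
    """Executables whose verdict differs between the typo list and the corrected list."""
    return [
        e["process.executable"]
        for e in events
        if rule_matches(e, EXCLUSIONS_TYPO) != rule_matches(e, EXCLUSIONS_FIXED)
    ]


if __name__ == "__main__":
    print("alerts with typo    :", alerting_executables(SAMPLE_EVENTS, EXCLUSIONS_TYPO))
    print("alerts with fix     :", alerting_executables(SAMPLE_EVENTS, EXCLUSIONS_FIXED))
    print("changed by the fix  :", verdict_changes(SAMPLE_EVENTS))
```

The only event whose verdict changes is the SysWOW64 Explorer start, which is exactly the false-positive source the typo introduces; the relocated Explorer copy alerts under both lists, so the fix narrows the rule without weakening it.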

Nice catch @beninsh, do you want to submit a PR or should I do it?

w0rk3r avatar Apr 15 '25 12:04 w0rk3r

Thank you :) Feel free to create a PR @w0rk3r

beninsh avatar Apr 15 '25 13:04 beninsh