Potential Initial Access via DLL Search Order Hijacking
About the rule
Rule Type
Standard
Rule Description
Detects the creation or modification of a DLL file inside a known per-user desktop application dependency folder (such as OneDrive, Teams, Slack or VS Code under %LOCALAPPDATA%) by a process that does not normally write there, such as an Office application, a script host, certutil, curl or PowerShell. A DLL planted in one of these folders may be loaded by the legitimate application the next time it starts, so this may indicate an attempt to load a malicious module via DLL search order hijacking.
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "File Created or Modified"
  AND (PROCESSNAME endswith "\winword.exe,\excel.exe,\powerpnt.exe,\MSACCESS.EXE,\MSPUB.EXE,\fltldr.exe,\cmd.exe,\certutil.exe,\mshta.exe,\cscript.exe,\wscript.exe,\curl.exe,\powershell.exe,\pwsh.exe"
    AND (FILENAME endswith ".dll" OR OBJECTNAME endswith ".dll")
    AND ((FILENAME contains "\Users" AND FILENAME contains "\AppData") OR (OBJECTNAME contains "\Users" AND OBJECTNAME contains "\AppData"))
    AND (FILENAME contains "\Microsoft\OneDrive\,\Microsoft OneDrive\,\Microsoft\Teams\,\Local\slack\app-,\Local\Programs\Microsoft VS Code" OR OBJECTNAME contains "\Microsoft\OneDrive\,\Microsoft OneDrive\,\Microsoft\Teams\,\Local\slack\app-,\Local\Programs\Microsoft VS Code"))
  AND (PROCESSNAME notendswith "\cmd.exe"
    OR ((FILENAME notcontains "\Users" OR FILENAME notcontains "\AppData" OR FILENAME notcontains "\Microsoft\OneDrive" OR FILENAME notcontains "\api-ms-win-core-")
      AND (OBJECTNAME notcontains "\Users" OR OBJECTNAME notcontains "\AppData" OR OBJECTNAME notcontains "\Microsoft\OneDrive" OR OBJECTNAME notcontains "\api-ms-win-core-")))
select Action1.HOSTNAME,Action1.MESSAGE,Action1.USERNAME,Action1.DOMAIN,Action1.OBJECTNAME,Action1.FILENAME,Action1.PROCESSNAME
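To make the criteria above testable outside the SIEM, here is the same logic re-expressed as a Python predicate and run over a handful of constructed file-write events. This is an added example, not the rule engine's own code or Elastic's original query. It assumes events are dicts keyed by the field names the criteria use (actionname, PROCESSNAME, FILENAME, OBJECTNAME, HOSTNAME, ...), that the comma-separated quoted lists in endswith/contains mean "any of these", and that matching is case-insensitive as Windows paths are; the sample events, hostnames and user names are made up.

```python
"""Added example: the rule's criteria as a Python predicate over constructed events.

Assumptions (not from the rule page): events are dicts keyed by the criteria's
field names; quoted comma lists are alternatives; matching is case-insensitive.
"""

# Processes the rule treats as unusual writers of DLLs into these folders.
WRITER_PROCESSES = (
    "\\winword.exe", "\\excel.exe", "\\powerpnt.exe", "\\MSACCESS.EXE", "\\MSPUB.EXE",
    "\\fltldr.exe", "\\cmd.exe", "\\certutil.exe", "\\mshta.exe", "\\cscript.exe",
    "\\wscript.exe", "\\curl.exe", "\\powershell.exe", "\\pwsh.exe",
)

# Per-user application folders whose DLL dependencies are the hijack targets.
TARGET_DIRS = (
    "\\Microsoft\\OneDrive\\", "\\Microsoft OneDrive\\", "\\Microsoft\\Teams\\",
    "\\Local\\slack\\app-", "\\Local\\Programs\\Microsoft VS Code",
)

# Projection of the rule's "select" clause.
SELECTED_FIELDS = ("HOSTNAME", "MESSAGE", "USERNAME", "DOMAIN",
                   "OBJECTNAME", "FILENAME", "PROCESSNAME")


def _contains_all(path: str, needles) -> bool:
    p = path.lower()
    return all(n.lower() in p for n in needles)


def _contains_any(path: str, needles) -> bool:
    p = path.lower()
    return any(n.lower() in p for n in needles)


def _is_onedrive_apiset(path: str) -> bool:
    """The rule's single carve-out target: an api-ms-win-core-* DLL under the
    user's OneDrive AppData folder (the notcontains chain, inverted via De Morgan)."""
    return _contains_all(path, ("\\Users", "\\AppData", "\\Microsoft\\OneDrive",
                                "\\api-ms-win-core-"))


def matches(event: dict) -> bool:
    """True when the event satisfies the rule's criteria."""
    if event.get("actionname") != "File Created or Modified":
        return False
    proc = event.get("PROCESSNAME", "").lower()
    if not proc.endswith(tuple(p.lower() for p in WRITER_PROCESSES)):
        return False
    paths = (event.get("FILENAME", ""), event.get("OBJECTNAME", ""))
    if not any(p.lower().endswith(".dll") for p in paths):
        return False
    if not any(_contains_all(p, ("\\Users", "\\AppData")) for p in paths):
        return False
    if not any(_contains_any(p, TARGET_DIRS) for p in paths):
        return False
    # Exclusion: only cmd.exe dropping api-ms-win-core-* under OneDrive is suppressed.
    if proc.endswith("\\cmd.exe") and any(_is_onedrive_apiset(p) for p in paths):
        return False
    return True


def run_rule(events):
    """Apply the rule and return the selected fields of every matching event."""
    return [{f: e.get(f) for f in SELECTED_FIELDS} for e in events if matches(e)]


def _ev(proc: str, path: str) -> dict:
    """Build a constructed file-write event in the shape the criteria expect."""
    return {"actionname": "File Created or Modified", "HOSTNAME": "WS01",
            "USERNAME": "alice", "DOMAIN": "CORP", "MESSAGE": "file write",
            "PROCESSNAME": proc, "FILENAME": path, "OBJECTNAME": path}


_APPDATA = "C:\\Users\\alice\\AppData\\Local"  # constructed sample profile path
SAMPLE_EVENTS = [
    # script host drops a DLL beside Teams: alert
    _ev("C:\\Windows\\System32\\wscript.exe",
        _APPDATA + "\\Microsoft\\Teams\\current\\version.dll"),
    # PowerShell drops a DLL into Slack's app folder: alert
    _ev("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        _APPDATA + "\\slack\\app-4.29.149\\userenv.dll"),
    # cmd.exe writing an api-ms-win-core-* DLL under OneDrive: the carve-out, no alert
    _ev("C:\\Windows\\System32\\cmd.exe",
        _APPDATA + "\\Microsoft\\OneDrive\\23.001.0101.0001\\api-ms-win-core-file-l1-2-0.dll"),
    # cmd.exe writing any other DLL under OneDrive is still caught
    _ev("C:\\Windows\\System32\\cmd.exe",
        _APPDATA + "\\Microsoft\\OneDrive\\23.001.0101.0001\\secur32.dll"),
    # the application's own binary is not in the process list: no alert
    _ev(_APPDATA + "\\Microsoft\\OneDrive\\OneDrive.exe",
        _APPDATA + "\\Microsoft\\OneDrive\\23.001.0101.0001\\secur32.dll"),
    # DLL written outside AppData: no alert
    _ev("C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "C:\\Users\\alice\\Documents\\version.dll"),
    # not a DLL: no alert
    _ev("C:\\Windows\\System32\\wscript.exe",
        _APPDATA + "\\Microsoft\\Teams\\current\\payload.txt"),
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f'{hit["HOSTNAME"]} {hit["USERNAME"]} {hit["PROCESSNAME"]} -> {hit["FILENAME"]}')
```

Two points the walk-through makes visible: the exclusion is deliberately narrow (cmd.exe is still caught for any DLL that is not an api-ms-win-core-* file under OneDrive), and the rule is only as good as its process list, so a DLL written by a binary not in that list, including the targeted application's own installer or updater, produces no alert.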
Detection
Execution Mode
realtime
Log Sources
Windows
Author
Tim Rauch (rule), Elastic (idea)


