-
Notifications
You must be signed in to change notification settings - Fork 509
/
defense_evasion_dll_hijack.toml
106 lines (97 loc) · 4.84 KB
/
defense_evasion_dll_hijack.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
[metadata]
creation_date = "2023/07/12"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies digitally signed (trusted) processes loading unsigned DLLs. Attackers may plant their payloads into the
application folder and invoke the legitimate application to execute the payload, masking actions they perform under a
legitimate, trusted, and potentially elevated system or software process.
"""
from = "now-119m"
index = ["logs-endpoint.events.library-*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
name = "Unsigned DLL Loaded by a Trusted Process"
risk_score = 21
rule_id = "c20cd758-07b1-46a1-b03f-fa66158258b8"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Rule Type: BBR",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
library where host.os.type == "windows" and
(dll.Ext.relative_file_creation_time <= 500 or
dll.Ext.relative_file_name_modify_time <= 500 or
dll.Ext.device.product_id : ("Virtual DVD-ROM", "Virtual Disk")) and dll.hash.sha256 != null and
process.code_signature.status :"trusted" and not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and
/* DLL loaded from the process.executable current directory */
endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))
and not user.id : "S-1-5-18" and
not dll.hash.sha256 : (
"19588e6a318894abe8094374bee233e666f319de909c69f12a6047b14473e299",
"6e8bee250c8cc1b65150522f33794759f5c65f58fff17c5cbf6422ad68b421d2",
"55de11531dc0e566cb91f26e48d1301a161a4b8b24abed42304d711412368760",
"56a5148d00c2d9e58415be2d64eca922a58063fe26d9af1c87084aa383c9058e",
"83ee0ff920144edb2c2f4ea10130f55443493290886985a63233fa2431e450f9",
"0d0d8f2eaff6b5f75e63d9721d5a0480b30e70792fe0d3a24d76fd3e61b05982",
"8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb",
"ea02a19dd824cb7d611b8821d1b9e6a076714a195d027d1ff918128a64ac5220",
"02a6d001e6dd944738e09b720e49dcb1272cb782b870e5ae319d4600bc192225",
"e7714a1d6ac3f4c4ae22564b9ca301e486f5f42691859c0a687246c47b5cf5c9",
"17f0f709fb7f6190c03b19b6198fd863b6f0d79f46ccfebac6064be747a4cb3e",
"cb7ab3788d10940df874acd97b1821bbb5ee4a91f3eec11982bb5bf7a3c96443",
"c944ee510721a1d30d42227cc3061dfdcbc144c952381afcfe4f6e82c5435ffc",
"967189adfbc889fde89aafc867f7a1f02731f8592cf6fd5a4ace1929213e2e13",
"4a824526749790603eb66777f79787128dd282162a3904a4c1135de43b14d029",
"620a7e658af05cc848091b8a639854b9b15700a9061b4a3d078523653133a4af",
"cb220267fb0116b298bab6a09a764420d630c52026f7d750f8ffca4818389327",
"0da1f856d92d6b95f10ed8c3f629cd15468c906de9352fb4ae629139d1412eed",
"e1646c7778c24407a17881908037a49ecfcb5a980d155212d544302653a3ef62",
"e102c9c5b22ceb60dc516ab4124bea8ec8e808b08eec48ea7ac674d13fca82ef",
"c7544e1f9927afdf6e8cd7063020b572e60fe8f00af39227eb831d331df38225",
"3668c6749db59a6cbc5293d0a4f904f76d6fb5048704449dd53894916f408a57",
"7705851ba047a8154402aca92621b60be0e0e9d9b52b19bf8be540305bd53dba",
"b5acf358ff97127eac9ef4c664a980b937376b5295ef23d77ee338225de10d60",
"394d2d862f2ddce71f28d9b933b21a7d6c621c80ef28652574f758f77f01f716",
"e958d03db79e9f1d2770c70a5bc24904aa3e2d27a8d5637684cf8166b38908f2",
"284701380f33a30b25e8eb9822e7f47179238e91d08bd3fb5a117145de7e0d8d",
"497471497886f18ca16f7facab7d76dc9bfadd69deb9c6e4ea9bdc0869a15628",
"739bedcfc8eb860927eb2057474be5b39518aaaa6703f9f85307a432fa1f236e",
"8f4c72e3c7de1ab5d894ec7813f65c5298ecafc183f31924b44a427433ffca42",
"1ac4753056179b358132c55ca3086d550849ae30259ba94f334826c2fbf6c57e",
"53e8fecd7d4b1b74064eba9bfa6a361d52929f440954931b4ba65615148bf0ea",
"e9088afd8871dbad5eda47a9d8abf3b08dd2e17c423ba8a05f9b6ad6751f9b7c",
"ab27eb05130db2f92499234b69ff97ee6429c7824efcb7324ae3e404e2b405bf",
"553451008520a5f0110d84192cba40208fb001c27454f946e85e6fb2e6553292"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.001"
name = "DLL Search Order Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/001/"
[[rule.threat.technique.subtechnique]]
id = "T1574.002"
name = "DLL Side-Loading"
reference = "https://attack.mitre.org/techniques/T1574/002/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"