Hijack Execution Flow - DLL Side-Loading
| Id | 3084b487-fad6-4000-9544-6085b9657290 |
| Rulename | Hijack Execution Flow - DLL Side-Loading |
| Description | This detection tries to identify all DLLs loaded by “high integrity” processes and cross-checks the DLL paths against FileCreate/FileModify events of the same DLL by a medium integrity process. Of course, we need to do some magic to filter out false positives as much as possible. So any FileCreate/FileModify done by “NT Authoriy\System” and the “RID 500” users aren’t interesting. Also, we only want to see the FileCreate/FileModify actions which are performed with a default or limited token elevation. If done with a full elevated token, the user is apparently admin already. |
| Severity | Medium |
| Tactics | Persistence PrivilegeEscalation DefenseEvasion |
| Techniques | T1574.002 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/DLLSideLoading.yaml |
| Version | 1.0.1 |
| Arm template | 3084b487-fad6-4000-9544-6085b9657290.json |
let imls = materialize(
DeviceImageLoadEvents
| where InitiatingProcessIntegrityLevel in ("High", "System") and FileName !endswith ".exe"
| project FolderPath=tolower(FolderPath), InitiatingProcessFileName, InitiatingProcessIntegrityLevel, DeviceId, DeviceName
| distinct FolderPath, InitiatingProcessFileName, InitiatingProcessIntegrityLevel, DeviceId, DeviceName
);
imls
| join (
DeviceFileEvents
| where FolderPath in~ ((imls | project FolderPath)) and ActionType in ("FileCreated", "FileModified") and
InitiatingProcessIntegrityLevel !in ("High", "System", "") and InitiatingProcessAccountSid != "S-1-5-18" and
InitiatingProcessTokenElevation in ("TokenElevationTypeDefault", "TokenElevationTypeLimited") and InitiatingProcessAccountSid !endswith "-500"
| extend FolderPath=tolower(FolderPath)
) on FolderPath, DeviceId, DeviceName
| project-away FolderPath1
name: Hijack Execution Flow - DLL Side-Loading
query: |
let imls = materialize(
DeviceImageLoadEvents
| where InitiatingProcessIntegrityLevel in ("High", "System") and FileName !endswith ".exe"
| project FolderPath=tolower(FolderPath), InitiatingProcessFileName, InitiatingProcessIntegrityLevel, DeviceId, DeviceName
| distinct FolderPath, InitiatingProcessFileName, InitiatingProcessIntegrityLevel, DeviceId, DeviceName
);
imls
| join (
DeviceFileEvents
| where FolderPath in~ ((imls | project FolderPath)) and ActionType in ("FileCreated", "FileModified") and
InitiatingProcessIntegrityLevel !in ("High", "System", "") and InitiatingProcessAccountSid != "S-1-5-18" and
InitiatingProcessTokenElevation in ("TokenElevationTypeDefault", "TokenElevationTypeLimited") and InitiatingProcessAccountSid !endswith "-500"
| extend FolderPath=tolower(FolderPath)
) on FolderPath, DeviceId, DeviceName
| project-away FolderPath1
description: |
This detection tries to identify all DLLs loaded by "high integrity" processes and cross-checks the DLL paths against FileCreate/FileModify events of the same DLL by a medium integrity process.
Of course, we need to do some magic to filter out false positives as much as possible. So any FileCreate/FileModify done by "NT Authoriy\System" and the "RID 500" users aren't interesting.
Also, we only want to see the FileCreate/FileModify actions which are performed with a default or limited token elevation. If done with a full elevated token, the user is apparently admin already.
tactics:
- Persistence
- PrivilegeEscalation
- DefenseEvasion
requiredDataConnectors:
- dataTypes:
- DeviceFileEvents
- DeviceImageLoadEvents
connectorId: MicrosoftThreatProtection
queryPeriod: 1h
queryFrequency: 1h
status: Available
triggerThreshold: 0
id: 3084b487-fad6-4000-9544-6085b9657290
triggerOperator: gt
version: 1.0.1
relevantTechniques:
- T1574.002
severity: Medium
kind: Scheduled
entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: DeviceName
- entityType: Account
fieldMappings:
- identifier: Sid
columnName: InitiatingProcessAccountSid
- identifier: Name
columnName: InitiatingProcessAccountName
- identifier: NTDomain
columnName: InitiatingProcessAccountDomain
- entityType: Process
fieldMappings:
- identifier: CommandLine
columnName: InitiatingProcessCommandLine
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/DLLSideLoading.yaml
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3084b487-fad6-4000-9544-6085b9657290')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3084b487-fad6-4000-9544-6085b9657290')]",
"properties": {
"alertRuleTemplateName": "3084b487-fad6-4000-9544-6085b9657290",
"customDetails": null,
"description": "This detection tries to identify all DLLs loaded by \"high integrity\" processes and cross-checks the DLL paths against FileCreate/FileModify events of the same DLL by a medium integrity process.\nOf course, we need to do some magic to filter out false positives as much as possible. So any FileCreate/FileModify done by \"NT Authoriy\\System\" and the \"RID 500\" users aren't interesting.\nAlso, we only want to see the FileCreate/FileModify actions which are performed with a default or limited token elevation. If done with a full elevated token, the user is apparently admin already.\n",
"displayName": "Hijack Execution Flow - DLL Side-Loading",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingProcessAccountSid",
"identifier": "Sid"
},
{
"columnName": "InitiatingProcessAccountName",
"identifier": "Name"
},
{
"columnName": "InitiatingProcessAccountDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "InitiatingProcessCommandLine",
"identifier": "CommandLine"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/DLLSideLoading.yaml",
"query": "let imls = materialize(\n DeviceImageLoadEvents\n | where InitiatingProcessIntegrityLevel in (\"High\", \"System\") and FileName !endswith \".exe\"\n | project FolderPath=tolower(FolderPath), InitiatingProcessFileName, InitiatingProcessIntegrityLevel, DeviceId, DeviceName\n | distinct FolderPath, InitiatingProcessFileName, InitiatingProcessIntegrityLevel, DeviceId, DeviceName\n);\nimls\n| join (\n DeviceFileEvents\n | where FolderPath in~ ((imls | project FolderPath)) and ActionType in (\"FileCreated\", \"FileModified\") and\n InitiatingProcessIntegrityLevel !in (\"High\", \"System\", \"\") and InitiatingProcessAccountSid != \"S-1-5-18\" and\n InitiatingProcessTokenElevation in (\"TokenElevationTypeDefault\", \"TokenElevationTypeLimited\") and InitiatingProcessAccountSid !endswith \"-500\"\n | extend FolderPath=tolower(FolderPath)\n) on FolderPath, DeviceId, DeviceName\n| project-away FolderPath1\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion",
"Persistence",
"PrivilegeEscalation"
],
"techniques": [
"T1574"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}