forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
defense_evasion_dll_hijack.toml
65 lines (55 loc) · 2.32 KB
/
defense_evasion_dll_hijack.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
[metadata]
creation_date = "2023/07/12"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above."
min_stack_version = "8.4.0"
updated_date = "2023/10/13"
[rule]
author = ["Elastic"]
description = """
Identifies digitally signed (trusted) processes loading unsigned DLLs. Attackers may plant their payloads into the
application folder and invoke the legitimate application to execute the payload, masking actions they perform under a
legitimate, trusted, and potentially elevated system or software process.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Unsigned DLL Loaded by a Trusted Process"
risk_score = 21
rule_id = "c20cd758-07b1-46a1-b03f-fa66158258b8"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
query = '''
library where host.os.type == "windows" and
(dll.Ext.relative_file_creation_time <= 500 or
dll.Ext.relative_file_name_modify_time <= 500 or
dll.Ext.device.product_id : ("Virtual DVD-ROM", "Virtual Disk")) and dll.hash.sha256 != null and
process.code_signature.status :"trusted" and not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and
/* DLL loaded from the process.executable current directory */
endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))
and not user.id : "S-1-5-18"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.001"
name = "DLL Search Order Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/001/"
[[rule.threat.technique.subtechnique]]
id = "T1574.002"
name = "DLL Side-Loading"
reference = "https://attack.mitre.org/techniques/T1574/002/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"