Name:Windows DLL Search Order Hijacking Hunt with Sysmon id:79c7d1fc-64c7-91be-a616-ccda752efe81 version:9 date:2025-02-10 author:Michael Haag, Splunk status:production type:Hunting Description:The following analytic identifies potential DLL search order hijacking or DLL sideloading by detecting known Windows libraries loaded from non-standard directories. It leverages Sysmon EventCode 7 to monitor DLL loads and cross-references them with a lookup of known hijackable libraries. This activity is significant as it may indicate an attempt to execute malicious code by exploiting DLL search order vulnerabilities. If confirmed malicious, this could allow attackers to gain code execution, escalate privileges, or maintain persistence within the environment. Data_source:
-Sysmon EventID 7
search:`sysmon` EventCode=7 NOT (process_path IN ("*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*")) | lookup hijacklibs library AS loaded_file OUTPUT islibrary | search islibrary = True | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded dest loaded_file loaded_file_path original_file_name process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists service_dll_signature_verified signature signature_id user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dll_search_order_hijacking_hunt_with_sysmon_filter`
how_to_implement:The search is written against the latest Sysmon TA 4.0 https://splunkbase.splunk.com/app/5709. For this specific event ID 7, the sysmon TA will extract the ImageLoaded name to the loaded_file field which is used in the search to compare against the hijacklibs lookup. known_false_positives:False positives will be present based on paths. Filter or add other paths to the exclusion as needed. Some applications may legitimately load libraries from non-standard paths. References: -https://hijacklibs.net drilldown_searches:
: tags: analytic_story: - 'Living Off The Land' - 'Windows Defense Evasion Tactics' - 'Qakbot' asset_type:Endpoint mitre_attack_id: - 'T1574.001' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:endpoint
