Windows DLL Search Order Hijacking Hunt with Sysmon

Name:Windows DLL Search Order Hijacking Hunt with Sysmon
id:79c7d1fc-64c7-91be-a616-ccda752efe81
version:6
date:2024-10-17
author:Michael Haag, Splunk
status:production
type:Hunting
Description:The following analytic identifies potential DLL search order hijacking or DLL sideloading by detecting known Windows libraries loaded from non-standard directories. It leverages Sysmon EventCode 7 to monitor DLL loads and cross-references them with a lookup of known hijackable libraries. This activity is significant as it may indicate an attempt to execute malicious code by exploiting DLL search order vulnerabilities. If confirmed malicious, this could allow attackers to gain code execution, escalate privileges, or maintain persistence within the environment.
Data_source:

• -Sysmon EventID 7

search:`sysmon` EventCode=7 NOT (process_path IN ("*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*"))
| lookup hijacklibs library AS loaded_file OUTPUT islibrary
| search islibrary = True
| stats count min(_time) as firstTime max(_time) as lastTime values(process_name) as process_name by _time dest loaded_file
| `windows_dll_search_order_hijacking_hunt_with_sysmon_filter`

how_to_implement:The search is written against the latest Sysmon TA 4.0 https://splunkbase.splunk.com/app/5709. For this specific event ID 7, the sysmon TA will extract the ImageLoaded name to the loaded_file field which is used in the search to compare against the hijacklibs lookup.
known_false_positives:False positives will be present based on paths. Filter or add other paths to the exclusion as needed. Some applications may legitimately load libraries from non-standard paths.
References:
  -https://hijacklibs.net
drilldown_searches:
  :
tags:
  analytic_story:
    - 'Living Off The Land'
    - 'Windows Defense Evasion Tactics'
    - 'Qakbot'
  asset_type:Endpoint
  confidence:10
  impact:10
  message:Potential Windows DLL Search Order Hijacking detected on $dest$
  mitre_attack_id:
    - 'T1574.001'
    - 'T1574'
  observable:
    name:'dest'
    type:'Hostname'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'dest'
    - 'ImageLoaded'
    - 'Module_Path'
  risk_score:1
  security_domain:endpoint

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log
  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  sourcetype: XmlWinEventLog
  update_timestamp: True
manual_test:None