sigma-rules/rules/windows/privilege_escalation_persistence_phantom_dll.toml

[metadata]
creation_date = "2020/01/07"
maturity = "production"
updated_date = "2022/08/02"

[rule]
author = ["Elastic"]
description = """
Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one
that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate
privileges via privileged file write vulnerabilities.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious DLL Loaded for Persistence or Privilege Escalation"
note = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
    "https://itm4n.github.io/windows-dll-hijacking-clarified/",
    "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
    "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html",
    "https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html",
    "https://windows-internals.com/faxing-your-way-to-system/",
    "http://waleedassar.blogspot.com/2013/01/wow64logdll.html",
]
risk_score = 73
rule_id = "bfeaf89b-a2a7-48a3-817f-e41829dc61ee"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Privilege Escalation"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where
 (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
 (
  /* compatible with Elastic Endpoint Library Events */
  (dll.name : ("wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll",
               "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll",
               "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll")
   and (dll.code_signature.trusted == false or dll.code_signature.exists == false)) or

  /* compatible with Sysmon EventID 7 - Image Load */
  (file.name : ("wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll",
               "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll",
               "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll")
   and not file.code_signature.status == "Valid")
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.002"
name = "DLL Side-Loading"
reference = "https://attack.mitre.org/techniques/T1574/002/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.001"
name = "DLL Search Order Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/001/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"