DLL Search Order Hijacking with known programs

Detects writing DLL files to known locations associated with Windows files vulnerable to DLL search order hijacking.

id:afd1fba7-5301-4d5c-ae66-f8608bc98ae9 categories:detect confidence:low os:windows created:7/26/2019 updated:7/26/2019

MITRE ATT&CK™ Mapping

tactics:Privilege Escalation, Defense Evasion, Persistence techniques:T1038 DLL Search Order Hijacking

Query

file where not subtype.delete and
  not user_sid in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and (
    file_path == "*\\windows\\ehome\\cryptbase.dll" or
    file_path == "*\\windows\\system32\\sysprep\\cryptbase.dll" or
    file_path == "*\\windows\\system32\\sysprep\\cryptsp.dll" or
    file_path == "*\\windows\\system32\\sysprep\\rpcrtremote.dll" or
    file_path == "*\\windows\\system32\\sysprep\\uxtheme.dll" or
    file_path == "*\\windows\\system32\\sysprep\\dwmapi.dll" or
    file_path == "*\\windows\\system32\\sysprep\\shcore.dll" or
    file_path == "*\\windows\\system32\\sysprep\\oleacc.dll" or
    file_path == "*\\windows\\system32\\ntwdblib.dll"
  )
| unique process_path, file_path

Contributors

• Endgame