[代理镜像] detection-rules/rules_building_block/defense_evasion_dll_hijack.toml at main · elastic/detection-rules · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
[metadata]
creation_date = "2023/07/12"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/03/24"

[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies digitally signed (trusted) processes loading unsigned DLLs. Attackers may plant their payloads into the
application folder and invoke the legitimate application to execute the payload, masking actions they perform under a
legitimate, trusted, and potentially elevated system or software process.
"""
from = "now-119m"
index = ["logs-endpoint.events.library-*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
name = "Unsigned DLL Loaded by a Trusted Process"
risk_score = 21
rule_id = "c20cd758-07b1-46a1-b03f-fa66158258b8"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Rule Type: BBR",
    "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
library where host.os.type == "windows" and
   (dll.Ext.relative_file_creation_time <= 500 or
    dll.Ext.relative_file_name_modify_time <= 500 or
    dll.Ext.device.product_id : ("Virtual DVD-ROM", "Virtual Disk")) and dll.hash.sha256 != null and
    process.code_signature.status :"trusted" and not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and
    /* DLL loaded from the process.executable current directory */
    endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))
    and not user.id : "S-1-5-18" and
    not dll.hash.sha256 : (
        "19588e6a318894abe8094374bee233e666f319de909c69f12a6047b14473e299",
        "6e8bee250c8cc1b65150522f33794759f5c65f58fff17c5cbf6422ad68b421d2",
        "55de11531dc0e566cb91f26e48d1301a161a4b8b24abed42304d711412368760",
        "56a5148d00c2d9e58415be2d64eca922a58063fe26d9af1c87084aa383c9058e",
        "83ee0ff920144edb2c2f4ea10130f55443493290886985a63233fa2431e450f9",
        "0d0d8f2eaff6b5f75e63d9721d5a0480b30e70792fe0d3a24d76fd3e61b05982",
        "8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb",
        "ea02a19dd824cb7d611b8821d1b9e6a076714a195d027d1ff918128a64ac5220",
        "02a6d001e6dd944738e09b720e49dcb1272cb782b870e5ae319d4600bc192225",
        "e7714a1d6ac3f4c4ae22564b9ca301e486f5f42691859c0a687246c47b5cf5c9",
        "17f0f709fb7f6190c03b19b6198fd863b6f0d79f46ccfebac6064be747a4cb3e",
        "cb7ab3788d10940df874acd97b1821bbb5ee4a91f3eec11982bb5bf7a3c96443",
        "c944ee510721a1d30d42227cc3061dfdcbc144c952381afcfe4f6e82c5435ffc",
        "967189adfbc889fde89aafc867f7a1f02731f8592cf6fd5a4ace1929213e2e13",
        "4a824526749790603eb66777f79787128dd282162a3904a4c1135de43b14d029",
        "620a7e658af05cc848091b8a639854b9b15700a9061b4a3d078523653133a4af",
        "cb220267fb0116b298bab6a09a764420d630c52026f7d750f8ffca4818389327",
        "0da1f856d92d6b95f10ed8c3f629cd15468c906de9352fb4ae629139d1412eed",
        "e1646c7778c24407a17881908037a49ecfcb5a980d155212d544302653a3ef62",
        "e102c9c5b22ceb60dc516ab4124bea8ec8e808b08eec48ea7ac674d13fca82ef",
        "c7544e1f9927afdf6e8cd7063020b572e60fe8f00af39227eb831d331df38225",
        "3668c6749db59a6cbc5293d0a4f904f76d6fb5048704449dd53894916f408a57",
        "7705851ba047a8154402aca92621b60be0e0e9d9b52b19bf8be540305bd53dba",
        "b5acf358ff97127eac9ef4c664a980b937376b5295ef23d77ee338225de10d60",
        "394d2d862f2ddce71f28d9b933b21a7d6c621c80ef28652574f758f77f01f716",
        "e958d03db79e9f1d2770c70a5bc24904aa3e2d27a8d5637684cf8166b38908f2",
        "284701380f33a30b25e8eb9822e7f47179238e91d08bd3fb5a117145de7e0d8d",
        "497471497886f18ca16f7facab7d76dc9bfadd69deb9c6e4ea9bdc0869a15628",
        "739bedcfc8eb860927eb2057474be5b39518aaaa6703f9f85307a432fa1f236e",
        "8f4c72e3c7de1ab5d894ec7813f65c5298ecafc183f31924b44a427433ffca42",
        "1ac4753056179b358132c55ca3086d550849ae30259ba94f334826c2fbf6c57e",
        "53e8fecd7d4b1b74064eba9bfa6a361d52929f440954931b4ba65615148bf0ea",
        "e9088afd8871dbad5eda47a9d8abf3b08dd2e17c423ba8a05f9b6ad6751f9b7c",
        "ab27eb05130db2f92499234b69ff97ee6429c7824efcb7324ae3e404e2b405bf",
        "553451008520a5f0110d84192cba40208fb001c27454f946e85e6fb2e6553292"
    )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"

[[rule.threat.technique.subtechnique]]
id = "T1574.001"
name = "DLL"
reference = "https://attack.mitre.org/techniques/T1574/001/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"