Find sigma rule

Attack: Hijack Execution Flow: DLL Side-Loading

Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).

Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading)

MITRE

Tactic

privilege-escalation
defense-evasion
persistence

technique

T1574.002

Test : DLL Side-Loading using the Notepad++ GUP.exe binary

OS

windows

Description:

GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded. Upon execution, calc.exe will be opened.

Executor

command_prompt

Sigma Rule

proc_creation_win_gup_suspicious_execution.yml (id: 0a4f6091-223b-41f6-8743-f322ec84930b)
image_load_dll_dbghelp_dbgcore_susp_load.yml (id: 0e277796-5f23-4e49-a490-483131d4f6e1)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test