windows_unsigned_ms_dll_side_loading.yml
83 lines (83 loc) · 3.85 KB
name: Windows Unsigned MS DLL Side-Loading
id: 8d9e0e06-ba71-4dc5-be16-c1a46d58728c
version: 1
date: '2024-04-05'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon Event ID 7
type: Anomaly
status: production
description: The following analytic identifies potential DLL side-loading instances involving unsigned DLLs whose
  company metadata claims to be Microsoft. This technique is frequently exploited by adversaries to execute
  malicious code automatically by running a legitimate process. The analytic involves searching Sysmon logs for Event Code 7,
  where both the `Image` and `ImageLoaded` paths do not match system directories (`system32`, `syswow64`, and `programfiles`).
  Additionally, it verifies whether the loaded DLL is signed and checks if the folder paths of the `Image` and `ImageLoaded` are identical.
  This anomaly detection mechanism serves as a valuable indicator for identifying suspicious processes that load unsigned DLLs. Add other excluded paths based on hunting results in your organization.
search: '`sysmon` EventCode=7 Company="Microsoft Corporation" Signed=false SignatureStatus != Valid
  NOT (Image IN("C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*", "C:\\Program Files*"))
  NOT (ImageLoaded IN("C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*", "C:\\Program Files*"))
  | rex field=Image "(?<ImageFolderPath>.+\\\)"
  | rex field=ImageLoaded "(?<ImageLoadedFolderPath>.+\\\)"
  | where ImageFolderPath = ImageLoadedFolderPath
  | stats count min(_time) as firstTime max(_time) as lastTime by Image ProcessGuid ImageLoaded user Computer EventCode ImageFolderPath ImageLoadedFolderPath Company Description Product Signed SignatureStatus
  | rename Computer as dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_unsigned_ms_dll_side_loading_filter`'
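To make the logic of the description and the SPL above concrete, here is an added Python re-implementation of the search over constructed Sysmon Event ID 7 records. It is not code from the Splunk security content project; the sample events, host name, user and process GUID are all made up for illustration, and the `SAMPLE_EVENTS`, `is_candidate` and `detect` names are this example's own.

```python
import re

# Path prefixes excluded by the search's NOT (... IN (...)) clauses. Compared
# case-insensitively, as base-search field matching in SPL is.
SYSTEM_DIR_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")

# Equivalent of: rex field=Image "(?<ImageFolderPath>.+\\)" -- greedy match up
# to the last backslash, i.e. the containing folder including the separator.
FOLDER_RE = re.compile(r"(?P<folder>.+\\)")

# Fields the stats command groups by (folder paths are added separately).
GROUP_BY = ("Image", "ProcessGuid", "ImageLoaded", "user", "Computer", "EventCode",
            "Company", "Description", "Product", "Signed", "SignatureStatus")

# Constructed Sysmon EID 7 events reduced to the fields the search uses.
# These are illustrative values, not telemetry from any real host.
_TEMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
_BASE = {"EventCode": 7, "Computer": "ws01.example.local", "user": "EXAMPLE\\alice",
         "ProcessGuid": "{00000000-0000-0000-0000-000000000001}",
         "Company": "Microsoft Corporation", "Description": "Microsoft C Runtime Library",
         "Product": "Microsoft Visual Studio", "Signed": "false", "SignatureStatus": "Unavailable"}
SAMPLE_EVENTS = [
    # 1 and 2: same process loads the same unsigned "Microsoft" DLL from its own folder -> flagged, count 2
    {**_BASE, "_time": 1712300000, "Image": _TEMP + "sqldumper.exe", "ImageLoaded": _TEMP + "vcruntime140.dll"},
    {**_BASE, "_time": 1712300060, "Image": _TEMP + "sqldumper.exe", "ImageLoaded": _TEMP + "vcruntime140.dll"},
    # 3: DLL lives in a different folder than the process -> folder check fails
    {**_BASE, "_time": 1712300120, "Image": "C:\\Users\\alice\\Downloads\\tool.exe",
     "ImageLoaded": _TEMP + "vcruntime140.dll"},
    # 4: properly signed DLL -> Signed=false / SignatureStatus != Valid fails
    {**_BASE, "_time": 1712300180, "Image": _TEMP + "sqldumper.exe", "ImageLoaded": _TEMP + "msvcp140.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # 5: both paths under System32 -> excluded by the system-directory filter
    {**_BASE, "_time": 1712300240, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\example.dll"},
    # 6: unsigned, same folder, but Company is not Microsoft -> out of scope for this analytic
    {**_BASE, "_time": 1712300300, "Image": _TEMP + "app.exe", "ImageLoaded": _TEMP + "helper.dll",
     "Company": "Contoso Ltd"},
]


def folder_path(path):
    """Return the containing folder with trailing backslash, or None if there is none."""
    m = FOLDER_RE.match(path)
    return m.group("folder") if m else None


def in_system_dir(path):
    """True if the path falls under System32, SysWow64 or a 'Program Files' root."""
    return path.lower().startswith(SYSTEM_DIR_PREFIXES)


def is_candidate(ev):
    """Apply the base-search filters and the folder-equality check to one event."""
    if ev.get("EventCode") != 7 or ev.get("Company") != "Microsoft Corporation":
        return False
    if str(ev.get("Signed", "")).lower() != "false" or ev.get("SignatureStatus") == "Valid":
        return False
    if in_system_dir(ev["Image"]) or in_system_dir(ev["ImageLoaded"]):
        return False
    img_folder, dll_folder = folder_path(ev["Image"]), folder_path(ev["ImageLoaded"])
    # SPL's where ImageFolderPath = ImageLoadedFolderPath is an exact string comparison.
    return img_folder is not None and img_folder == dll_folder


def detect(events):
    """Run the analytic over event dicts; return rows shaped like the stats output."""
    groups = {}
    for ev in events:
        if not is_candidate(ev):
            continue
        key = tuple(ev.get(f) for f in GROUP_BY) + (folder_path(ev["Image"]), folder_path(ev["ImageLoaded"]))
        row = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    results = []
    for key, row in groups.items():
        fields = dict(zip(GROUP_BY + ("ImageFolderPath", "ImageLoadedFolderPath"), key))
        fields["dest"] = fields.pop("Computer")  # rename Computer as dest
        fields.update(row)
        results.append(fields)
    return results


if __name__ == "__main__":
    for r in detect(SAMPLE_EVENTS):
        print(f"An instance of {r['Image']} loading Unsigned {r['ImageLoaded']} was detected on {r['dest']}.")
```

Events 3 to 6 each exercise one of the search's conditions, so editing them is a quick way to see which clause a given real-world load would fail. When extending the excluded paths, add them to `SYSTEM_DIR_PREFIXES` here and to both `IN(...)` lists in the SPL.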
how_to_implement: The analytic is designed to be run against Sysmon event logs collected
  from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk.
  The analytic searches for EventCode 7 where the Image is either SQLDumper.exe or SQLWriter.exe
  and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate
  loading of vcruntime140.dll from the System32 directory to reduce false positives.
  The analytic can be modified to include additional known good paths for vcruntime140.dll
  to further reduce false positives.
known_false_positives: False positives are possible if legitimate processes are loading
  vcruntime140.dll from non-standard directories. It is recommended to investigate the
  context of the process loading vcruntime140.dll to determine if it is malicious or
  not. Modify the search to include additional known good paths for vcruntime140.dll
  to reduce false positives.
references:
- https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
- https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
tags:
  analytic_story:
  - APT29 Diplomatic Deceptions with WINELOADER
  group:
  - APT29
  - Cozy Bear
  - Midnight Blizzard
  asset_type: Endpoint
  confidence: 30
  impact: 30
  message: An instance of $Image$ loading Unsigned $ImageLoaded$ was detected on $dest$.
  mitre_attack_id:
  - T1574.002
  - T1547
  observable:
  - name: Image
    type: File Name
    role:
    - Attacker
  - name: dest
    type: Hostname
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - Image
  - ImageLoaded
  - user
  - Computer
  - EventCode
  risk_score: 9
  security_domain: endpoint
  cve: []
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/unsigned_dll_load//wineloader_dll_sideload.log
    sourcetype: xmlwineventlog
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational