Advisory severity: medium

Unsigned DLL Side-Loading from Suspicious Folders by Trusted Processes

This detection identifies a signed, trusted Windows program that runs from a location adversaries commonly abuse for masquerading and that loads a recently dropped, unsigned DLL. That combination indicates an attempt to evade defenses by side-loading a malicious DLL into the memory space of a signed process.

This rule detects DLL side-loading attempts in which a signed, trusted Windows program running from a suspicious directory loads a recently dropped, unsigned DLL. Attackers use this technique to execute malicious code in the context of a trusted process, bypassing security controls that rely on code signatures. The suspicious directories are common locations where users might inadvertently place downloaded or created files. “Recently dropped” means the DLL's file creation or modification time, measured relative to the load event, is 500 milliseconds or less. The technique is frequently used to evade traditional security measures and to gain unauthorized access or persistence on a system. Requiring all three conditions at once (a trusted program, a suspicious directory, and an unsigned DLL) keeps false positives low.
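The following is an added illustration of that matching logic, not the vendor's rule or its query: it evaluates constructed image_load events against the four conditions described above (trusted signed loader, suspicious folder, unsigned DLL, creation or modification within 500 ms of the load). The event field names, the folder patterns other than C:\Users\Public\, and the sample paths are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

RECENT_MS = 500  # the advisory's "recently dropped" threshold
# C:\Users\Public\ is named in the advisory; the other folders are assumed
# examples of user-writable locations, not the rule's real list.
SUSPICIOUS_DIR_RE = re.compile(
    r"^c:\\(users\\public\\|programdata\\|windows\\temp\\"
    r"|users\\[^\\]+\\(downloads|appdata\\local\\temp)\\)", re.IGNORECASE)

@dataclass
class ImageLoad:
    """One image_load event; field names are assumed, modelled on EDR telemetry."""
    process_path: str
    process_signed: bool            # valid Authenticode signature on the loader
    process_trusted: bool           # signer chains to a trusted root
    dll_path: str
    dll_signed: bool
    dll_created_ms_ago: Optional[int]   # creation time relative to the load
    dll_modified_ms_ago: Optional[int]  # modification time relative to the load

def recently_dropped(ev: ImageLoad) -> bool:
    """True when the DLL was created or modified within RECENT_MS of the load."""
    ages = [a for a in (ev.dll_created_ms_ago, ev.dll_modified_ms_ago) if a is not None]
    return any(a <= RECENT_MS for a in ages)

def is_unsigned_sideload(ev: ImageLoad) -> bool:
    """All four advisory conditions must hold together, which keeps false positives low."""
    return (ev.process_signed and ev.process_trusted
            and SUSPICIOUS_DIR_RE.match(ev.process_path) is not None
            and not ev.dll_signed
            and recently_dropped(ev))

def triage(events: List[ImageLoad]) -> List[str]:
    """Return the DLL paths of matching events, in event order."""
    return [ev.dll_path for ev in events if is_unsigned_sideload(ev)]

# Constructed sample events: only the first one should fire.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\Public\updater.exe", True, True,
              r"C:\Users\Public\helper.dll", False, 120, 120),
    ImageLoad(r"C:\Users\Public\updater.exe", True, True,
              r"C:\Users\Public\helper.dll", True, 120, 120),  # DLL is signed
    ImageLoad(r"C:\Program Files\Vendor\app.exe", True, True,
              r"C:\Program Files\Vendor\helper.dll", False, 50, 50),  # normal install folder
    ImageLoad(r"C:\Users\alice\Downloads\tool.exe", True, True,
              r"C:\Users\alice\Downloads\helper.dll", False, 86_400_000, None),  # dropped a day ago
]
```

Feeding real telemetry into `triage` only requires mapping your EDR's signature, path and relative-time fields onto `ImageLoad`.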

Attack Chain

  1. An attacker gains initial access to a system (e.g., through social engineering or exploiting a vulnerability).
  2. The attacker drops a malicious, unsigned DLL into a suspicious directory (e.g., C:\Users\Public\).
  3. The attacker identifies a signed, trusted Windows program vulnerable to DLL side-loading.
  4. The attacker executes the trusted program, ensuring it loads the malicious DLL due to DLL search order hijacking.
  5. The malicious DLL executes within the address space of the trusted program.
  6. The malicious DLL performs malicious actions, such as establishing persistence, escalating privileges, or exfiltrating data.
  7. The attacker uses the compromised process to move laterally within the network.

Impact

A successful DLL side-loading attack can lead to complete system compromise, data exfiltration, and potential lateral movement within the network. This technique allows attackers to bypass application whitelisting and signature-based detection mechanisms, making it difficult to detect. The impact is significant because attackers can execute arbitrary code with the privileges of the trusted process, potentially leading to privilege escalation and the compromise of sensitive data.

Recommendation

  • Deploy the Sigma rule “Unsigned DLL Side-Loading from a Suspicious Folder” to your SIEM and tune for your environment to detect this specific DLL side-loading technique.
  • Investigate any alerts generated by the “Unsigned DLL Side-Loading from a Suspicious Folder” Sigma rule by reviewing process code signatures and DLL modification times.
  • Implement application whitelisting to restrict the execution of unauthorized programs.
  • Monitor process creation events and DLL loading events for suspicious activity, focusing on unsigned DLLs loaded by trusted processes from unusual locations.
  • Enable Elastic Defend or another endpoint detection and response (EDR) solution, as the rule is designed for data generated by Elastic Defend.

Detection coverage (2 rules)

Unsigned DLL Side-Loading from Suspicious Folder

medium

Detects a Windows trusted program running from locations often abused by adversaries and loading a recently dropped DLL.

Format: sigma | Tactics: defense_evasion | Techniques: T1574.001 | Sources: image_load, windows

Suspicious DLL Load from User Profile

medium

Detects DLL loading from user profile directories which is often abused by adversaries for DLL side-loading.

Format: sigma | Tactics: defense_evasion | Techniques: T1574.001 | Sources: image_load, windows

Detection queries are kept inside the platform.