{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft-internet-information-services/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Word","Microsoft Windows","Microsoft Internet Information Services"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","windows","dll side-loading"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies potential DLL side-loading attempts, a technique used by adversaries to evade defenses. The technique involves exploiting the DLL search order vulnerability in trusted Microsoft programs such as WinWord.exe, EXPLORER.EXE, w3wp.exe, and DISM.EXE. Attackers rename or move these executables to non-standard paths and load malicious DLLs. By doing so, the malicious code is executed within the memory space of a trusted process, potentially bypassing security controls and evading detection. The original Elastic detection rule was created on 2020/09/03 and last updated on 2026/04/07. This activity matters to defenders as it allows attackers to execute malicious code with elevated privileges while blending in with legitimate system processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a vulnerable, trusted Microsoft program (e.g., WinWord.exe, EXPLORER.EXE).\u003c/li\u003e\n\u003cli\u003eAttacker copies or moves the targeted executable to a non-standard directory.\u003c/li\u003e\n\u003cli\u003eAttacker renames the executable (optional).\u003c/li\u003e\n\u003cli\u003eAttacker places a malicious DLL in the same directory as the renamed/moved executable. This DLL is designed to be loaded by the trusted program when it starts.\u003c/li\u003e\n\u003cli\u003eAttacker executes the renamed/moved executable.\u003c/li\u003e\n\u003cli\u003eThe executable loads the malicious DLL due to DLL search order hijacking.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes arbitrary code, achieving persistence, privilege escalation, or other malicious objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful DLL side-loading can lead to arbitrary code execution within the context of a trusted process. This allows attackers to bypass application whitelisting and other security controls. The impact can range from malware installation and data exfiltration to complete system compromise. This technique is often employed in targeted attacks and can be difficult to detect due to the legitimate appearance of the host process.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePotential DLL Side-Loading via Trusted Microsoft Programs\u003c/code\u003e to detect renamed or relocated trusted Microsoft programs. Tune the rule for your environment by whitelisting legitimate software updates or custom applications that may trigger false positives.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to capture the full path of executed processes. This will provide the data needed to accurately identify processes running from non-standard locations (log source: process_creation).\u003c/li\u003e\n\u003cli\u003eMonitor file modifications and creations in directories where trusted Microsoft programs are located. This can help identify the presence of malicious DLLs (log source: file_event).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-dll-side-loading/","summary":"This rule detects potential DLL side-loading attempts by identifying trusted Microsoft programs (WinWord.exe, EXPLORER.EXE, w3wp.exe, DISM.EXE) running from non-standard paths or after being renamed to evade defenses.","title":"Potential DLL Side-Loading via Trusted Microsoft Programs","url":"https://feed.craftedsignal.io/briefs/2024-01-dll-side-loading/"}],"language":"en","title":"CraftedSignal Threat Feed - Microsoft Internet Information Services","version":"https://jsonfeed.org/version/1.1"}