{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dll-sideloading/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","dll-sideloading","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis rule detects DLL side-loading attempts in which a signed, trusted Windows program running from a suspicious directory loads a recently dropped, unsigned DLL. Attackers use this technique to execute malicious code inside a trusted process, bypassing controls that trust a process on the strength of its code signature alone. The suspicious directories are user-writable locations (for example \u003ccode\u003eC:\\Users\\Public\\\u003c/code\u003e) where downloaded or staged files commonly land and where an attacker can place both a copied signed binary and the DLL it will load. \u0026ldquo;Recently dropped\u0026rdquo; means a DLL whose file creation or last-modification time, measured relative to the load, is 500 milliseconds or less. The technique is a staple of defense evasion and persistence on Windows. 
This detection requires all three conditions together (a trusted program, a suspicious directory, and an unsigned DLL) to keep false positives low.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., through social engineering or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker copies a signed, trusted Windows program that resolves one of its DLLs from its own directory into a suspicious, user-writable directory (e.g., \u003ccode\u003eC:\\Users\\Public\\\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious, unsigned DLL with the expected file name beside the copied program.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the program; because the application directory is searched before the system directories for any DLL that is not a KnownDLL, the malicious DLL is loaded in place of the legitimate one (DLL search order hijacking).\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes within the address space of the trusted program.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL performs malicious actions, such as establishing persistence, escalating privileges, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised process to move laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful DLL side-loading attack can lead to complete system compromise, data exfiltration, and lateral movement within the network. Because the host executable is signed and may itself be allowed, the technique bypasses application whitelisting that covers only executables and signature-based controls that trust the process rather than the modules it loads, which makes it difficult to detect. 
The impact is significant because attackers execute arbitrary code with the privileges of the trusted process, which can lead to privilege escalation where that process runs elevated and to the compromise of sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Unsigned DLL Side-Loading from a Suspicious Folder\u0026rdquo; to your SIEM and tune it for your environment (in particular the list of suspicious directories and the \u0026ldquo;recently dropped\u0026rdquo; threshold) to detect this specific DLL side-loading technique.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026ldquo;Unsigned DLL Side-Loading from a Suspicious Folder\u0026rdquo; rule by reviewing the code signatures of both the process and the DLL, the creation and modification times of the DLL, and how the signed binary came to be in that directory.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting with DLL rules enabled (for example AppLocker DLL rules or WDAC); executable-only whitelisting does not stop an allowed, signed binary from loading an unsigned DLL.\u003c/li\u003e\n\u003cli\u003eMonitor process creation and image load events for unsigned DLLs loaded by trusted processes from unusual locations.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend or another endpoint detection and response (EDR) solution, as the rule is designed for data generated by Elastic Defend; another EDR must expose equivalent fields (process and DLL signature status and the age of the DLL file) for the logic to be ported.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-unsigned-dll-sideloading/","summary":"This detection identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped unsigned DLL, which indicates an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed process.","title":"Unsigned DLL Side-Loading from Suspicious Folders by Trusted Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-unsigned-dll-sideloading/"},{"_cs_actors":["APT29","Cozy Bear","NOBELIUM","UNC2452","Midnight Blizzard","The Dukes"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Visual C++ 
Redistributable"],"_cs_severities":["high"],"_cs_tags":["dll-sideloading","vcruntime140.dll","apt29","wineloader","defense-evasion","persistence","privilege-escalation"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis brief addresses DLL sideloading that targets \u003ccode\u003evcruntime140.dll\u003c/code\u003e, the C runtime library shipped with the Visual C++ Redistributable and loaded by a very large number of Windows applications. Threat actors, including APT29, have used this technique to run malicious payloads under the cover of legitimate applications. By placing a malicious \u003ccode\u003evcruntime140.dll\u003c/code\u003e in the same directory as an application that resolves the library from its own folder (e.g., SqlWriter, SqlDumper), attackers hijack the application\u0026rsquo;s execution flow and run arbitrary code with the privileges of that application, inside a process whose executable is legitimately signed. The use of \u003ccode\u003evcruntime140.dll\u003c/code\u003e sideloading has been documented in campaigns involving WINELOADER and in targeted attacks against European diplomats. 
This technique is effective for defense evasion and for establishing persistence on compromised systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an application that loads \u003ccode\u003evcruntime140.dll\u003c/code\u003e from its own directory and is therefore susceptible to sideloading, such as SqlWriter or SqlDumper.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003evcruntime140.dll\u003c/code\u003e containing the desired payload (e.g., a reverse shell or malware loader), usually forwarding or re-implementing the exports the host expects so that the application keeps running normally.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the target system (e.g., through phishing or exploiting a software vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious \u003ccode\u003evcruntime140.dll\u003c/code\u003e in the same directory as the vulnerable application.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the vulnerable application (e.g., SqlWriter.exe).\u003c/li\u003e\n\u003cli\u003eThe application resolves \u003ccode\u003evcruntime140.dll\u003c/code\u003e from its own directory, which precedes the system directories in the default DLL search order, and so loads the malicious copy instead of the legitimate library.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes its payload within the context of the application, bypassing security controls that trust the signed host process.\u003c/li\u003e\n\u003cli\u003eThe payload runs with the privileges of the host application; the attacker uses it to establish persistence and, where the application runs elevated, to escalate privileges, enabling further malicious activity on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful DLL sideloading can lead to a complete compromise of the affected system. Attackers can use this technique to execute arbitrary code, install malware, steal sensitive data, or establish a persistent foothold for future attacks. This technique has been observed in targeted attacks against political organizations and diplomats, highlighting its potential for espionage and disruption. 
If successful, organizations risk data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Vcruntime140 DLL Sideloading\u0026rdquo; to your SIEM to detect \u003ccode\u003evcruntime140.dll\u003c/code\u003e being loaded from non-standard paths (logsource: image_load/windows).\u003c/li\u003e\n\u003cli\u003eInvestigate any instance of \u003ccode\u003evcruntime140.dll\u003c/code\u003e loaded from a directory other than \u003ccode\u003eC:\\Windows\\System32\\\u003c/code\u003e, \u003ccode\u003eC:\\Windows\\SysWOW64\\\u003c/code\u003e, \u003ccode\u003eC:\\Program Files\\\u003c/code\u003e, or \u003ccode\u003eC:\\Program Files (x86)\\\u003c/code\u003e using image load events (Sysmon Event ID 7 or the EDR equivalent), then pivot to process creation logs to establish how the loading process was launched. Expect legitimate applications that bundle the runtime in their own install directory to trip this rule; add per-application exclusions rather than widening the path filter.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent the execution of unauthorized applications and DLLs.\u003c/li\u003e\n\u003cli\u003eMonitor for unsigned or improperly signed instances of \u003ccode\u003evcruntime140.dll\u003c/code\u003e being loaded; the legitimate library is signed by Microsoft.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-vcruntime140-dll-sideload/","summary":"Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library, used by threat actors such as APT29 (via WINELOADER) to load malicious payloads under the guise of legitimate applications, leading to defense evasion, persistence, and privilege escalation.","title":"Potential Vcruntime140 DLL Sideloading","url":"https://feed.craftedsignal.io/briefs/2024-01-vcruntime140-dll-sideload/"}],"language":"en","title":"CraftedSignal Threat Feed — Dll-Sideloading","version":"https://jsonfeed.org/version/1.1"}
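Appended below the feed as an added example (it is not part of the feed, and not the published logic of the Elastic rule or the Sigma rule either brief names): the two detections the briefs describe, replayed over a few constructed image-load records. The first rule needs a trusted process in a suspicious folder, an untrusted DLL, and a DLL file age under a threshold (the 500 figure from the first brief, kept as a parameter because the unit of your telemetry's age field may differ); the second flags any vcruntime140.dll load from outside the four paths the second brief lists. The suspicious-directory list, the normalised event schema and every sample event are assumptions made for the demonstration.

```python
"""Replay the two DLL side-loading detections described in this feed over a
handful of constructed image-load events.

Example code added to this page. It is not the feed's, Elastic's or the Sigma
project's rule logic; the directory lists, the event schema and the sample
events below are assumptions made for the demonstration.
"""
import json
from typing import Dict, List, Tuple

# Assumed "suspicious" directories for the first brief: user-writable places a
# signed, trusted binary normally has no business running from.
SUSPICIOUS_DIRS = (
    "c:\\users\\public\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
    "\\appdata\\local\\temp\\",
    "\\downloads\\",
)

# The four prefixes the second brief names as expected homes for vcruntime140.dll.
STANDARD_VCRUNTIME_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed image-load records, one JSON object per line, normalised to a
# small schema: the loading process and whether its signature chains to a
# trusted root, the loaded DLL and its trust status, and the DLL file's age in
# milliseconds (creation or last modification, whichever is newer) at load time.
SAMPLE_EVENTS = r"""
{"process": "C:\\Users\\Public\\sqlwriter.exe", "process_trusted": true, "dll": "C:\\Users\\Public\\vcruntime140.dll", "dll_trusted": false, "dll_age_ms": 240}
{"process": "C:\\Program Files\\Microsoft SQL Server\\90\\Shared\\sqlwriter.exe", "process_trusted": true, "dll": "C:\\Windows\\System32\\vcruntime140.dll", "dll_trusted": true, "dll_age_ms": 86400000}
{"process": "C:\\Users\\Public\\updater.exe", "process_trusted": true, "dll": "C:\\Users\\Public\\helper.dll", "dll_trusted": false, "dll_age_ms": 3600000}
{"process": "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe", "process_trusted": false, "dll": "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.dll", "dll_trusted": false, "dll_age_ms": 100}
{"process": "C:\\Users\\alice\\Downloads\\app\\app.exe", "process_trusted": true, "dll": "C:\\Users\\alice\\Downloads\\app\\vcruntime140.dll", "dll_trusted": true, "dll_age_ms": 500000}
"""

Event = Dict[str, object]


def parse_events(text: str) -> List[Event]:
    """Parse newline-delimited JSON image-load records, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def in_suspicious_dir(path: str) -> bool:
    """True when the path sits under one of the assumed suspicious directories."""
    lowered = path.lower()
    return any(marker in lowered for marker in SUSPICIOUS_DIRS)


def unsigned_sideload_from_suspicious_folder(ev: Event, max_age_ms: int = 500) -> bool:
    """First brief: a trusted program running from a suspicious folder loads a
    freshly dropped DLL with no trusted signature. All three conditions must
    hold, which is what keeps the rule quiet on ordinary unsigned plug-ins."""
    return (
        bool(ev["process_trusted"])
        and in_suspicious_dir(str(ev["process"]))
        and not ev["dll_trusted"]
        and int(ev["dll_age_ms"]) <= max_age_ms
    )


def vcruntime140_outside_standard_paths(ev: Event) -> bool:
    """Second brief: vcruntime140.dll loaded from anywhere other than the
    runtime's standard locations, regardless of who signed the file."""
    dll = str(ev["dll"]).lower()
    return dll.endswith("\\vcruntime140.dll") and not dll.startswith(STANDARD_VCRUNTIME_PREFIXES)


RULES = {
    "Unsigned DLL Side-Loading from a Suspicious Folder": unsigned_sideload_from_suspicious_folder,
    "Potential Vcruntime140 DLL Sideloading": vcruntime140_outside_standard_paths,
}


def run_rules(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, DLL path) for every event/rule pair that fires."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, str(ev["dll"])))
    return hits


if __name__ == "__main__":
    for name, dll in run_rules(parse_events(SAMPLE_EVENTS)):
        print(f"{name}: {dll}")
```

Only the first sample (a copied sqlwriter.exe in C:\Users\Public\ loading a freshly written, untrusted vcruntime140.dll) fires both rules. The third sample shows why the age threshold is a tuning knob: the same trusted program and unsigned DLL go unreported once the DLL is an hour old, which is the trade-off the first brief makes for low noise. The fifth sample is the false-positive shape to expect from the path-only rule: an application that ships a Microsoft-signed vcruntime140.dll in its own folder outside Program Files trips the second rule while the first stays silent because the DLL is trusted, so tuning should add per-application exclusions rather than widen the path list.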