https://feed.craftedsignal.io/tags/dll-sideloading/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 14:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-unsigned-dll-sideloading/Wed, 03 Jan 2024 14:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-unsigned-dll-sideloading/This detection identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped unsigned DLL, which indicates an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed process.This rule detects DLL side-loading attempts where a signed, trusted Windows program running from a suspicious directory loads a recently dropped, unsigned DLL. Attackers leverage this technique to execute malicious code within the context of a trusted process, bypassing security controls that rely on code signatures. The suspicious directories include common locations where users might inadvertently place downloaded or created files. The timeframe for “recently dropped” is defined as DLLs with a relative file creation or modification time of 500 milliseconds or less. This technique is frequently used to evade traditional security measures and gain unauthorized access or persistence on a system. This detection focuses on the combination of a trusted program, a suspicious directory, and an unsigned DLL to reduce false positives.

Attack Chain

1. An attacker gains initial access to a system (e.g., through social engineering or exploiting a vulnerability).
2. The attacker drops a malicious, unsigned DLL into a suspicious directory (e.g., C:\Users\Public\).
3. The attacker identifies a signed, trusted Windows program vulnerable to DLL side-loading.
4. The attacker executes the trusted program, ensuring it loads the malicious DLL due to DLL search order hijacking.
5. The malicious DLL executes within the address space of the trusted program.
6. The malicious DLL performs malicious actions, such as establishing persistence, escalating privileges, or exfiltrating data.
7. The attacker uses the compromised process to move laterally within the network.

Impact

A successful DLL side-loading attack can lead to complete system compromise, data exfiltration, and potential lateral movement within the network. This technique allows attackers to bypass application whitelisting and signature-based detection mechanisms, making it difficult to detect. The impact is significant because attackers can execute arbitrary code with the privileges of the trusted process, potentially leading to privilege escalation and the compromise of sensitive data.

Recommendation

• Deploy the Sigma rule “Unsigned DLL Side-Loading from a Suspicious Folder” to your SIEM and tune for your environment to detect this specific DLL side-loading technique.
• Investigate any alerts generated by the “Unsigned DLL Side-Loading from a Suspicious Folder” Sigma rule by reviewing process code signatures and DLL modification times.
• Implement application whitelisting to restrict the execution of unauthorized programs.
• Monitor process creation events and DLL loading events for suspicious activity, focusing on unsigned DLLs loaded by trusted processes from unusual locations.
• Enable Elastic Defend or another endpoint detection and response (EDR) solution, as the rule is designed for data generated by Elastic Defend.

]]>mediumadvisorydefense-evasiondll-sideloadingwindowshttps://feed.craftedsignal.io/briefs/2024-01-vcruntime140-dll-sideload/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-vcruntime140-dll-sideload/Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library, often used by threat actors like APT29 (via WinELOADER) to load malicious payloads under the guise of legitimate applications, leading to defense evasion, persistence, and privilege escalation.This brief addresses the threat of DLL sideloading, specifically targeting the vcruntime140.dll library, a common component of the Visual C++ Redistributable. Threat actors, including APT29, have been observed exploiting this technique to load malicious payloads disguised as legitimate applications. By placing a malicious vcruntime140.dll in the same directory as a vulnerable application (e.g., SqlWriter, SqlDumper), attackers can hijack the application’s execution flow. This allows them to bypass security measures and execute arbitrary code with the privileges of the compromised application. The use of vcruntime140.dll sideloading has been documented in campaigns involving WinELOADER and targeted attacks against European diplomats. This technique is effective for defense evasion and establishing persistence on compromised systems.

Attack Chain

1. The attacker identifies a vulnerable application susceptible to DLL sideloading, such as SqlWriter or SqlDumper.
2. The attacker crafts a malicious vcruntime140.dll containing the desired payload (e.g., a reverse shell or malware loader).
3. The attacker gains initial access to the target system (e.g., through phishing or exploiting a software vulnerability).
4. The attacker places the malicious vcruntime140.dll in the same directory as the vulnerable application.
5. The attacker executes the vulnerable application (e.g., SqlWriter.exe).
6. The application attempts to load vcruntime140.dll from its local directory, inadvertently loading the malicious version instead of the legitimate system library.
7. The malicious DLL executes its payload within the context of the vulnerable application, bypassing security controls.
8. The attacker achieves persistence and privilege escalation, enabling further malicious activities on the compromised system.

Impact

Successful DLL sideloading can lead to a complete compromise of the affected system. Attackers can use this technique to execute arbitrary code, install malware, steal sensitive data, or establish a persistent foothold for future attacks. This technique has been observed in targeted attacks against political organizations and diplomats, highlighting its potential for espionage and disruption. If successful, organizations risk data breaches, financial loss, and reputational damage.

Recommendation

• Deploy the Sigma rule “Potential Vcruntime140 DLL Sideloading” to your SIEM to detect instances of suspicious vcruntime140.dll loading from non-standard paths (logsource: image_load/windows).
• Investigate any instances of vcruntime140.dll being loaded from directories other than C:\Windows\System32\, C:\Windows\SysWOW64\, C:\Program Files\, or C:\Program Files (x86)\ using process creation logs.
• Implement application whitelisting to prevent the execution of unauthorized applications and DLLs.
• Monitor for unsigned or improperly signed instances of vcruntime140.dll being loaded.

]]>highthreatdll-sideloadingvcruntime140.dllapt29wineloaderdefense-evasionpersistenceprivilege-escalation