{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dll/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["powershell","module","dll","filecreation","scriptblocksmuggling"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThe creation of DLL files in PowerShell module directories is a common technique used by attackers to introduce malicious functionality into a system. This activity can be indicative of several malicious behaviors, including the installation of rogue modules, attempts at ScriptBlock smuggling to bypass security controls, or other forms of malicious PowerShell exploitation. The detection focuses on monitoring for the creation of new DLLs within the various PowerShell module directories, which is an unusual event during normal system operation. While legitimate module installations can trigger this alert, the high potential for abuse makes it a critical event to monitor. The detection logic is based on Sysmon Event ID 11.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system via phishing or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages PowerShell to download a malicious DLL module.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell commands to place the malicious DLL into a PowerShell module directory (e.g., \u003ccode\u003eC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eSysmon Event ID 11 logs the creation of the DLL file in the PowerShell module directory.\u003c/li\u003e\n\u003cli\u003eThe attacker then imports the module using \u003ccode\u003eImport-Module\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eOnce the module is imported, the attacker executes malicious code embedded within the DLL.\u003c/li\u003e\n\u003cli\u003eThis allows the attacker to perform actions such as privilege escalation, data exfiltration, or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence by modifying PowerShell profiles or using scheduled tasks to automatically load the malicious module on system startup.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a wide range of malicious activities, including persistence, privilege escalation, and data theft. Attackers can use this technique to maintain long-term access to compromised systems and networks. The impact can range from minor data breaches to complete system compromise depending on the attacker\u0026rsquo;s objectives and the permissions of the compromised user account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 logging to capture file creation events, as this is the data source for the detections below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Module DLL Created\u0026rdquo; to your SIEM and tune for your environment to detect suspicious DLL creation in PowerShell module directories.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine if the DLL creation is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell command-line activity for the use of \u003ccode\u003eImport-Module\u003c/code\u003e and other module-related commands, as these can indicate module loading and execution.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted DLLs in PowerShell.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-powershell-module-dll-creation/","summary":"The creation of a DLL file within PowerShell module directories can indicate malicious PowerShell activity, such as installing new modules or attempts at ScriptBlock smuggling, and this activity is detected using Sysmon Event ID 11.","title":"Suspicious PowerShell Module DLL Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-03-powershell-module-dll-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Unlocker Extension","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["iobit","unlocker","regsvr32","dll","windows","threat-detection"],"_cs_type":"advisory","_cs_vendors":["IObit","Splunk"],"content_html":"\u003cp\u003eIOBit Unlocker is a legitimate Windows utility designed to resolve issues involving files or folders that cannot be deleted, moved, or renamed because they are locked by other processes or applications. Attackers can abuse this tool by registering a malicious extension DLL that enables them to unlock and manipulate critical system files, potentially leading to privilege escalation, data exfiltration, or system compromise. This technique can be employed to disable security software, modify system configurations, or deploy malware more effectively.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious DLL file, disguised as or named similarly to \u0026ldquo;IObitUnlockerExtension.dll\u0026rdquo;, onto the system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses regsvr32.exe to register the malicious DLL: \u003ccode\u003eregsvr32.exe /s IObitUnlockerExtension.dll\u003c/code\u003e. The \u003ccode\u003e/s\u003c/code\u003e flag is used for silent registration to avoid user interaction.\u003c/li\u003e\n\u003cli\u003eUpon successful registration, the DLL is loaded by the system.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL hooks into system processes, granting the attacker the ability to unlock files and folders protected by the operating system or other applications.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the DLL\u0026rsquo;s capabilities to unlock files or folders related to security software, such as antivirus programs, or critical system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or replaces these unlocked files to disable security controls, escalate privileges, or plant persistent malware.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which may include data exfiltration, system disruption, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the complete compromise of a Windows host. An attacker may disable security software, modify sensitive system configurations, and deploy malware undetected. The DFIR Report has observed this technique used in intrusions leading to ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect IOBit Unlocker Extension DLL Registration via Regsvr32\u003c/code\u003e to your SIEM to identify suspicious registrations of IOBitUnlockerExtension.dll.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for instances of \u003ccode\u003eregsvr32.exe\u003c/code\u003e registering DLLs from unusual or suspicious locations.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of \u003ccode\u003eregsvr32.exe\u003c/code\u003e to authorized users and processes.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit registered DLLs to identify any unauthorized or malicious extensions.\u003c/li\u003e\n\u003cli\u003eInvestigate any endpoint activity involving IObit Unlocker, including file modifications and process terminations related to locked files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-iobit-unlocker-extension-dll-registration/","summary":"The IOBit Unlocker Extension DLL is being registered via regsvr32.exe, a Windows utility used to unlock files or folders by terminating locking processes, which could be abused for malicious purposes.","title":"IOBit Unlocker Extension DLL Registration via Regsvr32","url":"https://feed.craftedsignal.io/briefs/2024-01-iobit-unlocker-extension-dll-registration/"}],"language":"en","title":"CraftedSignal Threat Feed — Dll","version":"https://jsonfeed.org/version/1.1"}