Hunt 4 DLL sideload by China

The threat actor may attempt to execute malicious code by side-loading a malicious DLL using a legitimate application.

Name:
Hunt 4 DLL sideload by China

TTP:
T1218.005 System Binary Proxy Execution: Mshta, T1218.011 System Binary Proxy Execution: Rundll32

Hypothesis:

The threat actor may attempt to execute malicious code by side-loading a malicious DLL using a legitimate application.

Campaign Type:
Data Driven

Data Sources:

  • Process Monitoring
  • Loaded DLLs
  • Process Command-Line Parameters
  • Windows Registry

Tools:

  • Intezer
  • Detect-It-Easy (DiE)
  • PE Studio
  • Process Hacker
  • Process Explorer
  • Autoruns
  • Ghidra
  • IDA Freeware
  • x64dbg
  • WinDbg

Scenario:

  • Initial Access: Attacker gains initial access.
  • Defense Evasion [TA0005]: Attacker uses DLL side-loading to bypass application control solutions and evade detection.
  • Persistence: Attacker establishes persistence on the compromised system.
  • Privilege Escalation: Attacker may attempt to elevate privileges to gain higher-level access.
  • Lateral Movement: Attacker moves laterally to other systems within the network.
  • Exfiltration: Attacker exfiltrates sensitive data from the network.
  • Impact: Attacker achieves their objective, which may include data theft, disruption of operations, or financial gain.

Hunting Strategy:

  • Analyze process monitoring logs for suspicious process creations and terminations, focusing on legitimate applications known to be used for DLL side-loading.

  • Correlate process events with loaded DLLs to identify any unusual or malicious DLLs being loaded by the suspicious processes.

  • Examine process command-line parameters for any anomalies or indicators of DLL side-loading, such as unusual parameters or paths.

  • Investigate Windows Registry events for any suspicious modifications or creations related to DLL side-loading, such as changes to application paths or DLL search order.

  • For any outliers or suspicious events identified, perform further analysis using tools like Intezer, Detect-It-Easy (DiE), and PE Studio to determine if the DLLs are malicious.

  • If malicious DLL side-loading is confirmed, escalate the incident to the incident response team for further investigation and remediation.

  • Document all findings and actions taken during the threat hunting process.

False Positive Consideration:

  • Legitimate applications may use DLL side-loading for non-malicious purposes.
  • Some software installers or updaters may exhibit behavior similar to DLL side-loading.

Recommendations:

  • Implement strict application control rules to prevent the execution of unauthorized or suspicious DLLs.
  • Regularly review and update application whitelists to ensure only trusted applications are allowed to run.
  • Monitor for and investigate any suspicious modifications to the Windows Registry related to DLL search order or application paths.

Step-by-Step Guide to Emulate a Threat Hunt

Prepare the Environment

  1. Set up a test environment with necessary security monitoring tools installed. This may include Sysmon, Winlogbeat, and an ELK stack for log collection and analysis.

  2. Enable relevant auditing policies for the operating system and applications. Ensure that process creation, DLL loading, and other relevant events are being logged.

  3. Configure a centralized log management system for collecting and storing security events. This will typically be your ELK stack.

Emulate the Attack Techniques

  1. Execute commands and actions that simulate DLL side-loading. This can be done using a legitimate application and a custom-built malicious DLL.

  2. Use relevant attack tools or scripts to generate representative security events. For example, you can use a tool like Cobalt Strike or Metasploit to simulate the attack.

Emulate Post-Compromise Activities

  1. Simulate post-compromise activities, such as privilege escalation, lateral movement, and data exfiltration, to generate corresponding security events.

  2. Use appropriate tools and techniques to emulate these activities in a controlled manner.

Collect and Analyze Logs

  1. Collect the generated security event logs from your centralized log management system (ELK stack).

  2. Use analysis tools to search for events related to the emulated attack techniques.

  3. Filter events based on relevant criteria, such as process names, command-line parameters, network connections, and registry activity.

Refine Detections

  1. Analyze the collected logs to identify patterns and refine your detection rules.

  2. Consider using threat detection frameworks like YARA or SIGMA to create more robust detection rules.

  3. Document your analysis and findings to improve future threat hunting efforts.

Hunting Logic

The hunting logic for DLL side-loading should focus on identifying suspicious patterns and anomalies related to process execution and DLL loading. This includes:

  • Monitoring for the execution of legitimate applications known to be used for DLL side-loading, such as rundll32.exe and mshta.exe.

  • Identifying unusual or suspicious DLLs being loaded by these processes.

  • Analyzing process command-line parameters for anomalies or indicators of DLL side-loading.

  • Investigating any suspicious modifications or creations in the Windows Registry related to DLL side-loading.

Detection Rules

You can use YARA, SIGMA, or other detection engineering languages to create detection rules for DLL side-loading. These rules can be based on various criteria, such as:

  • File names: Look for suspicious DLL names or names that mimic legitimate DLLs.

  • File paths: Identify DLLs loaded from unusual or unexpected directories.

  • Hashes: Detect known malicious DLLs based on their hashes.

  • Command-line parameters: Identify suspicious command-line arguments used with legitimate applications.

  • Registry activity: Monitor for suspicious modifications to the Windows Registry related to DLL search order or application paths.
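The correlation described in the Hunting Strategy, Hunting Logic and Detection Rules sections above, worked through as an added example that is not part of this playbook: a Python hunt over constructed Sysmon-style events (process create, image load, registry value set) that applies the file-name, file-path, hash, command-line and registry criteria and implements the installer false-positive consideration as an allowlist. Field names follow Sysmon's schema, but every event, path, DLL name list, hash value and allowlist entry below is an assumption built for the demonstration, not telemetry from any real host.

```python
"""Hunt for DLL side-loading over Sysmon-style events (added example, not the playbook's code)."""
import ntpath

# Directories a Windows-named DLL is expected to load from (assumed list, lower-case).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# User-writable roots: a system-named DLL resolved here is the classic side-load shape.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Windows DLL names commonly impersonated by side-loaded DLLs (hypothetical starter list).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll", "userenv.dll"}
# System binary proxy hosts named in the playbook's TTP field.
PROXY_BINARIES = {"rundll32.exe", "mshta.exe"}
# Placeholder SHA256 blocklist; not a real indicator.
BAD_SHA256 = {"11" * 32}
# Registry value paths that change DLL search order (real value names, matched as substrings).
SEARCH_ORDER_KEYS = ("session manager\\knowndlls", "session manager\\safedllsearchmode")
# Installers that legitimately load helper DLLs beside themselves (assumed false-positive allowlist).
INSTALLER_HOSTS = {"msiexec.exe", "setup.exe"}


def sha256_of(hashes_field):
    """Pull the SHA256 value out of Sysmon's 'MD5=..,SHA256=..' Hashes string."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def hunt(events):
    """Return (rule, ProcessGuid, detail) tuples for events matching the side-load criteria."""
    findings = []
    for e in events:
        eid = e["EventID"]
        host = ntpath.basename(e["Image"]).lower()
        if eid == 1:  # process create: command-line criterion for proxy binaries
            cmd = e["CommandLine"].lower()
            if host in PROXY_BINARIES and any(root in cmd for root in USER_WRITABLE):
                findings.append(("proxy-binary-user-path", e["ProcessGuid"], e["CommandLine"]))
        elif eid == 7:  # image load: hash, file-name and file-path criteria
            dll = e["ImageLoaded"].lower()
            name = ntpath.basename(dll)
            if sha256_of(e.get("Hashes", "")) in BAD_SHA256:
                findings.append(("known-bad-hash", e["ProcessGuid"], e["ImageLoaded"]))
            if name in SYSTEM_DLL_NAMES and not dll.startswith(SYSTEM_DIRS):
                # A Windows DLL name resolved outside the system directories means the
                # application directory won the search order. A validly signed helper DLL
                # loaded by a known installer is the documented false-positive case.
                legit = host in INSTALLER_HOSTS and e.get("SignatureStatus") == "Valid"
                if not legit:
                    severity = "high" if dll.startswith(USER_WRITABLE) else "medium"
                    findings.append(("system-dll-outside-system-dir", e["ProcessGuid"],
                                     f"{severity}: {host} loaded {e['ImageLoaded']}"))
        elif eid == 13:  # registry value set: search-order criterion
            if any(key in e["TargetObject"].lower() for key in SEARCH_ORDER_KEYS):
                findings.append(("dll-search-order-registry-change", e["ProcessGuid"], e["TargetObject"]))
    return findings


# Constructed sample telemetry; GUIDs, paths and hashes are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Users\alice\AppData\Local\Temp\vendor\updater.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\vendor\updater.exe"'},
    {"EventID": 7, "ProcessGuid": "{A1}", "Image": r"C:\Users\alice\AppData\Local\Temp\vendor\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\vendor\version.dll",
     "Hashes": "SHA256=" + "11" * 32, "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\ProgramData\cache\helper.dll,Start"},
    {"EventID": 7, "ProcessGuid": "{C3}", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Hashes": "SHA256=" + "22" * 32, "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "ProcessGuid": "{D4}", "Image": r"C:\Program Files\Vendor\setup.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\version.dll",
     "Hashes": "SHA256=" + "33" * 32, "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 13, "ProcessGuid": "{E5}", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for rule, guid, detail in hunt(SAMPLE_EVENTS):
        print(rule, guid, detail)
```

Run against the sample, the hunt raises four findings: the blocklisted hash and the user-writable version.dll for process {A1}, the rundll32.exe command line pointing into ProgramData for {B2}, and the SafeDllSearchMode change for {E5}; notepad.exe loading version.dll from System32 and the signed installer helper produce nothing, which is the false-positive behaviour the playbook asks for. In production the events would come from the ELK stack rather than an inline list, and the DLL name list and allowlist should be built from your own software inventory.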

By following this step-by-step guide and using appropriate hunting logic and detection rules, you can effectively emulate a threat hunt for DLL side-loading and improve your organization’s ability to detect and respond to this technique.

D3 Diagram:
