defense_evasion_dll_sideloading_via_copied_binary.yml
name: DLL Side-Loading via a copied binary
id: 80798e2c-6c37-472b-936c-1d2d6b95ff3c
version: 1.0.8
description: |
  Identifies when a binary is copied to a directory and shortly followed
  by the loading of an unsigned DLL from the same directory. Adversaries may
  opt for moving legitimate signed binaries to a random directory and use them
  to side-load a malicious library.
labels:
  tactic.id: TA0005
  tactic.name: Defense Evasion
  tactic.ref: https://attack.mitre.org/tactics/TA0005/
  technique.id: T1574
  technique.name: Hijack Execution Flow
  technique.ref: https://attack.mitre.org/techniques/T1574/
  subtechnique.id: T1574.002
  subtechnique.name: DLL Side-Loading
  subtechnique.ref: https://attack.mitre.org/techniques/T1574/002/
condition: >
  sequence
  maxspan 8m
    |create_file and
     ps.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and
     thread.callstack.symbols imatches ('*CopyFile*', '*MoveFile*') and
     (file.extension ~= '.exe' or file.is_exec)
    | by file.path
    |(load_dll) and
     dir(dll.path) ~= dir(ps.exe) and
     ps.signature.subject icontains 'Microsoft' and ps.signature.trusted and
     (dll.signature.exists = false or dll.signature.trusted = false)
    | by ps.exe
min-engine-version: 3.0.0
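To make the two-stage sequence above concrete, here is an added Python re-implementation of its matching logic (example code, not the rule or its engine's own code) run over constructed sample events; the event dictionaries, their field names, the paths and the timestamps are all assumptions made for the example.

```python
# Added example, not engine code: a small re-implementation of the rule's two-stage
# sequence (copy of an exe, then an untrusted DLL load) over constructed events.
from datetime import datetime, timedelta
import fnmatch, ntpath

SYSTEM_SIDS = {'S-1-5-18', 'S-1-5-19', 'S-1-5-20'}   # ps.sid exclusions from the rule
MAXSPAN = timedelta(minutes=8)                        # "maxspan 8m"

def is_copy_stage(ev):
    """Stage 1: an executable written via CopyFile*/MoveFile* by a non-system account."""
    if ev['type'] != 'create_file' or ev['ps_sid'] in SYSTEM_SIDS:
        return False
    via_copy = any(fnmatch.fnmatchcase(sym.lower(), pat) for sym in ev['callstack']
                   for pat in ('*copyfile*', '*movefile*'))   # imatches
    is_exe = ev['file_path'].lower().endswith('.exe') or ev.get('file_is_exec', False)
    return via_copy and is_exe

def is_sideload_stage(ev):
    """Stage 2: trusted Microsoft-signed process loads an unsigned/untrusted DLL from its own dir."""
    if ev['type'] != 'load_dll':
        return False
    same_dir = ntpath.dirname(ev['dll_path']).lower() == ntpath.dirname(ev['ps_exe']).lower()
    ps_sig, dll_sig = ev['ps_signature'], ev['dll_signature']
    return (same_dir and 'microsoft' in ps_sig['subject'].lower() and ps_sig['trusted']
            and not (dll_sig['exists'] and dll_sig['trusted']))

def match_sequence(events):
    """Join stage 1 (by file.path) to a later stage 2 (by ps.exe) within MAXSPAN."""
    pending, hits = {}, []          # pending: lower-cased copied path -> copy time
    for ev in sorted(events, key=lambda e: e['ts']):
        if is_copy_stage(ev):
            pending[ev['file_path'].lower()] = ev['ts']
        elif is_sideload_stage(ev):
            copied_at = pending.get(ev['ps_exe'].lower())
            if copied_at is not None and ev['ts'] - copied_at <= MAXSPAN:
                hits.append((ev['ps_exe'], ev['dll_path']))
    return hits

T0 = datetime(2024, 1, 1, 12, 0)
EXE, DLL = r'C:\Users\Public\stage\signed_tool.exe', r'C:\Users\Public\stage\helper.dll'
MS_SIG = {'subject': 'Microsoft Corporation', 'trusted': True}
SAMPLE_EVENTS = [  # constructed telemetry; only the second event completes the sequence
    {'type': 'create_file', 'ts': T0, 'ps_sid': 'S-1-5-21-1-2-3-1001', 'file_path': EXE,
     'callstack': ['kernel32.dll!CopyFileW', 'ntdll.dll!NtCreateFile'], 'file_is_exec': True},
    {'type': 'load_dll', 'ts': T0 + timedelta(minutes=3), 'ps_exe': EXE, 'dll_path': DLL,
     'ps_signature': MS_SIG, 'dll_signature': {'exists': False, 'trusted': False}},
    {'type': 'load_dll', 'ts': T0 + timedelta(minutes=4), 'ps_exe': EXE,   # trusted DLL: no hit
     'dll_path': r'C:\Users\Public\stage\vendor.dll', 'ps_signature': MS_SIG,
     'dll_signature': {'exists': True, 'trusted': True}},
]
```

Running `match_sequence(SAMPLE_EVENTS)` yields one hit pairing the copied executable with the untrusted DLL; moving the DLL load past the 8-minute window, or loading a trusted DLL, produces none.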