Nterl0k - T1574.002 Hijacks gone wild

detections/endpoint/windows_known_abused_dll_created_suspiciously.yml

@@ -0,0 +1,86 @@
+name: Windows Known Abused DLL Created Suspiciously
+id: ea91651a-772a-4b02-ac3d-985b364a5f07
+version: 1
+date: '2024-02-19'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic detects when DLLs with known abuse history are created in an unusual location. This activity may represent an attacker performing a DLL search order or sideload hijacking technique. These techniques are used to gain persistence as well as elevate privileges on the target system
+data_source:
+- Sysmon 1
+- Sysmon 11
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process!="unknown" Processes.process_name=* Processes.process_guid!=null by _time span=1h Processes.dest Processes.user Processes.process_guid Processes.process_name Processes.process Processes.parent_process Processes.parent_process_name
+| `drop_dm_object_name(Processes)` 
+| join max=0 process_guid dest
+    [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\users\\*","*\\Windows\Temp\\*","*\\programdata\\*") Filesystem.file_name="*.dll" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid 
+    | `drop_dm_object_name(Filesystem)`
+    | lookup hijacklibs library AS file_name OUTPUT islibrary, ttp, comment as desc
+    | lookup hijacklibs library AS file_name excludes as file_path OUTPUT islibrary as excluded
+    | search islibrary = TRUE AND excluded != TRUE
+    | stats latest(*) as * by dest process_guid ]
+| where isnotnull(file_name)
+| `security_content_ctime(firstTime)` 
+| `security_content_ctime(lastTime)`
+|  `windows_known_abused_dll_created_suspiciously_filter`'
+how_to_implement: The following analytic requires Sysmon operational logs to be imported, specially process and file creation logs for monitoring of commonly abused areas. Modify the sysmon macro as needed to match the sourcetype or add index.
+known_false_positives: DLLs being loaded by user mode programs for legitimate reasons.
+references:
+- https://attack.mitre.org/techniques/T1574/002/
+- https://hijacklibs.net/api/
+- https://wietze.github.io/blog/hijacking-dlls-in-windows
+- https://github.com/olafhartong/sysmon-modular/pull/195/files
+tags:
+  analytic_story:
+  - Windows Defense Evasion Tactics
+  - Living Off The Land
+  asset_type: Endpoint
+  confidence: 25
+  impact: 40
+  message: The file [$file_name$] was written to an unusual location by [$process_name$]
+  mitre_attack_id:
+  - T1574.001
+  - T1574.002
+  - T1574
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  - name: user
+    type: User
+    role:
+    - Victim
+  - name: process_name
+    type: Process
+    role:
+    - Attacker
+  - name: file_name
+    type: File
+    role:
+    - Attacker	
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - Processes.dest
+  - Processes.user
+  - Processes.process_guid
+  - Processes.process_name
+  - Processes.process
+  - Processes.parent_process
+  - Processes.parent_process_name
+  - Filesystem.dest
+  - Filesystem.file_create_time
+  - Filesystem.file_name
+  - Filesystem.file_path
+  - Filesystem.process_guid
+  risk_score: 10
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/hijacklibs/hijacklibs_sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog

detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml

@@ -0,0 +1,75 @@
+name: Windows Known Abused DLL Loaded Suspiciously
+id: dd6d1f16-adc0-4e87-9c34-06189516b803
+version: 1
+date: '2024-02-19'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic detects when DLLs with known abuse history are loaded from an unusual location. This activity may represent an attacker performing a DLL search order or sideload hijacking technique. These techniques are used to gain persistence as well as elevate privileges on the target system. ----- The following hunting analytic is an experimental query built against a accidental feature using the latest Sysmon TA 3.0 (https://splunkbase.splunk.com/app/5709/) which maps the module load (ImageLoaded) to process_name. This analytic will deprecate once this is fixed.
+data_source:
+- Sysmon 7
+search: 'process_name from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown NOT (Processes.process_path IN ("*\\Program Files*","*\\system32\\*", "*\\syswow64\\*","*\\winsxs\\*","*\\wbem\\*")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process_path
+| `drop_dm_object_name(Processes)` 
+| lookup hijacklibs library AS process_name OUTPUT islibrary comment as desc
+| lookup hijacklibs library AS process_name excludes as process_path OUTPUT islibrary as excluded
+| search islibrary = TRUE AND excluded != TRUE
+| stats sum(count) as count min(firstTime) as firstTime max(lastTime) as lastTime latest(*) as * by dest, process_name, process_path, parent_process_name
+| eval process = process_path, parent_process = parent_process_name
+| `security_content_ctime(firstTime)` 
+| `security_content_ctime(lastTime)`
+| `windows_known_abused_dll_loaded_suspiciously_filter`'
+how_to_implement: The following analytic requires Sysmon operational logs to be imported, with EID7 being mapped to the process_name field. Modify the sysmon macro as needed to match the sourcetype or add index. This analytic is specific to EID7 and the Endpoint Datamodel.
+known_false_positives: DLLs being loaded by user mode programs for legitimate reasons.
+references:
+- https://attack.mitre.org/techniques/T1574/002/
+- https://hijacklibs.net/api/
+- https://wietze.github.io/blog/hijacking-dlls-in-windows
+- https://github.com/olafhartong/sysmon-modular/pull/195/files
+tags:
+  analytic_story:
+  - Windows Defense Evasion Tactics
+  - Living Off The Land
+  asset_type: Endpoint
+  confidence: 25
+  impact: 40
+  message: The module [$process_name$] was loaded from an unusual location by [$parent_process_name$]
+  mitre_attack_id:
+  - T1574.001
+  - T1574.002
+  - T1574
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  - name: user
+    type: User
+    role:
+    - Victim
+  - name: process_name
+    type: Process
+    role:
+    - Attacker
+  - name: parent_process_name
+    type: Process
+    role:
+    - Attacker	
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - Processes.dest
+  - Processes.user
+  - Processes.parent_process_name
+  - Processes.process_name
+  - Processes.process_path
+  risk_score: 10
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/hijacklibs/hijacklibs_sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog