Module

Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned DLLs try to load into the LSA by setting the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe with AuditLevel = 8. ^{[3] [4]}

There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk. ^[5]

New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned SSP DLLs try to load into the LSA by setting the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe with AuditLevel = 8. ^{[3] [4]}

Also monitor DLL load operations in lsass.exe. ^[6]

Monitor DLLs that are loaded by spoolsv.exe for DLLs that are abnormal. New DLLs written to the System32 directory that do not correlate with known good software or patching may be suspicious.

Monitor for abnormal DLLs that are loaded by spoolsv.exe. Print processors that do not correlate with known good software or patching may be suspicious. New print processor DLLs are written to the print processor directory.

Monitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).^[7][8]

Analytic 1 - Processes loading PowerShell assemblies

source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="7" | where ModulePath LIKE "%system.management.automation%" OR FileDescription LIKE "%system.management.automation%"

Monitor for the loading of modules associated with VB languages (ex: vbscript.dll).

Note: For Windows, Sysmon Event ID 7 (Image loaded) can be used to alert on the loading of DLL modules (e.g., vbscript.dll) associated with Visual Basic into processes. Due to the high frequency of image load operations, Event ID 7 can generate a large volume of events. Therefore, we recommend tuning the Sysmon configuration file to exclude common, benign image loads that may result in false positives.

Monitor for the loading of modules associated with scripting languages (ex: JScript.dll).

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Tools such as Sysinternals Autoruns may overlook AppCert DLLs as an auto-starting location. ^{[9] [10]}

Monitor DLL loads by processes that load user32.dll and look for DLLs that are not recognized or not normally loaded into a process.

Monitor DLL loads by processes that load user32.dll and look for DLLs that are not recognized or not normally loaded into a process.

Likewise, if software DLL loads are collected and analyzed, any unusual DLL load that can be correlated with a COM object Registry modification may indicate COM hijacking has been performed.

Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths.

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

Monitor for dynamic libraries being loaded. Run path dependent libraries can include LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, and LC_RPATH. Other special keywords are recognized by the macOS loader are @rpath, @loader_path, and @executable_path.^[11] These loader instructions can be examined for individual binaries or frameworks using the otool -l command. Objective-See's Dylib Hijacking Scanner can be used to identify applications vulnerable to dylib hijacking

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

Monitor library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.

Monitor DLL files that are associated with COR_PROFILER environment variables.

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of .NET assemblies into processes. Look for image loads that are not recognized or not normally loaded into a process.^[12][13]

Monitor for COM objects loading DLLs and other modules not typically associated with the application.^[14]

Monitor processes for abnormal behavior indicative of DDE abuse, such as Microsoft Office applications loading DLLs and other modules not typically associated with the application or these applications spawning unusual processes (such as cmd.exe).

Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Password filters will also show up as an autorun and loaded DLL in lsass.exe.^[15]

Monitor the hybrid identity solution in use for the loading of unauthorized DLLs. For example, monitor all PTA agent servers for the creation of DLLs as well as the loading of DLLs into the AzureADConnectAuthenticationAgentService process.^[17] If AD FS is in use, monitor the AD FS server for the creation of DLLs as well as the loading of unrecognized or unsigned DLLs into the Microsoft.IdentityServer.Servicehost application.^[16]

Monitoring module loads, especially those not explicitly included in import tables, may highlight obfuscated API function calls. Dynamic malware analysis may also expose signs of function obfuscation, such as memory reads that correspond to addresses of API function code within modules.^[18]

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. Sysmon Event ID 7 (Image loaded) can be used to monitor the loading of DLLs into processes. This is a particularly noisy event and can generate a large volume of data, so we recommend baselining and filtering out any known benign processes and module loads to help reduce the number of events that are produced.

Monitor library load events, especially unusual creation of these binary files followed by loading into processes. Look for libraries that are not recognized or not normally loaded into a process.

Monitor for COM objects loading DLLs and other modules not typically associated with the application.^[19]

Note: Sysmon Event ID 7 (Image loaded) can be used to monitor for suspicious DLLs loaded by the DCOM Server Process Launcher which runs inside of svchost.exe. This is a particularly noisy event and can generate a large volume of data, so we recommend baselining and filtering out any known benign svchost.exe module loads that occur as part of its typical operation.

Enable CryptoAPI v2 (CAPI) event logging ^[20] to monitor and analyze error events related to failed trust validation (Event ID 81, though this event can be subverted by hijacked trust provider components) as well as any other provided information events (ex: successful validations). Code Integrity event logging may also provide valuable indicators of malicious SIP or trust provider loads, since protected processes that attempt to load a maliciously-crafted trust validation component will likely fail (Event ID 3033). ^[21]

Monitor for DLL/PE file events, such as the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll.

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

Note: This looks for unsigned images that may be loaded by regsvr32, while attempting to eliminate false positives stemming from Windows/Program Files binaries.

Analytic 5 - Loading Unsigned Images

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="7") (Image="C:\Windows\System32\regsvr32.exe" OR Image="C:\Windows\SysWOW64\regsvr32.exe") Signed=false ImageLoaded!="C:\Program Files" ImageLoaded!="C:\Windows\*"|stats values(ComputerName) as "Computer Name" count(ImageLoaded) as ImageLoadedCount by ImageLoaded

Analyzing DLL exports and comparing to runtime arguments may be useful in uncovering obfuscated function calls. Static Portable Executable (PE) analysis tools can be used to examine and dump the exports of a particular DLL.