This micro emulation plan targets malicious activity associated with T1574.002 Hijack Execution Flow: DLL Side-Loading. DLL side-loading involves adversaries executing an otherwise legitimate/benign application in order to hijack the modules/libraries it loads to instead execute their malicious payload. This behavior is very often abused to execute malware within trusted, potentially privileged (i.e. TA0004 Privilege Escalation) applications.
You can access the binary for this micro plan as part of the latest release.
What are we doing? This plan provides an easy-to-execute tool that invokes a vulnerable executable in order to side-load a payload. The payload then executes a series of typical Discovery commands (`dir`, `net share`, `whoami`).
The plan supports user (non-privileged) and administrator-level side-loading.
Why should you care? DLL side-loading is part of a broader set of DLL hijacking behaviors often abused to execute malware within trusted, potentially privileged (i.e. TA0004 Privilege Escalation) applications. A growing pattern of DLL side-loading abuse involves delivering both a malicious DLL and a vulnerable application together as TA0001 Initial Access phishing payloads.
This type of infection chain concludes with invoking the vulnerable application (`calc.exe` in the example below) in order to load and execute the malicious payload (`WindowsCodecs.dll` in the example below) in memory.
Image from Qakbot Resurfaces with new Playbook - Threat Actors Leveraging DLL-SideLoading to Deliver Malware.
Side-loading is abused by a wide range of threat actors and malware, and is an increasingly relevant threat given the prevalence of vulnerable executables.
This plan has been compiled into an easy-to-execute tool. The source code for this plan (as well as the DLL payload) is also provided if you wish to customize and rebuild.
The `dll_sideloading.exe` tool executes the complete emulation functionality. It accepts a single argument that selects the execution variant:
- `-u` user-level side-loading using `charmap.exe`
- `-a` admin-level side-loading using `Netplwiz.exe` [default if no argument is provided]
`dll_sideloading.exe -h` will display a help menu. Execution of the plan will also create a `sideloaded.txt` file that confirms successful operation.
Note: These techniques were developed and tested using W10 Enterprise 21H2 (Ver: 19044.2364).
DLL side-loading activity can potentially be identified by analyzing module load events (e.g., Sysmon EID 7). Side-loading patterns can be detected by comparing characteristics of the loaded DLLs (hash, location, etc.) to known/expected values. This can be done by:
- Baselining the DLLs loaded by specific processes to monitor for anomalies such as module loads from non-default directories
- Baselining the common locations of specific DLLs to monitor for module load events originating from unexpected locations
- Baselining DLLs present on a system by default to monitor for unexpected module loads, especially those known to be commonly abused for malicious side-loading
- Broadly monitoring loads of known DLLs (such as those that normally reside in the \System32 folder) from non-standard locations, as well as modules being loaded from commonly abused folders
```xml
<ImageLoad onmatch="include">
<ImageLoaded name="technique_id=T1574.002,technique_name=DLL Side-Loading" condition="contains any">admin$;c$;\\;\appdata\;\temp\</ImageLoaded> <!-- loaded from network file share -->
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">c:\programdata\</ImageLoaded>
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\Windows\Media\</ImageLoaded>
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\Windows\addins\</ImageLoaded>
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\Windows\system32\config\systemprofile\</ImageLoaded>
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\Windows\Debug\</ImageLoaded>
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\Windows\Temp</ImageLoaded>
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\PerfLogs\</ImageLoaded>
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\Windows\Help\</ImageLoaded>
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\Intel\Logs\</ImageLoaded>
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\Temp</ImageLoaded>
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\Windows\repair\</ImageLoaded>
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\Windows\security\</ImageLoaded>
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">C:\Windows\Fonts\</ImageLoaded>
<ImageLoaded condition="contains" name="technique_id=T1574.002,technique_name=DLL Side-Loading">Downloads</ImageLoaded>
<ImageLoaded condition="contains" name="technique_id=T1574.002,technique_name=DLL Side-Loading">Public</ImageLoaded>
<ImageLoaded condition="contains" name="technique_id=T1574.002,technique_name=DLL Side-Loading">Documents</ImageLoaded>
<ImageLoaded condition="contains" name="technique_id=T1574.002,technique_name=DLL Side-Loading">Music</ImageLoaded>
<ImageLoaded condition="contains" name="technique_id=T1574.002,technique_name=DLL Side-Loading">Video</ImageLoaded>
<ImageLoaded condition="begin with" name="technique_id=T1574.002,technique_name=DLL Side-Loading">file:</ImageLoaded>
<ImageLoaded name="technique_id=T1574.002,technique_name=DLL Side-Loading" condition="contains">$Recycle.bin\</ImageLoaded>
<ImageLoaded name="technique_id=T1574.002,technique_name=DLL Side-Loading" condition="contains">\Windows\IME\</ImageLoaded>
</ImageLoad>
```
Excerpted from github.com/olafhartong/sysmon-modular.
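The baselining approaches listed above, worked through as an added example (not code from this plan or from sysmon-modular): it builds a per-process and per-DLL directory baseline from constructed benign Sysmon EID 7 records, then flags an ImageLoad event that deviates from the baseline or lands in one of the commonly abused folders from the excerpt. The DLL name `example_helper.dll`, the user name and the paths are constructed placeholders.

```python
import ntpath
from collections import defaultdict

# Constructed benign Sysmon EID 7 (ImageLoad) records used as the baseline:
# (Image, ImageLoaded). DLL and path values are placeholders, not real telemetry.
BASELINE_EVENTS = [
    (r"C:\Windows\System32\charmap.exe", r"C:\Windows\System32\kernel32.dll"),
    (r"C:\Windows\System32\charmap.exe", r"C:\Windows\System32\example_helper.dll"),
    (r"C:\Windows\System32\Netplwiz.exe", r"C:\Windows\System32\kernel32.dll"),
]

# A subset of the folder patterns from the sysmon-modular excerpt, lower-cased for matching.
ABUSED_PREFIXES = ("c:\\programdata\\", "c:\\windows\\temp", "c:\\temp", "c:\\perflogs\\")
ABUSED_SUBSTRINGS = ("\\appdata\\", "\\temp\\", "\\\\", "downloads", "public", "documents")


def split_path(path):
    """Return (directory, file name), both lower-cased, from a Windows path."""
    return ntpath.split(path.lower())


def build_baseline(events):
    """Map process file name -> directories it loads from, and DLL name -> its usual directories."""
    proc_dirs, dll_dirs = defaultdict(set), defaultdict(set)
    for image, loaded in events:
        _, proc = split_path(image)
        directory, dll = split_path(loaded)
        proc_dirs[proc].add(directory)
        dll_dirs[dll].add(directory)
    return proc_dirs, dll_dirs


def classify(event, proc_dirs, dll_dirs):
    """Return the list of deviations for one ImageLoad event (empty when the load is expected)."""
    image, loaded = event
    _, proc = split_path(image)
    directory, dll = split_path(loaded)
    low = loaded.lower()
    reasons = []
    if proc in proc_dirs and directory not in proc_dirs[proc]:
        reasons.append(f"{proc} loaded a module from non-baselined directory {directory}")
    if dll in dll_dirs and directory not in dll_dirs[dll]:
        reasons.append(f"known DLL {dll} loaded from unexpected location {directory}")
    if low.startswith(ABUSED_PREFIXES) or any(s in low for s in ABUSED_SUBSTRINGS):
        reasons.append("module loaded from a commonly abused folder")
    return reasons


if __name__ == "__main__":
    proc_dirs, dll_dirs = build_baseline(BASELINE_EVENTS)
    # Constructed event: a relocated copy of charmap.exe loading a same-named DLL beside it.
    suspicious = (r"C:\Users\alice\Downloads\charmap.exe", r"C:\Users\alice\Downloads\example_helper.dll")
    print("\n".join(classify(suspicious, proc_dirs, dll_dirs)) or "no deviation")
```

Keying the baseline on the process file name rather than its full path is deliberate: a vulnerable executable copied next to its payload still compares against what the genuine copy normally loads.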
Also consider analyzing other related events, such as the creation of DLL files in unexpected locations as well as the execution of abnormal applications (potentially being used to load malicious payloads).
DLL side-loading may be challenging to prevent as it abuses legitimate system features, but consider keeping software up-to-date as a means to minimize the presence of side-loading vulnerabilities. System antivirus may also remediate malicious payloads before they are loaded.