Query Details

Detect Potential DLL Hijacking Cases

Query

**Detect Potential DLL Hijacking cases**

Hijacklibs.net is a project that provides a curated list of DLL Hijacking candidates. As mentioned on their website: "DLL Hijacking is, in the broadest sense, tricking a legitimate/trusted application into loading an arbitrary DLL. Defensive measures such as AV and EDR solutions may not pick up on this activity out of the box, and allow-list applications such as AppLocker may not block the execution of the untrusted code. There are numerous examples of threat actors that have been observed to leverage DLL Hijacking to achieve their objectives."
Based on that list, I decided to look for the cases where the SHA256 of the DLLs present in DeviceImageLoadEvents (the table that contains information about DLL loading events) is listed as a candidate on the mentioned site; the KQL query then shows the URLs with the corresponding research, to help understand the threat.
```
// Pull the hijacklibs.net candidate list (CSV) directly into the query.
let dll_hijacking_source = externaldata
(Name:string,Author:string,Created:string,Vendor:string,CVE:string,ExpectedLocations:string,VulnerableExecutablePath:string,VulnerableExecutableType:string,VulnerableExecutableAutoElevated:string,VulnerableExecutablePrivilegeEscalation:string,VulnerableExecutableCondition:string,VulnerableExecutableSHA256:string,VulnerableExecutableEnvironmentVariable:string,Resources:string,Acknowledgements:string,URL:string)
[@"https://hijacklibs.net/api/hijacklibs.csv"] with (format="csv", ignoreFirstRecord=true);
DeviceImageLoadEvents
// Keep only image loads whose SHA256 appears in the candidate list.
| join kind=inner (dll_hijacking_source) on $left.SHA256 == $right.VulnerableExecutableSHA256
// Drop matches on an empty hash: list entries without a hash would otherwise join to events without one.
| where isnotempty(VulnerableExecutableSHA256)
| summarize by DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA256, VulnerableExecutableSHA256, Resources, Acknowledgements, URL, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountUpn, InitiatingProcessIntegrityLevel, InitiatingProcessFileName, InitiatingProcessVersionInfoCompanyName, Name, Author, VulnerableExecutableType, VulnerableExecutableEnvironmentVariable
```

Explanation

This KQL query is designed to detect potential DLL Hijacking cases by comparing DLL loading events on devices with a curated list of known DLL Hijacking candidates from Hijacklibs.net. Here's a simplified summary of what the query does:

  1. Load External Data: It imports a list of known DLL Hijacking candidates from a CSV file hosted on Hijacklibs.net. This list includes various details about each candidate, such as the name, author, expected locations, SHA256 hash, and a URL for more information.

  2. Join Data: It then joins this list with the DeviceImageLoadEvents table, which contains information about DLL loading events on devices. The join is performed based on the SHA256 hash of the DLLs.

  3. Filter and Summarize: The query filters out any entries where the candidate's SHA256 hash (VulnerableExecutableSHA256) is empty, so that events without a hash do not match list entries that also lack one, and summarizes the results. The summary includes details such as the device ID, device name, action type, file name, folder path, SHA256 hash, and additional information from the external data source like the URL for further research.

In essence, this query helps identify instances where potentially malicious DLLs (as identified by their SHA256 hash) have been loaded on devices, providing a way to investigate and understand potential DLL Hijacking threats.
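To reproduce the same SHA256 join offline, for example against an exported DeviceImageLoadEvents extract while tuning the query, here is an added Python example that is not part of the original query or of Hijacklibs; the CSV excerpt, hashes, host names and paths are constructed placeholders, and lower-casing the hashes is a precaution, not something the KQL query does.

```python
import csv
import io

# Constructed excerpt of the hijacklibs CSV using the column schema from the
# query above. Names, paths, URLs and the hash are placeholders, not real entries.
EXAMPLE_SHA256 = "ab" * 32
HIJACKLIBS_CSV = """Name,Author,Created,Vendor,CVE,ExpectedLocations,VulnerableExecutablePath,VulnerableExecutableType,VulnerableExecutableAutoElevated,VulnerableExecutablePrivilegeEscalation,VulnerableExecutableCondition,VulnerableExecutableSHA256,VulnerableExecutableEnvironmentVariable,Resources,Acknowledgements,URL
example.dll,researcher,2024-01-01,ExampleVendor,,%SYSTEM32%,%PROGRAMFILES%\\Example\\example.exe,Sideloading,false,false,,EXAMPLE_HASH,,https://research.invalid/example,,https://hijacklibs.net/entries/placeholder/example/
nohash.dll,researcher,2024-01-01,ExampleVendor,,%SYSTEM32%,%PROGRAMFILES%\\Example\\other.exe,Sideloading,false,false,,,,,,https://hijacklibs.net/entries/placeholder/nohash/
""".replace("EXAMPLE_HASH", EXAMPLE_SHA256)

# Constructed DeviceImageLoadEvents rows (subset of columns). The third event has
# no hash, which is exactly the case the query's isnotempty() filter excludes.
IMAGE_LOAD_EVENTS = [
    {"DeviceName": "host-01", "FileName": "example.dll",
     "FolderPath": r"C:\Users\alice\AppData\Local\Temp\example.dll",
     "SHA256": EXAMPLE_SHA256, "InitiatingProcessFileName": "example.exe"},
    {"DeviceName": "host-02", "FileName": "clean.dll",
     "FolderPath": r"C:\Windows\System32\clean.dll",
     "SHA256": "cd" * 32, "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "host-03", "FileName": "unknown.dll",
     "FolderPath": r"C:\Temp\unknown.dll",
     "SHA256": "", "InitiatingProcessFileName": "unknown.exe"},
]


def load_candidates(csv_text):
    """Index hijacklibs rows by lower-cased SHA256; rows with no hash are skipped,
    which is what the query's isnotempty(VulnerableExecutableSHA256) filter does."""
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        digest = row["VulnerableExecutableSHA256"].strip().lower()
        if digest:
            index.setdefault(digest, []).append(row)
    return index


def match_image_loads(events, candidates):
    """Inner join of image-load events with candidates on SHA256 (lower-cased as a
    precaution: KQL's == is case-sensitive), keeping a subset of the query's columns."""
    hits = []
    for ev in events:
        for cand in candidates.get(ev["SHA256"].strip().lower(), []):
            hits.append({"DeviceName": ev["DeviceName"], "FileName": ev["FileName"],
                         "FolderPath": ev["FolderPath"], "SHA256": ev["SHA256"],
                         "InitiatingProcessFileName": ev["InitiatingProcessFileName"],
                         "Name": cand["Name"], "URL": cand["URL"], "Resources": cand["Resources"]})
    return hits


if __name__ == "__main__":
    for hit in match_image_loads(IMAGE_LOAD_EVENTS, load_candidates(HIJACKLIBS_CSV)):
        print(hit["DeviceName"], hit["FileName"], hit["FolderPath"], hit["URL"])
```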

Details

Sergio Albea

Released: August 20, 2024

Tables

DeviceImageLoadEvents

Keywords

Devices

Operators

let, externaldata, join, on, where, isnotempty, summarize