Query Details

Detecting BYOVDLL Abuse

Query

// Detecting BYOVDLL Abuse
// https://blog.scrt.ch/2024/08/09/ghost-in-the-ppl-part-1-byovdll/
// Today, I discovered an intriguing blog post from Orange CyberDefense titled “Ghost in the PPL Part 1: BYOVDLL.” The article presents a proof-of-concept and explores innovative techniques for loading arbitrary DLLs into LSASS and even dumping its memory. Previously, I developed several KQL queries to detect BYOVD abuse. By incorporating similar behavioral detection methods and tweaking digital signatures detection, the following KQL query could potentially detect BYOVDLL abuse if the attack methods align with those described in the proof-of-concept.

// Stage 1: newly created DLLs that FileProfile reports as unsigned and rare.
// GlobalPrevalence and SignatureState are both populated by the FileProfile enrichment.
let NewLPUnsignedDLL =
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".dll"
| invoke FileProfile(SHA1, 10000)
| where GlobalPrevalence <= 150
| join kind=leftouter DeviceFileCertificateInfo on SHA1
| where SignatureState == "Unsigned"
| distinct FileName;
// Stage 2: driver-load events for a signed DLL whose file name matches one of the
// unsigned, low-prevalence DLLs from stage 1. The join is leftouter, so rows with no
// DeviceFileCertificateInfo record are dropped by the IsSigned filter.
DeviceEvents
| where ActionType == @"DriverLoad"
| where FileName endswith ".dll"
| join kind=leftouter DeviceFileCertificateInfo on SHA1
| where IsSigned == true   // IsSigned is a bool column; compare against true, not the string "1"
| where FileName has_any (NewLPUnsignedDLL)

// MITRE ATT&CK Mapping
// T1036.005 - Masquerading: Match Legitimate Name or Location:
// The query looks for DLL files that are unsigned and have low global prevalence, which could indicate masquerading as legitimate files.
// T1070.004 - Indicator Removal on Host: File Deletion:
// The detection of newly created DLL files and their profiling can help identify attempts to remove or replace legitimate files with malicious ones.
// T1218.011 - Signed Binary Proxy Execution: Rundll32:
// The query checks for driver load events involving DLLs, which could be used in proxy execution techniques.
// T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder:
// Unsigned DLLs being loaded as drivers could indicate persistence mechanisms via autostart execution.
// T1027 - Obfuscated Files or Information:
// The use of unsigned DLLs with low prevalence might indicate attempts to obfuscate malicious activity.

Explanation

This KQL query is designed to detect potential abuse of the BYOVDLL (Bring Your Own Vulnerable DLL) technique, which involves loading arbitrary DLLs into the LSASS process and possibly dumping its memory. Here's a simplified breakdown of what the query does:

  1. Identify New Unsigned DLLs:

    • It looks for newly created DLL files.
    • These DLLs are profiled to check their global prevalence.
    • It keeps only DLLs that are unsigned and have low global prevalence, suggesting they might be suspicious.
  2. Monitor Driver Load Events:

    • It then checks for events where DLLs are loaded as drivers.
    • It ensures these DLLs are signed.
    • It cross-references these DLLs with the previously identified suspicious unsigned DLLs.
  3. MITRE ATT&CK Techniques:

    • Masquerading (T1036.005): Detects DLLs that might be pretending to be legitimate by having low prevalence and being unsigned.
    • Indicator Removal on Host (T1070.004): Identifies attempts to replace or delete legitimate files with malicious ones.
    • Signed Binary Proxy Execution (T1218.011): Monitors for DLLs used in proxy execution techniques.
    • Boot or Logon Autostart Execution (T1547.001): Detects unsigned DLLs loaded as drivers, which could indicate persistence mechanisms.
    • Obfuscated Files or Information (T1027): Highlights the use of unsigned, low-prevalence DLLs as a potential sign of obfuscation.

In summary, the query aims to detect suspicious DLL activities that could indicate BYOVDLL abuse by focusing on unsigned, low-prevalence DLLs and monitoring their use in driver load events.
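The two stages of the query above, re-implemented in Python over a handful of constructed event rows. This is an added example, not Steven Lim's query and not Microsoft's FileProfile implementation: the table rows, hashes (placeholders) and file names are constructed, and KQL `has_any` is approximated by case-insensitive substring matching. Running it makes two filter-and-join behaviours visible that the summary does not spell out: a file that FileProfile cannot profile fails the prevalence comparison in stage 1, and a DriverLoad row with no DeviceFileCertificateInfo record is dropped by the IsSigned filter in stage 2.

```python
"""Added Python model of the two-stage BYOVDLL query (not the page's own code).

Re-implements the KQL logic over constructed records so the filter and join
semantics can be checked offline. Field names mirror the MDE advanced hunting
columns the query uses; all SHA1 values and file names below are placeholders.
"""
from typing import Dict, List, Optional, Set

# Constructed DeviceFileEvents rows (placeholder hashes, not real IoCs).
DEVICE_FILE_EVENTS: List[Dict[str, str]] = [
    {"ActionType": "FileCreated", "FileName": "keyiso.dll", "SHA1": "sha1-placeholder-a"},
    {"ActionType": "FileCreated", "FileName": "evil.dll", "SHA1": "sha1-placeholder-b"},
    {"ActionType": "FileCreated", "FileName": "common.dll", "SHA1": "sha1-placeholder-c"},
    {"ActionType": "FileCreated", "FileName": "notes.txt", "SHA1": "sha1-placeholder-d"},
    {"ActionType": "FileModified", "FileName": "old.dll", "SHA1": "sha1-placeholder-e"},
]

# Stand-in for `invoke FileProfile(SHA1, ...)`: the enrichment supplies both
# GlobalPrevalence and SignatureState. None models a hash the cloud cannot
# profile, which yields nulls in KQL and therefore fails every comparison.
FILE_PROFILE: Dict[str, Optional[Dict[str, object]]] = {
    "sha1-placeholder-a": {"GlobalPrevalence": 3, "SignatureState": "Unsigned"},
    "sha1-placeholder-b": None,
    "sha1-placeholder-c": {"GlobalPrevalence": 500000, "SignatureState": "SignedValid"},
    "sha1-placeholder-d": {"GlobalPrevalence": 2, "SignatureState": "Unsigned"},
    "sha1-placeholder-e": {"GlobalPrevalence": 1, "SignatureState": "Unsigned"},
}

# Constructed DeviceFileCertificateInfo rows keyed by SHA1 (IsSigned is bool).
DEVICE_FILE_CERTIFICATE_INFO: Dict[str, Dict[str, bool]] = {
    "sha1-placeholder-c": {"IsSigned": True},
    "sha1-placeholder-f": {"IsSigned": True},
}

# Constructed DeviceEvents rows. Hash "h" has no certificate row on purpose.
DEVICE_EVENTS: List[Dict[str, str]] = [
    {"ActionType": "DriverLoad", "FileName": "keyiso.dll", "SHA1": "sha1-placeholder-f"},
    {"ActionType": "DriverLoad", "FileName": "keyiso.dll", "SHA1": "sha1-placeholder-h"},
    {"ActionType": "DriverLoad", "FileName": "evil.dll", "SHA1": "sha1-placeholder-g"},
    {"ActionType": "DriverLoad", "FileName": "common.dll", "SHA1": "sha1-placeholder-c"},
    {"ActionType": "ProcessCreated", "FileName": "keyiso.dll", "SHA1": "sha1-placeholder-f"},
]


def stage1_new_unsigned_low_prevalence_dlls(file_events, profiles, max_prevalence=150) -> Set[str]:
    """Mirrors the NewLPUnsignedDLL let-statement: distinct names of newly
    created .dll files whose profile says unsigned and rare."""
    names: Set[str] = set()
    for ev in file_events:
        if ev["ActionType"] != "FileCreated":
            continue
        if not ev["FileName"].lower().endswith(".dll"):  # KQL endswith is case-insensitive
            continue
        profile = profiles.get(ev["SHA1"])
        if profile is None:
            continue  # null GlobalPrevalence: `<= 150` is not true, row dropped
        if profile["GlobalPrevalence"] > max_prevalence:
            continue
        if profile["SignatureState"] != "Unsigned":
            continue
        names.add(ev["FileName"])
    return names


def has_any(value: str, terms) -> bool:
    """Approximates KQL `has_any`: case-insensitive match of any term."""
    v = value.lower()
    return any(t.lower() in v for t in terms)


def stage2_signed_driver_loads(device_events, cert_info, suspicious_names) -> List[Dict[str, str]]:
    """Mirrors the second statement: DriverLoad of a signed .dll whose name
    matches a stage-1 result. The leftouter join followed by
    `where IsSigned == true` drops rows with no certificate record."""
    hits: List[Dict[str, str]] = []
    for ev in device_events:
        if ev["ActionType"] != "DriverLoad":
            continue
        if not ev["FileName"].lower().endswith(".dll"):
            continue
        cert = cert_info.get(ev["SHA1"])  # leftouter: missing row -> null columns
        if cert is None or cert["IsSigned"] is not True:
            continue
        if has_any(ev["FileName"], suspicious_names):
            hits.append(ev)
    return hits


def run_detection():
    """Runs both stages over the constructed tables and returns (names, hits)."""
    names = stage1_new_unsigned_low_prevalence_dlls(DEVICE_FILE_EVENTS, FILE_PROFILE)
    hits = stage2_signed_driver_loads(DEVICE_EVENTS, DEVICE_FILE_CERTIFICATE_INFO, names)
    return names, hits


if __name__ == "__main__":
    suspicious, alerts = run_detection()
    print("stage 1 names:", sorted(suspicious))
    for hit in alerts:
        print("alert:", hit["FileName"], hit["SHA1"])
```

With these rows, stage 1 returns only keyiso.dll (evil.dll has no profile and is silently dropped), and stage 2 raises a single alert for the signed keyiso.dll load; the second keyiso.dll DriverLoad, which lacks a certificate record, never reaches the name match. When tuning the real query, that is the place to decide whether an absent certificate record should be treated as "unsigned" rather than discarded.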

Details

Steven Lim

Released: September 6, 2024

Tables

DeviceFileEvents, DeviceFileCertificateInfo, DeviceEvents

Keywords

Devices

Operators

let, |, where, ==, endswith, invoke, <=, join, kind=leftouter, on, distinct, has_any