Query Details

Detecting Windows Side Loading DLL Attacks

Query

// Detecting Windows Side-Loading DLL attacks
// https://x.com/0gtweet/status/1827991604918890968
// Grzegorz Tworek recently highlighted on X that the Windows command line tool licensingdiag.exe poses a potential security risk. This tool, categorized as a “living off the land” utility, can be exploited for side-loading DLL attacks. If a threat actor gains local administrative rights, they can modify the registry under HKLM to side-load DLLs using licensingdiag.exe. To address this, I have developed a KQL detection rule to identify such side-loading DLL attacks. You can find this rule in my GitHub repository.

let DLLLoaded =
DeviceEvents
| where Timestamp > ago(1h)
| where ActionType == @"DriverLoad"
| where FileName endswith ".dll"
| distinct FileName;
DeviceRegistryEvents
| where ActionType == @"RegistryKeyCreated" or ActionType == @"RegistryValueSet"
| where RegistryKey has_any(DLLLoaded)

// MITRE ATT&CK MAPPING
// Technique: T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions
// Technique: T1112 - Modify Registry
// Technique: T1055.001 - Process Injection: Dynamic-link Library Injection

Explanation

This KQL query is designed to detect potential Windows side-loading DLL attacks, specifically focusing on the misuse of the licensingdiag.exe tool. Here's a simplified breakdown of what the query does:

  1. Identify Loaded DLLs:

    • The query first looks at device events from the past hour to find instances where a DLL (Dynamic Link Library) file was loaded. It filters these events to only include those with the action type "DriverLoad" and where the file name ends with ".dll". It then creates a distinct list of these DLL file names.

  2. Check Registry Modifications:

    • The query then examines device registry events to find cases where registry keys were created or values were set. It specifically looks for registry keys that match any of the DLLs identified in the first step.

  3. Purpose:

    • The goal is to detect if any DLLs have been side-loaded by checking if they are referenced in recent registry modifications. This is a common technique used by attackers to persist malicious code on a system.

  4. MITRE ATT&CK Mapping:

    • The query is mapped to specific MITRE ATT&CK techniques, indicating that it is designed to detect behaviors associated with:
      • Boot or Logon Autostart Execution via Kernel Modules and Extensions (T1547.006)
      • Registry modifications (T1112)
      • Process Injection via DLL Injection (T1055.001)

In summary, this query helps identify suspicious DLL side-loading activities by correlating DLL loads with recent registry changes, which could indicate an attempt to exploit the licensingdiag.exe tool for malicious purposes.
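A tighter variant of the rule, added here as an example and not part of the author's query: it applies the same one-hour window to both tables, joins on DeviceId so a DLL load is only paired with a registry change on the same host, restricts to HKEY_LOCAL_MACHINE to reflect the HKLM requirement in the comment above, and also matches RegistryValueData, on the assumption that the DLL path may be written as value data rather than as part of the key name.

```kql
// Added example, not the original rule. Assumes the MDE/Defender XDR schema
// column names used below (DeviceId, RegistryValueData, InitiatingProcess*).
let lookback = 1h;
let DLLLoaded =
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == @"DriverLoad"
    | where FileName endswith ".dll"
    | project DeviceId, DllName = FileName, LoadTime = Timestamp;
DeviceRegistryEvents
| where Timestamp > ago(lookback)
| where ActionType in (@"RegistryKeyCreated", @"RegistryValueSet")
// licensingdiag.exe abuse requires writing under HKLM (see the comment above)
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE"
// Assumption: the DLL may be referenced in the value data, not only the key name
| extend RegistryText = strcat(RegistryKey, " ", RegistryValueData)
// Only pair a load and a registry write that occurred on the same device
| join kind=inner DLLLoaded on DeviceId
| where RegistryText has DllName
| project Timestamp, DeviceId, DeviceName, DllName, LoadTime, ActionType,
          RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

Expect fewer hits than the original because of the per-device join; tune the lookback if loads and registry writes are far apart in your environment.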

Details

Steven Lim

Released: October 3, 2024

Tables

DeviceEvents, DeviceRegistryEvents

Keywords

DeviceEvents, Registry, FileName, Timestamp, ActionType, RegistryKey

Operators

let, |, where, >, ago(), ==, endswith, distinct, or, has_any