| 1 | +name: DLL loaded via LdrpKernel32 overwrite |
| 2 | +id: 56739eda-210f-4a30-a114-d55ca60976df |
| 3 | +version: 1.0.0 |
| 4 | +description: | |
| 5 | + Detects attempts to bypass the standard NTDLL bootstrap process by loading a malicious DLL early through hijacking. |
| 6 | + The malicious DLL, containing attacker-controlled code, is loaded in place of the legitimate kernel32 DLL. |
| 7 | +labels: |
| 8 | + tactic.id: TA0005 |
| 9 | + tactic.name: Defense Evasion |
| 10 | + tactic.ref: https://attack.mitre.org/tactics/TA0005/ |
| 11 | + technique.name: Hijack Execution Flow |
| 12 | + technique.ref: https://attack.mitre.org/techniques/T1574/ |
| 13 | + subtechnique.id: T1574.001 |
| 14 | + subtechnique.name: DLL Search Order Hijacking |
| 15 | + subtechnique.ref: https://attack.mitre.org/techniques/T1574/001/ |
| 16 | +references: |
| 17 | + - https://github.com/rbmm/LdrpKernel32DllName |
| 18 | + - https://www.elastic.co/security-labs/peeling-back-the-curtain-with-call-stacks |
| 19 | + |
| 20 | +condition: > |
| 21 | + (load_unsigned_or_untrusted_dll) and thread.callstack.symbols imatches ('*!BaseThreadInitThunk*') |
| 22 | + and |
| 23 | + not |
| 24 | + foreach(thread._callstack, $frame, |
| 25 | + $frame.symbol imatches ('?:\\Windows\\System32\\kernel32.dll!BaseThreadInitThunk*', |
| 26 | + '?:\\Windows\\SysWOW64\\kernel32.dll!BaseThreadInitThunk*', |
| 27 | + '?:\\Windows\\WinSxS\\*\\kernel32.dll!BaseThreadInitThunk*', |
| 28 | + '?:\\Windows\\WinSxS\\Temp\\PendingDeletes\\*!BaseThreadInitThunk*', |
| 29 | + '\\Device\\*\\Windows\\*\\kernel32.dll!BaseThreadInitThunk*')) and |
| 30 | + not image.path imatches '?:\\Windows\\assembly\\NativeImages_*\\System.Numerics.ni.dll' |
| 31 | +action: |
| 32 | + - name: kill |
| 33 | + |
| 34 | +output: > |
| 35 | + DLL %image.path loaded via LdrpKernel32 overwrite evasion by process %ps.exe |
| 36 | +severity: high |
| 37 | + |
| 38 | +min-engine-version: 2.4.0 |
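Review bot: The `'?:\\Windows\\WinSxS\\Temp\\PendingDeletes\\*!BaseThreadInitThunk*'` entry in the foreach exclusion list (file line 28) is looser than its neighbours: the other four patterns pin the frame's module to `kernel32.dll`, while this one treats any module under that directory as a legitimate origin of the `BaseThreadInitThunk` frame. If that breadth is deliberate (for example because servicing renames the staged copy), a YAML comment above the entry saying so, e.g. `# PendingDeletes copies of kernel32.dll may be renamed, hence no module name pin`, would stop a later reviewer from tightening it blindly; otherwise narrowing it to `'?:\\Windows\\WinSxS\\Temp\\PendingDeletes\\*kernel32.dll!BaseThreadInitThunk*'` keeps the allowlist consistent. Since the rule carries `action: kill` and the `System.Numerics.ni.dll` exclusion shows at least one benign case was already found, the description should state the process-termination side effect, e.g. `The matching process is terminated; validate exclusions in audit mode before enabling the kill action.` Whether `$frame.symbol` includes the full module path that these patterns assume is not visible here and should be confirmed against the engine's callstack frame fields.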