
DLL Injection / Side-Loading


DLL injection is a sophisticated and powerful method to stealthily execute malicious code. Here, malware attaches to an existing (legitimate) process and loads its own DLL into that process; the malicious code inside the DLL is then executed within the context of that process. A DLL can be actively injected, passively loaded via Windows' AppInit registry settings, loaded by taking advantage of the DLL search order, or introduced by other means.


 

DLL injection/loading has the following benefits for the attacker:

 

1. Since no new process is launched, detection methods that look for new processes will not generate alerts

2. Operating within the context of another process may give the malware access to sensitive information or additional privileges

3. DLL injection/loading may also give the malware persistence, if the malignant DLL is loaded automatically with the process

 


Security measures, such as code signing, can help mitigate this attack vector, but detecting malicious code in DLLs typically requires advanced tools and techniques, such as the Sysinternals Sysmon utility.

 

EventSentry Benefits

AppInit

The Validation Script "Threat Intel: Persistence - AppInit DLLs" can identify insecure AppInit settings.

 


Anomaly Detection with Sysmon

DLL injection can be detected by combining Sysmon's "ImageLoad" (event id 7) feature with EventSentry's event log anomaly detection functionality. By establishing a baseline of known DLLs (including the full DLL path) which any given process loads, EventSentry can then alert on new DLLs which were previously not loaded by that process.


Detecting unsigned DLLs with Sysmon

Potentially malicious DLLs can be detected by combining Sysmon's "ImageLoad" (event id 7) feature with EventSentry's advanced event log content filter rules, which can verify the digital signature of a DLL file. An unsigned DLL that is loaded into a signed process can be a sign of an infection.
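As an added illustration of the two Sysmon-based checks described above (this is example code, not EventSentry's own implementation), the following Python sketches the baseline-then-alert logic over constructed Sysmon event id 7 records. The field names (Image, ImageLoaded, Signed, SignatureStatus) follow the event; the process names, paths and the list of "signed processes" are assumed sample data.

```python
"""Baseline-and-alert checks over Sysmon Event ID 7 (ImageLoad) records."""
from collections import defaultdict


def rec(image, dll, signed="true", status="Valid"):
    """Build a record carrying the event 7 fields used here (constructed data)."""
    return {"Image": image, "ImageLoaded": dll, "Signed": signed, "SignatureStatus": status}


# Constructed baseline: DLLs each process was observed loading during the learning phase.
BASELINE_EVENTS = [
    rec(r"C:\Windows\explorer.exe", r"C:\Windows\System32\ntdll.dll"),
    rec(r"C:\Windows\explorer.exe", r"C:\Windows\System32\kernel32.dll"),
    rec(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\ntdll.dll"),
]

# Constructed events to evaluate against that baseline.
NEW_EVENTS = [
    rec(r"C:\Windows\explorer.exe", r"C:\Windows\System32\kernel32.dll"),  # known: no alert
    # Same file name but an unexpected path: the baseline keys on the full path, so this is new.
    rec(r"C:\Windows\explorer.exe", r"C:\Users\Public\kernel32.dll", "false", "Unavailable"),
    # A DLL never loaded by svchost before, and unsigned.
    rec(r"C:\Windows\System32\svchost.exe", r"C:\ProgramData\tmp\helper.dll", "false", "Unavailable"),
]

# Assumed: processes whose own image is signed (sample set, not a real inventory).
SIGNED_PROCESSES = {r"c:\windows\explorer.exe", r"c:\windows\system32\svchost.exe"}


def build_baseline(events):
    """Map each process image to the set of full DLL paths it is known to load."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev["Image"].lower()].add(ev["ImageLoaded"].lower())
    return baseline


def is_signed(ev):
    """Sysmon reports Signed=true plus a SignatureStatus of Valid for a trusted signature."""
    return ev.get("Signed", "").lower() == "true" and ev.get("SignatureStatus") == "Valid"


def evaluate(events, baseline, signed_processes):
    """Return (rule, image, dll) tuples for loads that deserve an alert."""
    alerts = []
    for ev in events:
        image, dll = ev["Image"].lower(), ev["ImageLoaded"].lower()
        if dll not in baseline.get(image, set()):
            alerts.append(("new-dll", image, dll))
        if image in signed_processes and not is_signed(ev):
            alerts.append(("unsigned-dll-in-signed-process", image, dll))
    return alerts
```

Running `evaluate(NEW_EVENTS, build_baseline(BASELINE_EVENTS), SIGNED_PROCESSES)` yields no alert for the known kernel32.dll load and two alerts each for the other two records.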