From 336f2967839c40599a08d15a22e05d4a7c2f78f1 Mon Sep 17 00:00:00 2001 From: rabbitstack Date: Wed, 1 Jul 2026 18:20:52 +0200 Subject: [PATCH] feat(rules): Add Untrusted DLL loaded from unusual directory rule Identifies trusted, digitally signed executables loading unsigned or untrusted Dynamic Link Libraries (DLLs) from user-writable or otherwise uncommon filesystem locations. Adversaries frequently abuse these directories to stage malicious libraries that are subsequently loaded by legitimate applications, allowing arbitrary code to execute within the context of a trusted process while reducing the likelihood of detection. --- ...sted_dll_loaded_from_unusual_directory.yml | 91 +++++++++++++++++++ 1 file changed, 91 insertions(+) create mode 100644 rules/defense_evasion_untrusted_dll_loaded_from_unusual_directory.yml diff --git a/rules/defense_evasion_untrusted_dll_loaded_from_unusual_directory.yml b/rules/defense_evasion_untrusted_dll_loaded_from_unusual_directory.yml new file mode 100644 index 000000000..58fcc9de2 --- /dev/null +++ b/rules/defense_evasion_untrusted_dll_loaded_from_unusual_directory.yml @@ -0,0 +1,91 @@ +name: Untrusted DLL loaded from unusual directory +id: 57372a7a-7f7a-4202-80a7-12888589414a +version: 1.0.0 +description: | + Identifies trusted, digitally signed executables loading unsigned or untrusted + Dynamic Link Libraries (DLLs) from user-writable or otherwise uncommon filesystem + locations. + Adversaries frequently abuse these directories to stage malicious libraries that + are subsequently loaded by legitimate applications, allowing arbitrary code to + execute within the context of a trusted process while reducing the likelihood of + detection. +labels: + tactic.id: TA0005 + tactic.name: Defense Evasion + tactic.ref: https://attack.mitre.org/tactics/TA0005/ + technique.id: T1574 + technique.name: Hijack Execution Flow + technique.ref: https://attack.mitre.org/techniques/T1574/ +references: + - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/ + - https://www.ibm.com/think/x-force/windows-features-dll-sideloading + +condition: > + load_dll and + ps.exe != '' and dir(dll.path) ~= dir(ps.exe) and + ps.signature.trusted = true and (dll.signature.exists = false or dll.signature.trusted = false) and + dll.path imatches + ( + '?:\\Windows\\Tasks\\*', + '?:\\Windows\\System32\\Tasks\\*', + '?:\\PerfLogs\\*', + '?:\\$Recycle.Bin\\*', + '?:\\ProgramData\\*', + '?:\\Users\\Public\\*', + '?:\\Users\\*\\AppData\\Roaming\\*', + '?:\\Users\\*\\Documents\\*', + '?:\\Users\\*\\Pictures\\*', + '?:\\Users\\*\\Music\\*', + '?:\\Users\\*\\Videos\\*', + '?:\\Windows\\AppReadiness\\*', + '?:\\Windows\\Prefetch\\*', + '?:\\Windows\\Fonts\\*', + '?:\\Windows\\INF\\*', + '?:\\Windows\\tracing\\*', + '?:\\Windows\\Help\\*', + '?:\\Windows\\csc\\*', + '?:\\Windows\\Web\\*', + '?:\\Windows\\Servicing\\*', + '?:\\Windows\\Boot\\*', + '?:\\Windows\\Resources\\*', + '?:\\Windows\\Provisioning\\*', + '?:\\Windows\\PrintDialog\\*', + '?:\\Windows\\SchCache\\*', + '?:\\Windows\\Cursors\\*', + '?:\\Windows\\debug\\*', + '?:\\Windows\\Containers\\*', + '?:\\Windows\\ShellComponents\\*', + '?:\\Windows\\ShellExperiences\\*', + '?:\\Windows\\Setup\\*', + '?:\\Windows\\Migration\\*', + '?:\\Windows\\PLA\\*', + '?:\\Windows\\Vss\\*', + '?:\\Windows\\WaaS\\*', + '?:\\Windows\\ImmersiveControlPanel\\*', + '?:\\Windows\\PolicyDefinitions\\*', + '?:\\Windows\\Globalization\\*', + '?:\\Windows\\appcompat\\*', + '?:\\Windows\\apppatch\\*', + '?:\\Windows\\addins\\*', + '?:\\Windows\\SystemTemp\\*', + '?:\\Windows\\WinSxS\\*', + '?:\\Windows\\TextInput\\*', + '?:\\Windows\\TAPI\\*', + '?:\\Windows\\Prefetch\\*', + '?:\\Intel\\*', + '?:\\AMD\\Temp\\*', + '?:\\Windows\\hp\\*', + '?:\\Windows\\RemotePackages\\*', + '?:\\Windows\\ServiceProfiles\\*', + '?:\\Windows\\dot3svc\\*', + '?:\\Windows\\CbsTemp\\*', + '?:\\Windows\\LiveKernelReports\\*', + '?:\\Windows\\SoftwareDistribution\\*', + '?:\\Windows\\ServiceState\\*', + '?:\\Windows\\SKB\\*', + '?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*' + ) + +severity: high + +min-engine-version: 3.0.0