From ee3c6c4030d8e8a3a0f1ea6bc8ee469d85e0b2f9 Mon Sep 17 00:00:00 2001 From: rabbitstack Date: Thu, 2 Jul 2026 18:16:11 +0200 Subject: [PATCH] feat(rules): Add Untrusted DLL loaded from masqueraded Windows directory rule Identifies trusted process executables loading unsigned or untrusted Dynamic Link Libraries (DLLs) from filesystem paths that masquerade as legitimate Windows system directories. Attackers frequently create lookalike directory structures to disguise malicious payloads as legitimate operating system components. --- ...ded_from_masqueraded_windows_directory.yml | 58 +++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 rules/privilege_escalation_untrusted_dll_loaded_from_masqueraded_windows_directory.yml diff --git a/rules/privilege_escalation_untrusted_dll_loaded_from_masqueraded_windows_directory.yml b/rules/privilege_escalation_untrusted_dll_loaded_from_masqueraded_windows_directory.yml new file mode 100644 index 000000000..f53009695 --- /dev/null +++ b/rules/privilege_escalation_untrusted_dll_loaded_from_masqueraded_windows_directory.yml @@ -0,0 +1,58 @@ +name: Untrusted DLL loaded from masqueraded Windows directory +id: a3899290-dc2e-405b-a6ea-cb1eb40c4769 +version: 1.0.0 +description: | + Identifies trusted process executables loading unsigned or untrusted + Dynamic Link Libraries (DLLs) from filesystem paths that masquerade as + legitimate Windows system directories. + Attackers frequently create lookalike directory structures to disguise + malicious payloads as legitimate operating system components. +labels: + tactic.id: TA0004 + tactic.name: Privilege Escalation + tactic.ref: https://attack.mitre.org/tactics/TA0004/ + technique.id: T1574 + technique.name: Hijack Execution Flow + technique.ref: https://attack.mitre.org/techniques/T1574/ +references: + - https://github.com/r3xmax/PhantomCtx + - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/ + +condition: > + load_dll and + ps.exe imatches ('?:\\Windows\\System32\\*.exe', '?:\\Windows\\SysWOW64\\*.exe', '?:\\Program Files*') and + (dll.signature.exists = false or dll.signature.trusted = false) and + dll.path imatches + ( + '?:\\*\\Windows\\System32\\*', + '?:\\*\\Windows\\SysWOW64\\*', + '?:\\*\\Windows\\WinSxS\\*', + '?:\\*\\Windows\\assembly\\*', + '?:\\*\\Windows\\Microsoft.NET\\*', + '*:\\Windows \\System32\\*', + '*:\\Windows \\SysWOW64\\*', + '*:\\ Windows*\\System32\\*', + '*:\\ Windows*\\SysWOW64\\*', + '*:\\Windows*\\assembly\\*', + '*:\\Windows*\\WinSxS\\*', + '*:\\ Windows*\\WinSxS\\*', + '*:\\ Windows*\\assembly\\*' + ) and + dll.path not imatches + ( + '?:\\Windows\\System32\\*', + '?:\\Windows\\SysWOW64\\*', + '?:\\Windows\\WinSxS\\*', + '?:\\Windows\\assembly\\*', + '?:\\Windows\\Microsoft.NET\\*', + '?:\\$WINDOWS.~BT\\*\\Windows\\System32\\migration\\*.dll', + '?:\\$WINDOWS.~BT\\*\\Windows\\SysWOW64\\migration\\*.dll', + '?:\\Windows.old\\WINDOWS\\System32\\DriverStore\\*.dll', + '?:\\$WinREAgent\\Scratch\\Mount\\Windows\\*.dll', + '?:\\ProgramData\\docker\\windowsfilter\\*\\Files\\Windows\\System32\\*.dll', + '?:\\ProgramData\\docker\\windowsfilter\\*\\Files\\Windows\\SysWOW64\\*.dll' + ) + +severity: high + +min-engine-version: 3.0.0