Posts

Showing posts with the label threatdetection

System32 executables from non-standard paths

I have no qualms about boiling a small ocean if it means detecting malware. I wrote earlier about some individual occurrences of malware that use legitimate system32 executables in non-standard paths for DLL side-loading. A colleague asked why we couldn't do all the checks at one time, so we worked on a method to do just that.

It turns out that there are over 600 executables in system32. The first thing I tried was just to put them all into a big search and be done with it. You can try it if you want, but I had no luck getting Splunk to run a search string that large. So we converted the list to a csv. To get the filenames from the inputlookup to expand into the search we want, I had to use the following format, with a header value of "process_path". You'll see the reason for the header and the *\ in a little bit.

    process_path
    *\agentservice.exe
    *\aitstatic.exe
    *\ald.exe

The way inputlookup is expanded, the search string will become:

    (process_path=*\\agentservice.ex...

Malware dll side-loading using system32 executables

I observed a couple of malware samples that performed multiple dll side-loads by copying (assumed) system32 exes to a random path in appdata\roaming and dropping their own malicious dll:

    sigverif.exe -> version.dll
    rdpinit.exe
    netplwiz.exe -> netplwiz.dll
    applysettingstemplatecatalog.exe -> activeds.dll
    computerdefaults.exe
    msdt.exe -> duser.dll
    utilman.exe -> dui70.dll

Assuming you have EDR data in Splunk, here is a simple detection example that looks for the executable and negates the normal path:

    index=edr msdt.exe process_path=*\\msdt.exe process_path!=c:\\windows\\system32\\*

There are some other paths to negate as well, but I want to keep it simple here. See the related post to detect ANY system32 executable running from a non-standard path.

Mitre ATT&CK ID: T1073

References:
http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
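The detection logic from both posts, written here in Python as an added example that is not part of either post: it expands a lookup of executable names into the OR-ed clause the inputlookup produces, then applies the negated-path check to constructed EDR records. The SysWOW64 path, the record layout and the sample events are assumptions.

```python
import fnmatch

# Constructed lookup, mirroring the csv with a "process_path" header: the
# system32 executables the post saw copied out for dll side-loading.
SIDELOAD_TARGETS = [
    "sigverif.exe", "rdpinit.exe", "netplwiz.exe",
    "applysettingstemplatecatalog.exe", "computerdefaults.exe",
    "msdt.exe", "utilman.exe",
]

# Directories where these binaries legitimately live. Only system32 is from
# the post; syswow64 is an assumption standing in for the "other paths".
NORMAL_PATH_PATTERNS = [r"c:\windows\system32\*", r"c:\windows\syswow64\*"]


def expand_lookup(names):
    """Build the OR-ed clause Splunk produces when the lookup is expanded."""
    return "(" + " OR ".join(f"process_path=*\\\\{n}" for n in names) + ")"


def matches(path, pattern):
    """Case-insensitive wildcard match, since Windows paths are case-insensitive."""
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def is_sideload_candidate(process_path):
    """True when a lookup exe runs from outside its normal directory.

    The leading *\ anchors the name to a path separator, so notmsdt.exe
    does not match msdt.exe.
    """
    in_lookup = any(matches(process_path, "*\\" + n) for n in SIDELOAD_TARGETS)
    in_normal = any(matches(process_path, p) for p in NORMAL_PATH_PATTERNS)
    return in_lookup and not in_normal


def find_sideloaded(events):
    """Return the EDR events whose process_path flags as a candidate."""
    return [e for e in events if is_sideload_candidate(e["process_path"])]


# Constructed EDR records, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "process_path": r"C:\Windows\System32\msdt.exe"},
    {"host": "ws02", "process_path": r"C:\Users\bob\AppData\Roaming\k3x9\msdt.exe"},
    {"host": "ws03", "process_path": r"C:\Users\bob\AppData\Roaming\k3x9\utilman.exe"},
    {"host": "ws04", "process_path": r"C:\Windows\SysWOW64\netplwiz.exe"},
    {"host": "ws05", "process_path": r"C:\Program Files\Vendor\notmsdt.exe"},
]

if __name__ == "__main__":
    print(expand_lookup(SIDELOAD_TARGETS))
    for hit in find_sideloaded(SAMPLE_EVENTS):
        print("sideload candidate:", hit["host"], hit["process_path"])
```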