DLL Hijacking: Loading from an Unusual Directory

Group by: FileName
Author: Cyb3rMonk
Source: github.com/Cyb3r-Monk/Threat-Hunting-and-Detection

Below query detects DLL Hijacking scenario of planting a DLL having an invalid signature in a different folder and making an application load it instead of the original DLL.

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1574.001` Hijack Execution Flow: DLL, `T1574.002` Hijack Execution Flow: DLL Side-Loading, `T1574.007` Hijack Execution Flow: Path Interception by PATH Environment Variable, `T1574.008` Hijack Execution Flow: Path Interception by Search Order Hijacking, `T1574.009` Hijack Execution Flow: Path Interception by Unquoted Path
Stealth	`T1574.001` Hijack Execution Flow: DLL, `T1574.002` Hijack Execution Flow: DLL Side-Loading, `T1574.007` Hijack Execution Flow: Path Interception by PATH Environment Variable, `T1574.008` Hijack Execution Flow: Path Interception by Search Order Hijacking, `T1574.009` Hijack Execution Flow: Path Interception by Unquoted Path

Event coverage

Provider	Event/ActionType	Title
Sysmon	Event ID 7	Image loaded
Defender-DeviceImageLoadEvents	any	Image load (any)

Rule body kusto

// Author: Cyb3rMonk(https://twitter.com/Cyb3rMonk, https://mergene.medium.com)
// Link to original post: https://posts.bluraven.io/detecting-dll-hijacking-attacks-part-1-bdb354685164
// Description: This query detects DLL Hijacking scenario of planting a DLL having an invalid signature in a different
//              folder and making an application load it instead of the original DLL.
//
// Query parameters:
let WinDevices = materialize (
    DeviceInfo
    | where Timestamp > ago(8d)
    | where OSPlatform startswith_cs "Windows"
    | summarize make_set(DeviceId)
    )
    ;
// Get Filenames that have more than 1 SHA1 and loaded by the same process
let FileNames = materialize (
    DeviceImageLoadEvents
    | where Timestamp > ago(8d)
    | where DeviceId in (WinDevices)
    | where isnotempty(SHA1) and isnotempty(InitiatingProcessFileName)
    | project FileName = tolower(FileName), SHA1, Process = tolower(InitiatingProcessFileName), DLLDir = tolower(tostring(parse_path(FolderPath).DirectoryPath)), ProcessDir = tolower(tostring(parse_path(InitiatingProcessFolderPath).DirectoryPath))
    | where DLLDir in ("c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs") or (not(DLLDir startswith "c:\\windows"))
    | where ProcessDir in ("c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs") or ProcessDir has_all ("Users","AppData") or ProcessDir has_any ("Program Files")
    | summarize hint.strategy=shuffle dcount(SHA1) by FileName, Process
    | where dcount_SHA1 > 1
    )
    ;
// From the Filenames, get SHA1 values and filter Filename-SHA1 if its loaded by a few proecsses and on a few devices
// Also, get first and last time of load of the file(based on SHA1, filename)
let Files = materialize (
    FileNames
    | join hint.strategy=shuffle kind=rightsemi (
        DeviceImageLoadEvents
        | where Timestamp > ago(8d)
        | where DeviceId in (WinDevices)
        | project Timestamp, DeviceName, FileName = tolower(FileName), SHA1, Process = tolower(InitiatingProcessFileName), DLLDir = tolower(tostring(parse_path(FolderPath).DirectoryPath)), ProcessDir = tolower(tostring(parse_path(InitiatingProcessFolderPath).DirectoryPath))
        | where DLLDir in ("c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs") or (not(DLLDir startswith "c:\\windows"))
        | where ProcessDir in ("c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs") or ProcessDir has_all ("Users","AppData") or ProcessDir has_any ("Program Files")
        | summarize hint.strategy=shuffle dcount(DeviceName), Process = make_set(Process), FirstLoad = min(Timestamp), LastLoad = max(Timestamp), count() by FileName, SHA1
        | where dcount_DeviceName < 3 and array_length(Process) < 3
        | mv-expand Process to typeof(string)
        )
        on FileName, Process
    )
    ;
// Files: Potentially suspicious files seen in the last 8d
// Next step: suspicious file (based on SHA1) should have been loaded from a location different than the other files(SHA1s) based on the same filename
// The suspicious file should have also been loaded recently
// Get files loaded in the last day (from the potentially suspicious files)
let Hashes = materialize (
    Files
    | where FirstLoad > ago(1d)
    | join (
        DeviceFileCertificateInfo
        | where Timestamp > ago(30d)
        | where not(IsTrusted )
        | summarize arg_max(Timestamp,*) by SHA1
        | project-away Timestamp, DeviceId, DeviceName) on SHA1
    | project-away SHA11
    )
    ;
// Get all image loads of the files that have the same name with the files in Hashes table(Hashes table only has the suspicious hash with its name from the last day)
Hashes
| join hint.strategy=shuffle kind=inner (
    DeviceImageLoadEvents
    | where Timestamp > ago(8d)
    | where DeviceId in (WinDevices)
    | project Timestamp, DeviceName, SHA1, FolderPath, FileName = tolower(FileName), Process = tolower(InitiatingProcessFileName), DLLDirectory = strcat(tolower(tostring(parse_path(FolderPath).DirectoryPath)), '\\'), ProcessDir = tolower(tostring(parse_path(InitiatingProcessFolderPath).DirectoryPath))
    | where DLLDirectory  in ("c:\\windows\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\") or (not(DLLDirectory startswith "c:\\windows\\"))
    | where ProcessDir in ("c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs") or ProcessDir has_all ("Users","AppData") or ProcessDir has_any ("Program Files")
    | extend NormalizedDLLDirectory = replace(@'(c|d):\\users\\.*?\\', @'c:\\users\\userxx\\',DLLDirectory)
    | extend NormalizedDLLDirectory = replace(@'\{.*\}', @'\{xxxxxxxxxx\}',NormalizedDLLDirectory) //{fe07d7-d438-4dd9-bb0f-5721658f4f}
    | extend NormalizedDLLDirectory = replace(@'\\[A-Za-z0-9-]+-[A-Za-z0-9]+\\', @'\\xxxxxxxxxx\\',NormalizedDLLDirectory ) //\fe07d7-d438-4dd9-bb0f-5721658f4f\
    | extend NormalizedDLLDirectory = replace(@'\d+\.\d+\.\d+\.\d+', @'X.Y.Z.T',NormalizedDLLDirectory) // ex: Edge\Application\104.0.1293.47\process.exe
    | extend NormalizedDLLDirectory = replace(@'-\d+\.\d+\.\d+', @'-X.Y.Z',NormalizedDLLDirectory)
    | extend NormalizedDLLDirectory = replace(@'c:\\windows\\assembly\\nativeimages_v\d\.\d\.\d+_\d{2}\\.*', @'c:\\windows\\assembly\\nativeimages_vX.Y.Z_T\\oneoffewsubfolders\\', NormalizedDLLDirectory)
    | extend NormalizedDLLDirectory = replace(@'c:\\programdata\\.*?\\microsoft\\teams\\',@'c:\\programdata\\userxxx\\microsoft\\teams\\',NormalizedDLLDirectory)
    | summarize hint.strategy=shuffle by FileName, SHA1, NormalizedDLLDirectory
    )
    on FileName
    | project-rename OtherSHA1 = SHA11
    // Flag suspicious hash
    | extend Suspicious = iff(SHA1==OtherSHA1, 'TRUE', 'FALSE')
    // group properties of suspicious and previous files separately
    // we are looking for a filename that was loaded from previously unknown location
    | summarize hint.strategy=shuffle PreviousDirs = make_set_if(NormalizedDLLDirectory, Suspicious == 'FALSE'),
                NewDir = make_set_if(NormalizedDLLDirectory, Suspicious == 'TRUE'),
                PreviousSHA1s = make_set_if(OtherSHA1, Suspicious == 'FALSE'),
                NewSHA1 = make_set_if(SHA1, Suspicious == 'TRUE')
                by  FileName
    // compare the directory of the suspicous file with the previous directories
    | extend diff = set_difference(NewDir, PreviousDirs)
    // filter if the new(suspicious) file is loaded from previously known directory
    | where diff != '[]'
    | order by FileName
    // if you get lots of false positives, uncomment the below section.
    // this section compares the directory names in an alternative way.
    // | mv-expand NewDir to typeof(string), PreviousDirs to typeof(string)
    // | extend prev = split(PreviousDirs, '\\'), new = split(NewDir, '\\')
    // | extend diff_new = set_difference(new, prev)
    // | extend diff_count = array_length(diff_new)
    // | where diff_count > 1
    // | project-away prev, new, diff_count, diff
    // get file profile info and filter based on global prevalence
    | mv-expand NewSHA1 to typeof(string)
    | invoke FileProfile(NewSHA1, 1000)
    | where GlobalPrevalence < 200 or isempty(GlobalPrevalence)

Stages and Predicates

Let binding: `WinDevices`

let WinDevices = materialize (
    DeviceInfo
    | where Timestamp > ago(8d)
    | where OSPlatform startswith_cs "Windows"
    | summarize make_set(DeviceId)
    );

The stages below define let Hashes (the rule's main pipeline source).

Stage 1: `source`

Files

Stage 2: `where`

where ...

Stage 3: `join`

join (...)

Stage 4: `project-away`

project-away SHA11

Stage 5: `join`

join kind=inner (...)

Stage 6: `project-rename`

project-rename

Stage 7: `extend`

extend Suspicious

Suspicious =

ifSHA1 == "OtherSHA1"'TRUE'

else'FALSE'

Stage 8: `summarize`

summarize NewDir, NewSHA1, PreviousDirs, PreviousSHA1s by FileName

Stage 9: `extend`

extend diff

Stage 10: `where`

where diff !~ "[]"

Stage 11: `sort`

sort by FileName

Stage 12: `mv-expand`

mv-expand NewSHA1

Stage 13: `invoke`

invoke

The stages below run on Hashes (the outer pipeline).

Stage 14: `where`

where (isempty(GlobalPrevalence) or GlobalPrevalence < 200)

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`DLLDirectory`	in	`c:\\windows\\` transforms: `cased` `c:\\windows\\system32\\` transforms: `cased` `c:\\windows\\syswow64\\` transforms: `cased` `c:\\windows\\winsxs\\` transforms: `cased`
`DeviceId`	in	`WinDevices` transforms: `cased`
`GlobalPrevalence`	is_null	(no value, null check)
`GlobalPrevalence`	lt	`200` transforms: `cased` corpus 4 (kusto 4)
`ProcessDir`	in	`c:\\windows` transforms: `cased` `c:\\windows\\system32` transforms: `cased` `c:\\windows\\syswow64` transforms: `cased` `c:\\windows\\winsxs` transforms: `cased`
`ProcessDir`	match	`AppData` `Program Files` `Users`
`diff`	ne	`[]` transforms: `cased` corpus 2 (kusto 2)

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field	Source
`FileName`	`summarize`
`NewDir`	`summarize`
`NewSHA1`	`summarize`
`PreviousDirs`	`summarize`
`PreviousSHA1s`	`summarize`
`diff`	`extend`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

DLL Hijacking: Loading from an Unusual Directory

MITRE ATT&CK coverage

Event coverage

Rule body kusto

Stages and Predicates

Let binding: `WinDevices`

Stage 1: `source`

Stage 2: `where`

Stage 3: `join`

Stage 4: `project-away`

Stage 5: `join`

Stage 6: `project-rename`

Stage 7: `extend`

Stage 8: `summarize`

Stage 9: `extend`

Stage 10: `where`

Stage 11: `sort`

Stage 12: `mv-expand`

Stage 13: `invoke`

Stage 14: `where`

Indicators

Output fields

Keyboard shortcuts

Search operators

DLL Hijacking: Loading from an Unusual Directory

MITRE ATT&CK coverage

Event coverage

Rule body kusto

Stages and Predicates

Let binding: WinDevices

Stage 1: source

Stage 2: where

Stage 3: join

Stage 4: project-away

Stage 5: join

Stage 6: project-rename

Stage 7: extend

Stage 8: summarize

Stage 9: extend

Stage 10: where

Stage 11: sort

Stage 12: mv-expand

Stage 13: invoke

Stage 14: where

Indicators

Output fields

Let binding: `WinDevices`

Stage 1: `source`

Stage 2: `where`

Stage 3: `join`

Stage 4: `project-away`

Stage 5: `join`

Stage 6: `project-rename`

Stage 7: `extend`

Stage 8: `summarize`

Stage 9: `extend`

Stage 10: `where`

Stage 11: `sort`

Stage 12: `mv-expand`

Stage 13: `invoke`

Stage 14: `where`