Rule of the Week: Evasive DLL Loading / AWL Bypass

Today, the “Possible Evasive DLL Loading / AWL Bypass (via cmdline)” rule, released by the SOC Prime team, falls into our “Rule of the Week” column: https://tdm.socprime.com/tdm/info/WWzSUxrG5vxv/ASH-E3IBjwDfaYjKRX9L/?p=1

As you know, application whitelisting (AWL) is a proactive approach that allows only pre-approved, explicitly specified programs to run. Any program that is not whitelisted is blocked by default, so AWL is often used to stop malware from landing and executing on endpoints within a network. However, it is not a panacea, and attackers are constantly looking for, and finding, ways to bypass AWL solutions. The rule from the SOC Prime Team is designed specifically to detect activity on hosts that indicates evasive DLL loading or an AWL bypass. It helps to uncover when adversaries abuse registry COM CLSIDs to bypass application whitelisting, or hijack COM references and relationships so that their own code is executed in place of legitimate software, both as a bypass and as a means of persistence.
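To make the two behaviours above concrete from the detection side, here is an added example (not SOC Prime's rule and not its logic, which the TDM page does not reproduce) that checks constructed Sysmon-style process-creation and registry events for (a) a signed DLL-hosting binary such as rundll32.exe or regsvr32.exe launched with a COM CLSID on its command line, and (b) a COM class registered under a per-user hive, the classic COM hijack location. The field names (`Image`, `CommandLine`, `TargetObject`) follow Sysmon conventions; the sample events and the CLSID value in them are constructed for the example.

```python
"""
Toy detector for COM-CLSID abuse on the command line and for per-user COM
registrations (COM hijacking). Added example; not SOC Prime's rule logic.
All events below are CONSTRUCTED Sysmon-style records, not real telemetry.
"""
import re
from typing import Dict, List

# A COM class identifier is a braced GUID: {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
CLSID_RE = re.compile(r"\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}", re.I)

# Signed Windows binaries that load a DLL or activate a COM class on behalf of
# any caller; a CLSID handed to them on the command line is worth a look.
LOLBIN_HOSTS = {"rundll32.exe", "regsvr32.exe"}

# Per-user COM registrations (HKCU / HKU\<SID>) take precedence over the
# machine-wide ones in HKLM, so a server path written here can redirect a
# legitimate CLSID to attacker-controlled code.
USER_COM_HIJACK_RE = re.compile(
    r"\\Software\\Classes\\CLSID\\\{[0-9a-f-]+\}\\(InprocServer32|LocalServer32)",
    re.I,
)


def image_name(path: str) -> str:
    """Return the lower-cased file name of an Image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(event: Dict[str, str]) -> List[str]:
    """Flag rundll32/regsvr32 launches whose command line carries a CLSID."""
    findings: List[str] = []
    host = image_name(event.get("Image", ""))
    if host in LOLBIN_HOSTS:
        for clsid in CLSID_RE.findall(event.get("CommandLine", "")):
            findings.append(f"com_clsid_on_cmdline:{host}:{clsid.lower()}")
    return findings


def check_registry_set(event: Dict[str, str]) -> List[str]:
    """Flag COM server registrations written into a user hive (HKU\\...)."""
    target = event.get("TargetObject", "")
    if target.upper().startswith("HKU\\") and USER_COM_HIJACK_RE.search(target):
        return [f"user_hive_com_registration:{target}"]
    return []


def detect(events: List[Dict[str, str]]) -> List[str]:
    """Run both checks over a stream of events and collect the findings."""
    findings: List[str] = []
    for e in events:
        if e.get("EventType") == "ProcessCreate":
            findings.extend(check_process_create(e))
        elif e.get("EventType") == "RegistryValueSet":
            findings.extend(check_registry_set(e))
    return findings


# Constructed sample telemetry (CLSID value is made up for the example).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},          # benign
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe {11111111-2222-3333-4444-555555555555}"},  # flag
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe shell:::{11111111-2222-3333-4444-555555555555}"},  # not a LOLBIN host
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)"},  # flag
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKLM\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)"},  # machine-wide, ignored here
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The explorer.exe event is included on purpose: a CLSID on a command line is only interesting when the host binary will load or activate arbitrary code for the caller, so the check keys on the image name rather than on the CLSID alone. In production the HKLM branch would be handled by a separate, installer-aware rule rather than ignored.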

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, ELK Stack, RSA NetWitness, Sumo Logic, Graylog, Humio, LogPoint

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint


MITRE ATT&CK:

Tactics: Persistence, Defense Evasion, Execution

Techniques: Component Object Model Hijacking (T1122), Rundll32 (T1085)


Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.