Today's Rule of the Week is “Possible Evasive DLL Loading / AWL Bypass (via cmdline)”, released by the SOC Prime team: https://tdm.socprime.com/tdm/info/WWzSUxrG5vxv/ASH-E3IBjwDfaYjKRX9L/?p=1
As you know, application whitelisting (AWL) is a proactive control that allows only pre-approved, explicitly listed programs to run; anything not on the list is blocked by default, which is why AWL is often deployed to stop malware from landing and executing on endpoints. It is not a panacea, however: the whitelisted set usually includes signed Microsoft binaries such as rundll32.exe, and attackers keep finding ways to make those trusted binaries load code of the attacker's choosing. The rule from the SOC Prime team is designed to detect exactly this kind of activity on a host: evasive DLL loading or an AWL bypass driven from the command line. It helps uncover adversaries abusing registry COM CLSIDs to bypass application whitelisting, or hijacking COM references so that malicious code runs in place of legitimate software as a means of persistence. The underlying weakness is that per-user CLSID registrations under HKCU\Software\Classes are consulted before the machine-wide ones under HKLM, so an attacker who can write to their own hive can point a CLSID's InprocServer32 at a DLL in a user-writable directory and then have a whitelisted binary activate that class.
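The following is an added illustration written for this post, not the SOC Prime rule's actual logic, of how the two behaviours described above show up in command-line and registry telemetry. It runs a simplified detector over a handful of constructed Sysmon-style events (process creation, Event ID 1, and registry value set, Event ID 13): it flags rundll32.exe activating a COM class by CLSID (the `-sta` switch or a `{GUID}` in the command line), and flags InprocServer32 values written into a user hive. The event field names follow Sysmon's (`Image`, `CommandLine`, `TargetObject`, `Details`); the user-hive path forms (`HKU\<SID>\Software\Classes\...` and `HKU\<SID>_Classes\...`) are assumptions about how the key is logged, and the sample events and SIDs are made up.

```python
"""Simplified detection for COM CLSID abuse via rundll32 and user-hive COM
hijacking over constructed Sysmon-style events.

Illustration written for this post; it is NOT the SOC Prime rule's logic.
"""
import re

# Registry-style GUID, e.g. {00020D75-0000-0000-C000-000000000046}
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# rundll32 switch that activates a COM class in a single-threaded apartment
STA_RE = re.compile(r"(?<!\S)[-/]sta(?!\S)", re.IGNORECASE)

# InprocServer32 under a per-user CLSID key. Sysmon reports HKCU as HKU\<SID>;
# both "HKU\<SID>\Software\Classes\..." and "HKU\<SID>_Classes\..." are assumed
# forms here. A user-writable entry shadows the HKLM registration of the same CLSID.
USER_INPROC_RE = re.compile(
    r"^HKU\\S-1-5-21-[0-9-]+(?:_Classes\\|\\Software\\Classes\\)"
    r"CLSID\\\{[0-9A-Fa-f-]{36}\}\\InprocServer32",
    re.IGNORECASE,
)


def suspicious_rundll32(image, cmdline):
    """Return a reason if rundll32 is told to activate a COM class by CLSID."""
    if not image.lower().endswith("\\rundll32.exe"):
        return None
    if STA_RE.search(cmdline) or CLSID_RE.search(cmdline):
        return "rundll32 invoked with a COM CLSID on the command line"
    return None


def suspicious_com_registration(target_object, details):
    """Return a reason if an InprocServer32 value is set in a user hive."""
    if not USER_INPROC_RE.match(target_object):
        return None
    return f"InprocServer32 written in user hive -> {details}"


def analyze(events):
    """Run both checks over a list of event dicts; return (EventID, reason) pairs."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            reason = suspicious_rundll32(ev["Image"], ev["CommandLine"])
        elif ev["EventID"] == 13:
            reason = suspicious_com_registration(ev["TargetObject"], ev["Details"])
        else:
            reason = None
        if reason:
            findings.append((ev["EventID"], reason))
    return findings


# Constructed sample events (hypothetical SIDs, CLSIDs and paths).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe -sta {F1F2F3F4-AAAA-BBBB-CCCC-123456789ABC}"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID"
                     r"\{F1F2F3F4-AAAA-BBBB-CCCC-123456789ABC}\InprocServer32\(Default)",
     "Details": r"C:\Users\bob\AppData\Local\Temp\payload.dll"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID"
                     r"\{00020D75-0000-0000-C000-000000000046}\InprocServer32\(Default)",
     "Details": r"C:\Windows\System32\mshtml.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for event_id, reason in analyze(SAMPLE_EVENTS):
        print(f"EventID {event_id}: {reason}")
```

Only the first and third sample events should fire: the plain `shell32.dll,Control_RunDLL` invocation carries no CLSID, and the HKLM write is a machine-wide registration of the kind installers perform. In production the user-hive check needs tuning, since some legitimate per-user installers also register COM servers under HKCU; correlating the written path with a user-writable directory, as in the third event, is the usual way to cut that noise.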
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, ELK Stack, RSA NetWitness, Sumo Logic, Graylog, Humio, LogPoint
EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint
Tactics: Persistence, Defense Evasion, Execution
Techniques: Component Object Model Hijacking (T1122, since remapped by MITRE to T1546.015), Rundll32 (T1085, since remapped to T1218.011)