Create signature for DLL sideloading

[kevross33]

Initial signature for one behaviour that appears in some sideloading cases. For this to trigger either zip_compound needs to be used triggering the correct file that then sideloads the DLL or within the chain naturally (i.e. a loader/malicious script/doc etc. pulls down the elements needed itself and sideloads it.

Some other sigs will need investigated for anomalies on this which I am looking into but this should detect some cases.

APT28 sideload sample (dad1a8869c950c2d1d322c8aed3757d3988ef4f06ba230b329c8d510d8d9a027)

[gemini-code-assist]

Summary of Changes

Hello @kevross33, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new security signature designed to identify and flag instances of DLL sideloading or search order hijacking. By monitoring DLL load notifications and checking the origin directory against a whitelist of legitimate system paths, the signature aims to enhance the detection of sophisticated malware techniques, thereby strengthening the platform's ability to identify malicious behavior.

Highlights

• New Signature for DLL Sideloading: A new Cuckoo signature, DLLLoadSuspiciousDirectory, has been added to detect malicious DLL loading from non-standard locations.
• Suspicious Directory Detection: The signature identifies DLLs loaded from directories that are not part of a predefined whitelist of legitimate Windows system paths, indicating potential sideloading or search order hijacking.
• API Monitoring: The detection mechanism specifically monitors DllLoadNotification API calls to identify when a DLL is loaded and subsequently checks its origin.
• Exclusion List: An internal list of common, legitimate Windows directories (e.g., c:\windows\system32\, c:\program files\) is used to prevent false positives for standard DLL loads.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a new signature to detect potential DLL sideloading by checking for DLLs loaded from suspicious directories. The implementation is a good start. My review includes a suggestion to simplify the code by removing redundant logic and to make the signature's report more informative for analysts.

[gemini-code-assist]

This is a good signature. I have a few suggestions to simplify the code and make the report more informative:

1. The if call["api"] == "DllLoadNotification": check in on_call is redundant because filter_apinames is set. This check can be removed.
2. The report message would be more useful for analysts if it included the dllname.
3. The self.ret flag is redundant. The signature's status can be determined by checking if self.data is populated in on_complete.

Here is a refactored version of the class with these changes applied.

class DLLLoadSuspiciousDirectory(Signature):
    name = "dllload_suspicious_directory"
    description = "A DLL was loaded from a suspicious directory"
    severity = 2
    confidence = 50
    categories = ["side loading"]
    authors = ["Kevin Ross"]
    minimum = "1.3"
    evented = True
    enabled = True
    ttps = ["T1574"]  # MITRE v6,7,8
    mbcs = ["F0015"]

    def __init__(self, *args, **kwargs):
        Signature.__init__(self, *args, **kwargs)
        # Any exclusions added to this list needs to be in lower format.
        self.ignore_directories = [
            "c:\\windows\\system32\\",
            "c:\\windows\\syswow64\\",
            "c:\\windows\\",
            "c:\\windows\\winsxs\\",
            "c:\\program files\\",
            "c:\\program files (x86)\\",
            "c:\\programdata\\",
        ]

    filter_apinames = set(["DllLoadNotification"])

    def on_call(self, call, process):
        if not call["status"]:
            return None

        notificationreason = self.get_argument(call, "NotificationReason")
        dllname = self.get_argument(call, "DllName")
        if notificationreason == "load":
            pname = process["process_name"].lower()
            dllnamelower = dllname.lower()
            is_ignored = any(dllnamelower.startswith(d) for d in self.ignore_directories)
            if not is_ignored:
                self.mark_call()
                self.data.append(
                    {
                        "suspicious_dll_load": (
                            "Process %s loaded a DLL '%s' from a suspicious directory, "
                            "this is possibly indicative of DLL side loading/search order hijacking"
                        )
                        % (pname, dllname)
                    }
                )

    def on_complete(self):
        return bool(self.data)

[bartblaze]

Looks like a great sig @kevross33 😄