detection.wiki

Detection rules › Splunk

Windows Executable in Loaded Modules

Author
Teoderick Contreras, Splunk
Source
upstream

The following analytic identifies instances where executable files (.exe) are loaded as modules, detected through 'ImageLoaded' events in Sysmon logs. This method leverages Sysmon EventCode 7 to track unusual module loading behavior, which is significant as it deviates from the norm of loading .dll files. This activity is crucial for SOC monitoring because it can indicate the presence of malware like NjRAT, which uses this technique to load malicious modules. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, maintain persistence, and further compromise the host system.

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1129 Shared Modules

Event coverage

ProviderEvent IDTitle
Sysmon7Image loaded

Stages and Predicates

Stage 1: search

search EventCode=7 ImageLoaded!="*.dll" Signed!=true

Stage 2: fillnull

fillnull

Stage 3: stats

stats BY Image, ImageLoaded, dest, loaded_file, loaded_file_path, original_file_name, process_exec, process_guid, process_hash, process_id, process_name, process_path, service_dll_signature_exists, service_dll_signature_verified, signature, Signed, signature_id, user_id, vendor_product

Stage 4: search

search

Stage 5: search

search

Stage 6: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
EventCodeeq
  • 7 corpus 35 (splunk 35)
ImageLoadedne
  • *.dll
Signedne
  • true

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.