Windows Potential AppDomainManager Hijack Artifacts Creation

Author
Teoderick Contreras, Splunk
Source
upstream

The following analytic detects the creation of an .exe file along with its corresponding .exe.config and a .dll in the same directory, which is a common pattern indicative of potential AppDomain hijacking or CLR code injection attempts. This behavior may signal that a malicious actor is attempting to load a rogue assembly into a legitimate application's AppDomain, allowing code execution under the context of a trusted process.

MITRE ATT&CK coverage

Tactic                Technique
Persistence           T1574.014 Hijack Execution Flow: AppDomainManager
Privilege Escalation  T1574.014 Hijack Execution Flow: AppDomainManager
Defense Evasion       T1574.014 Hijack Execution Flow: AppDomainManager

Event coverage

Provider  Event ID  Title
Sysmon    11        FileCreate

Stages and Predicates

Stage 1: tstats

tstats WHERE Filesystem.action="created" Filesystem.file_name IN ("*.dll", "*.exe", "*.exe.config") Filesystem.file_path IN ("*Recycle.bin*", "*\\PerfLogs\\*", "*\\Users\\Administrator\\Music\\*", "*\\Users\\Default\\*", "*\\Windows\\Media\\*", "*\\Windows\\repair\\*", "*\\Windows\\servicing\\*", "*\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\windows\\fonts\\*") BY Filesystem.action, Filesystem.dest, Filesystem.file_access_time, Filesystem.file_create_time, Filesystem.file_hash, Filesystem.file_modify_time, Filesystem.file_name, Filesystem.file_path, Filesystem.file_acl, Filesystem.file_size, Filesystem.process_guid, Filesystem.process_id, Filesystem.user, Filesystem.vendor_product

Stage 2: search

search

Stage 3: stats

stats BY dest, process_guid

Stage 4: eval

eval ... using (file_name)

Stage 5: eval

eval ... using (file_name)

Stage 6: eval

eval ... using (file_name)

Stage 7: eval

eval ... using (file_name)

Stage 8: eval

eval ... using (file_name)

Stage 9: eval

eval ... using (exe_files)

Stage 10: eval

eval ... using (config_files)

Stage 11: mvexpand

mvexpand

Stage 12: mvexpand

mvexpand

Stage 13: eval

eval ... using (file_name)

Stage 14: where

where config_present=1 dll_present=1 exe_base_names= exe_present=1 file_count>=3

Stage 15: search

search

Stage 16: search

search

Stage 17: search

search `macro`
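The stage pipeline above, re-implemented over constructed Sysmon Event ID 11 records as an added example (this is not the rule's own SPL and not Splunk code): stage 1 applies the tstats name and path globs, stages 3 to 14 group by host and process GUID and require an .exe, a matching .exe.config and a .dll with at least three files. Case-insensitive glob matching, the `ev` helper and the requirement that the .exe and .exe.config share a base name are this example's assumptions; the page truncates that last predicate.

```python
import fnmatch
from collections import defaultdict

# Stage 1 predicates copied from the rule's tstats WHERE clause.
NAME_PATTERNS = ["*.dll", "*.exe", "*.exe.config"]
PATH_PATTERNS = ["*Recycle.bin*", "*\\PerfLogs\\*", "*\\Users\\Administrator\\Music\\*",
                 "*\\Users\\Default\\*", "*\\Windows\\Media\\*", "*\\Windows\\repair\\*",
                 "*\\Windows\\servicing\\*", "*\\temp\\*", "*\\users\\public\\*",
                 "*\\windows\\debug\\*", "*\\windows\\fonts\\*"]

def in_scope(event):
    """Stage 1: keep FileCreate events matching the rule's globs (case-insensitive here, an assumption)."""
    name, path = event["file_name"].lower(), event["file_path"].lower()
    return (event["action"] == "created"
            and any(fnmatch.fnmatchcase(name, p.lower()) for p in NAME_PATTERNS)
            and any(fnmatch.fnmatchcase(path, p.lower()) for p in PATH_PATTERNS))

def find_hijack_artifacts(events):
    """Stages 3-14: group by (dest, process_guid); require .exe + matching .exe.config + .dll, >= 3 files."""
    groups = defaultdict(list)
    for event in filter(in_scope, events):
        groups[(event["dest"], event["process_guid"])].append(event["file_name"].lower())
    hits = []
    for (dest, guid), names in groups.items():
        exe_files = [n for n in names if n.endswith(".exe")]
        config_files = [n for n in names if n.endswith(".exe.config")]
        dll_present = any(n.endswith(".dll") for n in names)
        # Stages 9-12: strip extensions to base names and pair each .exe with its .exe.config
        # (pairing is this example's assumption; the page truncates the exe_base_names predicate).
        paired = sorted({n[:-len(".exe")] for n in exe_files} & {n[:-len(".exe.config")] for n in config_files})
        if exe_files and config_files and dll_present and paired and len(names) >= 3:
            hits.append({"dest": dest, "process_guid": guid,
                         "exe_base_names": paired, "file_count": len(names)})
    return hits

def ev(dest, guid, path, name):  # helper for building constructed records
    return {"action": "created", "dest": dest, "process_guid": guid, "file_path": path, "file_name": name}

# Constructed Sysmon Event ID 11 records, already mapped onto Endpoint.Filesystem fields.
SAMPLE_EVENTS = [
    ev("ws01", "{A1}", "C:\\Users\\Public\\Shared\\", "Updater.exe"),
    ev("ws01", "{A1}", "C:\\Users\\Public\\Shared\\", "Updater.exe.config"),
    ev("ws01", "{A1}", "C:\\Users\\Public\\Shared\\", "Helper.dll"),
    ev("ws02", "{B2}", "C:\\Program Files\\Vendor\\", "app.exe"),  # normal install path: dropped at stage 1
    ev("ws02", "{B2}", "C:\\Program Files\\Vendor\\", "app.exe.config"),
    ev("ws02", "{B2}", "C:\\Program Files\\Vendor\\", "app.dll"),
    ev("ws03", "{C3}", "C:\\Windows\\Temp\\", "tool.exe"),  # no .exe.config: fails the stage 14 where clause
    ev("ws03", "{C3}", "C:\\Windows\\Temp\\", "tool.dll"),
]
```

Running `find_hijack_artifacts(SAMPLE_EVENTS)` returns only the ws01 group, which is exactly the row the Splunk search would emit for these events.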

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank or a count of 1 means the indicator is specific to this rule.

Field                 Kind  Values
Filesystem.action     eq
  • "created" corpus 3 (splunk 3)
Filesystem.file_name  in
  • "*.dll" corpus 6 (splunk 6)
  • "*.exe" corpus 7 (splunk 7)
  • "*.exe.config"
Filesystem.file_path  in
  • "*Recycle.bin*" corpus 2 (splunk 2)
  • "*\\PerfLogs\\*" corpus 2 (splunk 2)
  • "*\\Users\\Administrator\\Music\\*" corpus 2 (splunk 2)
  • "*\\Users\\Default\\*" corpus 2 (splunk 2)
  • "*\\Windows\\Media\\*" corpus 2 (splunk 2)
  • "*\\Windows\\repair\\*" corpus 2 (splunk 2)
  • "*\\Windows\\servicing\\*" corpus 3 (splunk 3)
  • "*\\temp\\*"
  • "*\\users\\public\\*"
  • "*\\windows\\debug\\*"
  • "*\\windows\\fonts\\*"
config_present        eq
  • 1
dll_present           eq
  • 1
exe_present           eq
  • 1
file_count            ge
  • 3