T1574 – Hijack Execution Flow (Sysmon Detection)

Sysmon Alert Details
Alert ID: SYSMON-DLL-HIJACK-1574-7842
Alert Time: 2024-02-17 16:30:15 EST
Severity: HIGH (88/100)
Source: Sysmon (Event ID 7 – Image Loaded)
Rule: “DLL Loaded from Unusual Path by Trusted Process”
MITRE ATT&CK: T1574.001 – Hijack Execution Flow: DLL Search Order Hijacking

Alert Details:

Event ID: 7 (Image Loaded)

Time: 16:25 EST

Host: APP-SRV-045 (Application Server)

Process: sqlservr.exe (Microsoft SQL Server – PID: 1245)

User: NETWORK SERVICE

Image Loaded:

– Path: C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\version.dll

– Expected Path: C:\Windows\System32\version.dll

– Hashes: SHA256=c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2

Anomaly Detection:

– version.dll is a legitimate Windows DLL, but it was loaded from the SQL Server directory

– SQL Server should load version.dll from System32

– DLL was created 5 minutes prior (16:20 EST)

– Created by: powershell.exe (running as NETWORK SERVICE)

Additional Sysmon Events:

– Event ID 11 (FileCreate): C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\version.dll

– Event ID 1 (ProcessCreate): powershell.exe downloading file

DLL Analysis:

– Malicious DLL masquerading as version.dll

– Exports legitimate version.dll functions + additional malicious code

– When loaded by sqlservr.exe, connects to 194.165.16[.]89:443

– Establishes persistence in SQL Server process

SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Sysmon events | Splunk, Sysmon Logs | Confirmed DLL search order hijacking |
| 2. Process Analysis | Identify process loading malicious DLL | CrowdStrike | sqlservr.exe loaded version.dll from Binn folder |
| 3. DLL Analysis | Analyze version.dll | CrowdStrike Sandbox | DLL contains backdoor; connects to C2 |
| 4. Immediate Action | Stop SQL Server service, remove DLL | Services, PowerShell | Service stopped; malicious DLL deleted |
| 5. Network Block | Block C2 communication | Palo Alto Firewall | C2 IP blocked |
| 6. Threat Hunting | Check for other DLL hijacks | CrowdStrike, Sysmon | No other occurrences found |

Jira Incident Report
Ticket: SOC-2024-089
Summary: T1574 – DLL Search Order Hijacking in SQL Server
Status: RESOLVED
Resolution: MALICIOUS – DLL Removed
Priority: P2 – MEDIUM
Labels: T1574, dll-hijacking, execution-flow, sql-server, sysmon
Components: Endpoint-Security, Application-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Sysmon Event ID 7 (Image Loaded).
Alert: “DLL Loaded from Unusual Path by Trusted Process”.
Host: APP-SRV-045 (Application Server).
Process: sqlservr.exe (Microsoft SQL Server).
Time: 2024-02-17 16:30 EST.
Technique: MITRE ATT&CK T1574.001 – Hijack Execution Flow: DLL Search Order Hijacking.

2. Technical Analysis:

Attack Chain:

16:15 – Attacker gains access via compromised service account

16:16 – PowerShell downloads malicious version.dll from 185.143.221[.]89

16:20 – DLL saved to SQL Server Binn directory

16:21 – SQL Server restarts (triggered by attacker)

16:22 – sqlservr.exe starts, searches for version.dll

16:23 – Finds malicious version.dll in Binn directory (before System32)

16:23 – Malicious DLL loads, connects to C2

16:30 – Sysmon detects unusual DLL load

DLL Search Order Hijacking:

Legitimate DLL: version.dll (Windows system file)
Hijacked Path: C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\
Why It Works: Windows searches the application's own directory before System32
Effect: SQL Server loads the attacker's DLL instead of the legitimate one
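To make the search-order reasoning above concrete, here is an added example (not part of the original report or of any vendor tooling): a small Python model of the Windows DLL search order, with SafeDllSearchMode on and off, run over a constructed file layout that mirrors the incident. It also includes a hunting check of the kind used in step 6 of the investigation, listing DLL names in an application directory that shadow a System32 copy. The file layout, the current directory and the PATH entries are assumptions; the 16-bit system directory is left out of the model.

```python
# Added example, not part of the original report: a model of the Windows DLL
# search order used to show why a version.dll placed in the SQL Server Binn
# directory shadows the System32 copy, and which conditions stop that.
from pathlib import PureWindowsPath

APP_DIR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn"
SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"

# Constructed file layout: both copies exist, as they did during the incident.
FILES_DURING_INCIDENT = {
    SYSTEM32 + r"\version.dll",
    APP_DIR + r"\version.dll",
    APP_DIR + r"\sqlservr.exe",
}
# Same layout after step 4 of the investigation (Binn copy deleted).
FILES_AFTER_CLEANUP = FILES_DURING_INCIDENT - {APP_DIR + r"\version.dll"}


def search_order(app_dir, cwd, path_dirs, safe_dll_search_mode=True):
    """Directories probed, in order, for LoadLibrary("name.dll") with no path.

    SafeDllSearchMode (on by default) moves the current directory behind the
    system directories; it does not move the application directory, which is
    probed first either way. The 16-bit system directory is omitted."""
    if safe_dll_search_mode:
        return [app_dir, SYSTEM32, WINDIR, cwd, *path_dirs]
    return [app_dir, cwd, SYSTEM32, WINDIR, *path_dirs]


def resolve(dll_name, files, app_dir, cwd=r"C:\Windows\System32", path_dirs=(),
            safe_dll_search_mode=True, known_dlls=frozenset()):
    """Path the loader would map for dll_name, or None if it is not found.

    Names on the KnownDLLs list are always mapped from System32 and never
    searched for, so they cannot be shadowed by a copy in the app directory."""
    lowered = {f.lower(): f for f in files}
    if dll_name.lower() in known_dlls:
        return lowered.get((SYSTEM32 + "\\" + dll_name).lower())
    for directory in search_order(app_dir, cwd, list(path_dirs), safe_dll_search_mode):
        hit = lowered.get((directory + "\\" + dll_name).lower())
        if hit:
            return hit
    return None


def shadowed_system_dlls(files, app_dir):
    """Hunting check: DLL names present in app_dir that also exist in System32.

    Every hit is a search-order hijack candidate and deserves a look at who
    created it (Sysmon Event ID 11) and whether it carries a valid signature."""
    system_prefix = SYSTEM32.lower() + "\\"
    system_names = {PureWindowsPath(f).name.lower()
                    for f in files if f.lower().startswith(system_prefix)}
    hits = []
    for f in files:
        p = PureWindowsPath(f)
        if (str(p.parent).lower() == app_dir.lower()
                and p.suffix.lower() == ".dll"
                and p.name.lower() in system_names):
            hits.append(p.name.lower())
    return sorted(hits)


if __name__ == "__main__":
    for safe in (True, False):
        print(f"SafeDllSearchMode={safe}:",
              resolve("version.dll", FILES_DURING_INCIDENT, APP_DIR, safe_dll_search_mode=safe))
    print("after cleanup:", resolve("version.dll", FILES_AFTER_CLEANUP, APP_DIR))
    print("as a KnownDLL:", resolve("version.dll", FILES_DURING_INCIDENT, APP_DIR,
                                    known_dlls=frozenset({"version.dll"})))
    print("shadowed in Binn:", shadowed_system_dlls(FILES_DURING_INCIDENT, APP_DIR))
```

Running the model shows the point the report makes: the Binn copy wins whether or not SafeDllSearchMode is enabled, because the application directory is first in both orders. What actually removes the hijack is taking the copy out of the application directory (and the write permission that allowed it), or having the loader resolve the name without a search, as it does for KnownDLLs or for a fully qualified load path.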

Malicious DLL Analysis:

File: version.dll (SHA256: c3d4e5f6…)
Exports: All legitimate version.dll exports (to avoid errors)
Backdoor: When loaded, it:
– Creates a hidden thread in sqlservr.exe
– Connects to C2 at 194.165.16[.]89:443
– Waits for commands (execute, exfiltrate, pivot)

C2 Communication:

Established at 16:23
Beacon every 60 seconds
No data exfiltration before containment

3. Investigation Findings:

Timeline:

16:15 – Attacker access

16:16-16:20 – DLL downloaded

16:21 – SQL Server restarted

16:23 – DLL loads, C2 connects

16:30 – Sysmon alert

16:32 – SOC investigates

16:35 – Service stopped, DLL deleted

Indicators of Compromise (IoCs):

Files:

– C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\version.dll (SHA256: c3d4e5f6…)

Network:

– C2: 194.165.16[.]89:443

– Download URL: http://185.143.221[.]89/version.dll

Account:

– Compromised service account (svc_sql)

4. Containment Actions:

Immediate Actions:

Stopped SQL Server service.
Deleted malicious version.dll.
Restarted SQL Server (loads legitimate DLL from System32).
Blocked C2 IP at firewall.

Service Account Remediation:

Identified compromised service account (svc_sql).
Reset password.
Audited account activity.

Host Remediation:

Full scan (no other malware).
Verified SQL Server functioning normally.

5. Root Cause Analysis:

Primary Cause: Compromised service account allowed DLL upload.
Contributing Factors:
– SQL Server directory writable by service account (over-privileged).
– DLL search order hijacking possible (no secure DLL loading).
– No file integrity monitoring for application directories.

6. Business Impact:

Operational Impact: SQL Server offline for 15 minutes.
Data Exposure: None (C2 contained).

7. Remediation & Prevention:

Completed Actions:

Malicious DLL removed.
Service account secured.
C2 blocked.

Technical Controls Enhanced:

Restricted write permissions on application directories.
Enabled Safe DLL Search Mode via GPO.
Implemented application whitelisting (CrowdStrike Falcon Prevent).
Created Sysmon alert for any DLL loads from non-standard paths.
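The alert rule that fired here, and the broader one added as a control, both reduce to one check: a DLL name that normally lives in a Windows system directory was loaded by a trusted process from somewhere else. The following is an added example, not the report's own rule or any SIEM's query language: Python detection logic over constructed Sysmon Event ID 7 and Event ID 11 records (field names follow Sysmon's schema, values are made up to mirror the incident, with EST times converted to UTC as Sysmon records them). It flags the load and enriches the hit with the FileCreate event that wrote the file, which is what turned this alert from "odd path" into "file dropped by PowerShell five minutes earlier". The baseline of system DLL names is a constructed stand-in for an inventory of System32.

```python
# Added example, not part of the original report: detection logic for
# "system DLL name loaded from outside the Windows system directories",
# with enrichment from the Event ID 11 (FileCreate) that wrote the file.
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed baseline of DLL names that live in System32 on this host class.
# In production, build this from an inventory of C:\Windows\System32.
SYSTEM_DLL_BASELINE = {
    "version.dll", "kernel32.dll", "ntdll.dll", "advapi32.dll",
    "ws2_32.dll", "user32.dll", "crypt32.dll",
}
# Directories from which a baseline DLL is expected to load.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

BINN = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed Sysmon records (UtcTime is UTC; 16:20 EST == 21:20 UTC).
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2024-02-17 21:20:00", "Computer": "APP-SRV-045",
     "Image": POWERSHELL, "ProcessId": 3310, "TargetFilename": BINN + r"\version.dll"},
    {"EventID": 7, "UtcTime": "2024-02-17 21:23:00", "Computer": "APP-SRV-045",
     "Image": BINN + r"\sqlservr.exe", "ProcessId": 1245,
     "ImageLoaded": BINN + r"\version.dll"},
    # Benign: the same process loading a baseline DLL from System32.
    {"EventID": 7, "UtcTime": "2024-02-17 21:23:00", "Computer": "APP-SRV-045",
     "Image": BINN + r"\sqlservr.exe", "ProcessId": 1245,
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    # Benign: a vendor DLL that is supposed to live in Binn (name not in baseline).
    {"EventID": 7, "UtcTime": "2024-02-17 21:23:01", "Computer": "APP-SRV-045",
     "Image": BINN + r"\sqlservr.exe", "ProcessId": 1245,
     "ImageLoaded": BINN + r"\sqlmin.dll"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def under_system_dir(path):
    """True when path sits below one of the Windows system directories."""
    lowered = path.lower()
    return any(lowered.startswith(d + "\\") for d in SYSTEM_DIRS)


def is_hijack_candidate(image_loaded):
    """A baseline system DLL name loaded from a non-system path."""
    name = PureWindowsPath(image_loaded).name.lower()
    return name in SYSTEM_DLL_BASELINE and not under_system_dir(image_loaded)


def detect(events, window=timedelta(minutes=30)):
    """Return one alert per suspicious Event ID 7, enriched with the creator.

    A FileCreate for the same path within `window` before the load raises the
    severity: a freshly dropped file is the strongest signal this rule has."""
    creates = [e for e in events if e["EventID"] == 11]
    alerts = []
    for event in events:
        if event["EventID"] != 7 or not is_hijack_candidate(event["ImageLoaded"]):
            continue
        loaded = event["ImageLoaded"]
        loaded_at = _ts(event["UtcTime"])
        writer = next(
            (c for c in creates
             if c["TargetFilename"].lower() == loaded.lower()
             and timedelta(0) <= loaded_at - _ts(c["UtcTime"]) <= window),
            None,
        )
        alerts.append({
            "rule": "DLL Loaded from Unusual Path by Trusted Process",
            "technique": "T1574.001",
            "host": event["Computer"],
            "process": event["Image"],
            "pid": event["ProcessId"],
            "image_loaded": loaded,
            "expected_path": "C:\\Windows\\System32\\" + PureWindowsPath(loaded).name,
            "created_by": writer["Image"] if writer else None,
            "created_at": writer["UtcTime"] if writer else None,
            "severity": "HIGH" if writer else "MEDIUM",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The two benign records show the rule's boundaries: a baseline DLL from System32 is never flagged, and a vendor DLL in Binn is only flagged if its name collides with the baseline, which is exactly the condition that makes a copy hijackable. Keeping the baseline as an inventory rather than a hand-typed list, and treating an unsigned or recently created hit as higher severity, is what keeps this rule quiet on application servers that legitimately ship many of their own DLLs.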

8. Conclusion:

An attacker used a compromised service account to plant a malicious DLL in the SQL Server directory, hijacking the DLL search order. The malicious DLL loaded when SQL Server restarted and connected to C2. Sysmon detected the anomalous DLL load, enabling rapid removal.

Closure Rationale: Malicious DLL removed; service account secured; controls enhanced.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-17 17:30 EST
