Sysmon Alert Details
Alert ID: SYSMON-SHARED-MODULES-1129-7842
Alert Time: 2024-02-14 15:30:45 EST
Severity: MEDIUM (68/100)
Source: Sysmon (Event ID 7 – Image Loaded)
Rule: “DLL Loaded from Unusual Path by System Process”
MITRE ATT&CK: T1129 – Shared Modules
Alert Details:
Event ID: 7 (Image Loaded)
Time: 15:28 EST
Host: FIN-WS-089
Process: svchost.exe (PID: 1245)
User: SYSTEM
Image Loaded:
– Path: C:\Users\Public\Documents\crypt32.dll
– Original: C:\Windows\System32\crypt32.dll (legitimate)
– Hashes: SHA256=a1b2c3d4e5f6…
Anomaly Detection:
– crypt32.dll is a legitimate Windows DLL, but loaded from C:\Users\Public\Documents
– svchost.exe should only load DLLs from System32
– DLL loaded 5 seconds after process start
– File created 2 minutes prior (15:26)
Additional Sysmon Events:
– Event ID 11 (FileCreate): C:\Users\Public\Documents\crypt32.dll created by powershell.exe
– Event ID 1 (ProcessCreate): powershell.exe with encoded command
– Event ID 3 (NetworkConnect): svchost.exe connection to 185.143.221[.]89:443
DLL Analysis (Sandbox):
– Malicious DLL masquerading as crypt32.dll
– Exports legitimate crypt32 functions + additional malicious code
– When loaded, decrypts and executes embedded payload
– Establishes C2 connection
Threat Intelligence:
– DLL hash matches known “DLL side-loading” campaign
– Technique: Place malicious DLL in search path, wait for legitimate process to load it
– Targets crypt32.dll commonly used by Windows processes
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Sysmon events | Splunk, Sysmon Logs | Confirmed malicious DLL side-loading
2. Process Analysis | Identify process loading DLL | CrowdStrike Falcon | svchost.exe loaded malicious crypt32.dll
3. DLL Analysis | Analyze crypt32.dll | CrowdStrike Sandbox, Any.Run | DLL contains backdoor, connects to C2
4. Network Check | Check C2 communication | Firewall Logs, Zscaler | Connection to 185.143.221[.]89:443 established
5. Immediate Containment | Isolate host, block C2 | CrowdStrike, Palo Alto | Host isolated; C2 IP blocked
6. Root Cause | Identify source of DLL | PowerShell Logs | PowerShell script downloaded DLL from pastebin
Jira Incident Report
Ticket: SOC-2024-073
Summary: T1129 – DLL Side-Loading via Malicious crypt32.dll
Status: RESOLVED
Resolution: MALICIOUS – DLL Removed
Priority: P2 – MEDIUM
Labels: T1129, shared-modules, dll-side-loading, sysmon, persistence
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Sysmon Event ID 7 (Image Loaded).
Alert: “DLL Loaded from Unusual Path by System Process”.
Host: FIN-WS-089 (Finance Department).
Time: 2024-02-14 15:30 EST.
Technique: MITRE ATT&CK T1129 – Shared Modules.
2. Technical Analysis:
Attack Chain:
15:20 – User clicks link in phishing email
15:21 – PowerShell downloads malicious script from pastebin
15:22 – Script downloads crypt32.dll to C:\Users\Public\Documents\
15:23 – Script modifies PATH environment variable to prioritize Public folder
15:25 – Legitimate svchost.exe starts (triggered by system)
15:26 – svchost.exe loads crypt32.dll from Public folder (side-loading)
15:27 – Malicious DLL connects to C2
DLL Analysis:
File: crypt32.dll (SHA256: a1b2c3d4e5f6…)
Masquerades as: Legitimate Windows Crypto API DLL
Exports: All legitimate crypt32 exports (to avoid errors) + hidden backdoor
Backdoor: When loaded, decrypts payload and establishes reverse shell to C2
C2 Communication:
IP: 185.143.221[.]89:443
Protocol: HTTPS with custom certificate
Traffic: Beacon every 60 seconds
User Activity:
User received email about “Finance Report”
Clicked link to “download report”
Believed it was legitimate
3. Investigation Findings:
Timeline:
15:20 – User clicks link
15:21-15:23 – PowerShell downloads and places DLL
15:25 – svchost.exe starts (automatic)
15:26 – DLL loads
15:27 – C2 connection
15:30 – Sysmon alerts
15:32 – SOC investigation begins
15:35 – Host isolated; C2 blocked
Scope:
Single host affected
C2 communicated for 3 minutes before block
No data exfiltration detected (DLP logs)
Indicators of Compromise (IoCs):
Files:
– C:\Users\Public\Documents\crypt32.dll (SHA256: a1b2c3d4e5f6…)
Network:
– C2: 185.143.221[.]89:443
Process:
– svchost.exe loading DLL from Public folder
4. Containment Actions:
Immediate Actions:
Isolated host via CrowdStrike.
Blocked C2 IP at firewall.
Deleted malicious DLL.
Restored PATH environment variable.
Host Remediation:
Full scan with CrowdStrike (no other malware).
No reimage needed (DLL removed).
User Remediation:
Password reset.
Phishing training assigned.
5. Root Cause Analysis:
Primary Cause: User clicked link in phishing email.
Contributing Factors:
PowerShell allowed to download and execute scripts.
PATH variable allowed user-writable directories.
No application control for DLLs.
6. Business Impact:
Operational Impact: Finance workstation offline for 3 hours.
Data Exposure: None confirmed.
7. Remediation & Prevention:
Completed Actions:
DLL removed.
Host cleaned.
User educated.
C2 blocked.
Technical Controls Enhanced:
Implemented DLL search order hardening via GPO.
Blocked PowerShell downloads via execution policy.
Enabled Sysmon logging for all DLL loads.
Created alert for DLLs loaded from user-writable paths.
8. Conclusion:
Attackers used DLL side-loading to execute a backdoor via a legitimate Windows process. Sysmon detected the anomalous DLL load, enabling rapid containment. No data loss occurred.
Closure Rationale: DLL removed; host cleaned; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-14 17:00 EST