Searching for unsigned DLLs as indicator of compromise

Having visibility is even more important in legacy scenarios (still the norm) such as a classic Active Directory network, which allows for many opportunities to escalate privileges and move laterally.

The best way to gain visibility is to have monitoring agents installed on most IT assets - from laptops to servers. Nowadays, the standard is to use Endpoint Detection and Response (EDR) software to search for typical indicators of compromise - automatically, and at scale.

One of the typical indicator and indeed a frequently used technique to execute malicious payloads on infected systems is loading a malicious DLL. Malicious DLLs are mostly written to unprivileged paths and its code is not signed by a trusted code signing authority. To evade detection, the DLLs are loaded by a signed process, either a utility dedicated to loading DLLs (such as rundll32.exe) or an executable that loads DLLs as part of its activity.

In the screenshot below (click to enlarge) showing an event from the Palo Alto Networks Cortex XDR product, an attacker is using a legitimate and signed application (in this case, AvastSvc.exe) to load a malicious and unsigned DLL (wsc.dll).

Here, the DLL loads a remote access tool (RAT) that enables the attacker to further explore and roam across the compromised network.

Of course, doing this search and analysis manually is becoming impossible in modern environments, where both the number of endpoints and attack techniques grow rapidly. What's needed is automatic analysis and discovery of offensive techniques used within a network.

EDR or XDR solutions help by alerting and blocking this and other execution techniques used on endpoints, regardless if the malware payload is known or seen for the first time. This can prevent post-exploitation activities in the early phases and discover threat actors on the network before it's too late.

Read more on unsigned DLL loading in Palo Alto Networks Unit 42 blog article.