Skip to main content
Splunk Lantern

DLL loaded in a specific process

You might need to look for a DLL loaded in a specific process when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

In the case of the Supernova and REvil malware infections, both use the same log and event code can be used to load DLLs in specific processes.

If your environment is ingesting Sysmon data, you can detect the activity of both infections using the following searches.

Option 1 - Supernova web shell malware search

Your company uses SolarWinds Orion business software, which is vulnerable to the Supernova in-memory web shell attack. You know that because it runs in memory, detection and forensic analysis post-breach are difficult.  You want to identify whether the Supernova trojanized DLL have been loaded to a specific process.

To optimize the search shown below, you should specify an index and a time range.  

  1. Run the following search:
sourcetype=xmlwineventlog:microsoft-windows-sysmon/operational EventCode=7 
(file_name=*logoimagehandler.ashx* OR 
SHA256=C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 OR 
SHA1=75af292f34789a1c782ea36c7127bf6106f595e8 OR 
MD5=56ceb6d0011d87b6e4d7023d7ef85676)
| table _time Image ImageLoaded Computer

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
sourcetype=xmlwineventlog:microsoft-windows-sysmon/operational Search only Sysmon operational data.
EventCode=7  Search for event code 7, which indicates an image was loaded.
(file_name=*logoimagehandler.ashx* OR 
SHA256=C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 OR 
SHA1=75af292f34789a1c782ea36c7127bf6106f595e8 OR 
MD5=56ceb6d0011d87b6e4d7023d7ef85676)
Search for the file name shown or the hashes associated with the Supernova trojanized DLL.
| table _time Image ImageLoaded Computer Display the results in a table with columns in the order shown.

Result

If any results indicate the file or the hashes are detected, then the host or computer where the vulnerability is detected needs to be further investigated and remediated according to your response plan. This involves a final step of re-imaging the system with a known good system build after investigation.

Option 2 - REvil ransomware search

REvil ransomware typically disables Windows Defender. As well as doing this, an older version (circa 2014) of msmpeng.exe (Defender) is being used to sideload REvil into the Kaseya agent software. 

If you have Sysmon EventCode 7, Image Loaded events, the following search could be helpful to detect this side-loading of malicious DLLs as well.

To optimize the search shown below, you should specify an index and a time range.  

  1. Run the following search:

source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7 Image="*MsMpEng.exe" ImageLoaded="*mpsvc.dll" SHA256 IN (e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2, 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
source="WinEventLog:Microsoft-Windows-Sysmon/Operational" Search only Sysmon operational data.
EventCode=7  Search for event code 7, which indicates an image was loaded.
Image="*MsMpEng.exe" ImageLoaded="*mpsvc.dll" SHA256 IN (e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2, 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd) Search for the image shown and the hashes associated with REvil ransomware.
| table _time Image ImageLoaded Computer Display the results in a table with columns in the order shown.

Result

If any results indicate the file or the hashes are detected, then the host or computer where the vulnerability is detected needs to be further investigated and remediated according to your response plan. This involves a final step of re-imaging the system with a known good system build after investigation.