Loading of Dynwrapx module
DynamicWrapperX is an ActiveX component that can be used in a VBScript to call Windows API functions. It requires the dynwrapx.dll to be installed and registered. Registering or loading dynwrapx.dll to a host is an indicator of suspicious activity.
This search returns instances of the DynamicWrapperX or dynwrapx.dll image loaded onto a host.
Procedure
Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational EventCode=7 (ImageLoaded="*\\dynwrapx.dll" OR OriginalFileName="dynwrapx.dll" OR Product="DynamicWrapperX") | stats count min(_time) AS firstTime max(_time) AS lastTime BY Image ImageLoaded OriginalFileName Product process_name Computer EventCode Signed ProcessId | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational | Search Sysmon operational logs. |
| EventCode=7 (ImageLoaded="*\\dynwrapx.dll" OR OriginalFileName="dynwrapx.dll" OR Product="DynamicWrapperX") | Search for event code 7 (image loaded), which Sysmon logs when a module is loaded into a specific process, and within those events look for potentially suspicious dynwrapx.dll activity by path, original file name, or product name. |
| \| stats count min(_time) AS firstTime max(_time) AS lastTime BY Image ImageLoaded OriginalFileName Product process_name Computer EventCode Signed ProcessId | Count the matching events and return the first and last time each combination was seen, grouped by Image and the other fields listed. |
| \| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) \| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime) | Convert these times into readable strings. |
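As an added illustration (not part of the original search or any Splunk code), the following Python replays the same filter and stats aggregation over a handful of constructed Sysmon Event ID 7 records, so you can see which records each of the three OR clauses catches and how the BY fields split the results. Field names follow the search; the hostnames, paths and timestamps are made up.

```python
def ev(t, code, computer, image, pid, loaded, orig, product, signed):
    """Build one flattened Sysmon event. _time is kept as the %Y-%m-%dT%H:%M:%S
    string the search's convert commands produce; it sorts lexicographically."""
    return dict(_time=t, EventCode=code, Computer=computer, Image=image, ProcessId=pid,
                ImageLoaded=loaded, OriginalFileName=orig, Product=product, Signed=signed)

WSCRIPT = r"C:\Windows\System32\wscript.exe"
TMP_DLL = r"C:\Users\alice\AppData\Local\Temp\dynwrapx.dll"
SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    ev("2024-05-01T10:00:00", 7, "ws01", WSCRIPT, 4120, TMP_DLL, "dynwrapx.dll", "DynamicWrapperX", "false"),
    ev("2024-05-01T10:05:00", 7, "ws01", WSCRIPT, 4120, TMP_DLL, "dynwrapx.dll", "DynamicWrapperX", "false"),
    # same module under a different file name: only the PE metadata clauses catch this
    ev("2024-05-01T10:06:00", 7, "ws01", WSCRIPT, 4120, r"C:\Users\alice\AppData\Local\Temp\helper.dll",
       "dynwrapx.dll", "DynamicWrapperX", "false"),
    # benign system library load: must not match
    ev("2024-05-01T10:07:00", 7, "ws02", r"C:\Windows\System32\svchost.exe", 900,
       r"C:\Windows\System32\kernel32.dll", "kernel32.dll", "Microsoft Windows", "true"),
    # right module but wrong event type (1 = process create, not image load): must not match
    ev("2024-05-01T10:09:00", 1, "ws01", r"C:\Windows\System32\cmd.exe", 5000, TMP_DLL,
       "dynwrapx.dll", "DynamicWrapperX", "false"),
]

GROUP_BY = ("Image", "ImageLoaded", "OriginalFileName", "Product", "Computer",
            "EventCode", "Signed", "ProcessId")

def matches(e):
    """EventCode=7 AND (ImageLoaded="*\\dynwrapx.dll" OR OriginalFileName="dynwrapx.dll"
    OR Product="DynamicWrapperX"). SPL compares field values case-insensitively."""
    if e["EventCode"] != 7:
        return False
    return (e["ImageLoaded"].lower().endswith("\\dynwrapx.dll")
            or e["OriginalFileName"].lower() == "dynwrapx.dll"
            or e["Product"].lower() == "dynamicwrapperx")

def detect(events):
    """stats count min(_time) AS firstTime max(_time) AS lastTime BY <GROUP_BY>."""
    rows = {}
    for e in events:
        if not matches(e):
            continue
        key = tuple(e[f] for f in GROUP_BY)
        row = rows.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], e["_time"])
        row["lastTime"] = max(row["lastTime"], e["_time"])
    return [dict(zip(GROUP_BY, k), **v) for k, v in rows.items()]
```

Running `detect(SAMPLE_EVENTS)` yields two rows for ws01 and none for the kernel32 load or the EventCode 1 record; the helper.dll row exists only because the search also matches on OriginalFileName and Product, which is why those clauses matter.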
Next steps
You should treat activity that shows the registering or loading of dynwrapx.dll to a host as highly suspicious. In most instances when it is maliciously used, the best way to triage is to review parallel processes and pivot on the process_guid field.
During triage, isolate the endpoint and review for the source of exploitation. Capture any additional file modification events.
If your results indicate an attack has occurred, the host or computer where the vulnerability is detected needs to be further investigated and remediated according to your response plan. This involves a final step of re-imaging the system with a known good system build after investigation.
You might also be interested in other processes associated with the Detecting indicators of Remcos RAT malware use case.