M365 DLL Hijacking Activity

Detection overview

The "M365 DLL Hijacking Activity" detection identifies potentially malicious behavior where Dynamic Link Library (DLL) files are downloaded under conditions suggesting an attempt to exploit the way applications load DLLs. This activity is particularly concerning as it can result in a system compromise if malicious DLLs are executed instead of legitimate ones.

Triggers

  • An account that does not typically download DLLs has been observed downloading a DLL file under conditions that highlight the risk of DLL hijacking, such as a non-DLL file and a DLL file being downloaded from the same directory within a short time frame.
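As an added illustration, not the vendor's own detection logic, the trigger above can be modelled as a check over M365 FileDownloaded audit records: an account outside a baseline of known DLL downloaders fetches a DLL and a non-DLL file from the same directory within a short window. The audit records, the baseline set, the field names and the five-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import posixpath

# Constructed sample of M365 audit records (Operation = FileDownloaded); not real data.
EVENTS = [
    {"time": "2024-05-01T09:00:05Z", "user": "alice@example.com",
     "path": "/sites/Eng/Shared Documents/build/app.exe"},
    {"time": "2024-05-01T09:00:40Z", "user": "alice@example.com",
     "path": "/sites/Eng/Shared Documents/build/version.dll"},
    {"time": "2024-05-01T10:15:00Z", "user": "dev@example.com",
     "path": "/sites/Eng/Shared Documents/build/version.dll"},
    {"time": "2024-05-01T10:15:30Z", "user": "dev@example.com",
     "path": "/sites/Eng/Shared Documents/build/app.exe"},
    {"time": "2024-05-01T11:00:00Z", "user": "alice@example.com",
     "path": "/sites/Finance/Shared Documents/q1.xlsx"},
]

# Hypothetical baseline: accounts observed downloading DLLs as part of normal work.
DLL_BASELINE = {"dev@example.com"}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_dll_hijacking(events, baseline=DLL_BASELINE, window=timedelta(minutes=5)):
    """Alert when an account outside the baseline downloads a DLL and a non-DLL
    file from the same directory within `window` of each other."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((_parse(e["time"]), e["path"]))
    alerts = []
    for user, downloads in by_user.items():
        if user in baseline:
            continue  # DLL downloads are expected for this account
        for t_dll, p_dll in downloads:
            if not p_dll.lower().endswith(".dll"):
                continue
            dll_dir = posixpath.dirname(p_dll)
            for t_other, p_other in downloads:
                if (posixpath.dirname(p_other) == dll_dir
                        and not p_other.lower().endswith(".dll")
                        and abs(t_other - t_dll) <= window):
                    alerts.append({"user": user, "directory": dll_dir,
                                   "dll": posixpath.basename(p_dll),
                                   "companion": posixpath.basename(p_other)})
    return alerts


if __name__ == "__main__":
    for alert in detect_dll_hijacking(EVENTS):
        print(alert)
```

With the sample data only alice's pair is flagged; dev's identical pair is suppressed by the baseline, and the lone spreadsheet download is ignored because no DLL accompanies it.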

Possible Root Causes

  • An attacker has abused the way applications search for DLLs by placing a malicious DLL file into a shared directory with the intention of compromising any endpoint that loads the malicious DLL file rather than the intended application DLL file.
  • In some cases, developers collaborating from a cloud hosted repository could intentionally download and access DLLs this way.

Business Impact

  • DLL Hijacking may result in the complete compromise of a targeted system, and associated accounts and data.
  • Endpoints compromised through DLL Hijacking give an attacker an additional foothold in the environment and an opportunity for additional lateral movement, increasing the risk of impact to enterprise systems, users, and data.

Steps to Verify

  • Investigate the user associated with this action, and verify if this user would be downloading DLL files as part of their expected workflows.
  • Investigate the presence of additional files accessed as part of this detection, and assess whether this is indicative of an authorized remote application used for legitimate business purposes.

Possible root causes

Malicious Detection

Attackers exploit DLL search order vulnerabilities by placing malicious DLL files in directories accessible to target applications. This tactic ensures the attacker’s DLL is loaded instead of the intended one, granting them the ability to execute arbitrary code, maintain persistence, or escalate privileges.

Benign Detection

Legitimate developers or software may download and utilize DLL files during the collaborative development process or as part of updates. These activities, while uncommon for regular users, can trigger detections when performed from cloud-hosted repositories or shared environments.


Example scenarios

  • An attacker uploads a malicious DLL to a shared network directory. A trusted application mistakenly loads this DLL, allowing the attacker to execute arbitrary code.
  • A developer downloads a series of DLL files and their corresponding application files from a secure repository for testing purposes.

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

System compromise

Malicious DLL execution can result in unauthorized access to sensitive systems and data.

Lateral movement

Exploited endpoints provide attackers additional opportunities to compromise more systems within the network.

Operational disruptions

The execution of harmful DLLs can disrupt normal operations and degrade system performance.


Steps to investigate


MITRE ATT&CK techniques covered

FAQs

What is DLL hijacking?

DLL hijacking involves tricking an application into loading a malicious DLL instead of a legitimate one.

Can legitimate users trigger this detection?

Yes, developers or system administrators may unintentionally cause it during legitimate tasks.

How can I confirm if this activity is malicious?

Investigate the source, integrity, and purpose of the DLL files in question.

How does DLL hijacking facilitate attacks?

It enables attackers to run malicious code under the guise of a legitimate application.

How can I prevent DLL hijacking?

Implement strong file permissions, code signing, and enforce application whitelisting policies.

Why is this detection important?

It identifies potentially malicious attempts to exploit DLL search order vulnerabilities.

What types of files are involved?

Both DLL and non-DLL files downloaded from the same directory are flagged.

What tools can I use for investigation?

File integrity checkers, behavioral analytics, and endpoint monitoring solutions are effective.

What should I do if malicious activity is confirmed?

Isolate the affected system, remove the malicious DLLs, and review all related access logs.

Does this detection impact compliance?

Yes, unaddressed DLL hijacking incidents may breach data protection and cybersecurity regulations.