M365 DLL Hijacking Activity
Detection overview
The "M365 DLL Hijacking Activity" detection identifies potentially malicious behavior where Dynamic Link Library (DLL) files are downloaded under conditions suggesting an attempt to exploit the way applications load DLLs. This activity is particularly concerning as it can result in a system compromise if malicious DLLs are executed instead of legitimate ones.
Triggers
- An account that may not download DLLs typically has been observed downloading a DLL file under conditions that highlight the risk of DLL hijacking, such as both a non-DLL and DLL file being downloaded from the same directory in a short time frame.
Possible Root Causes
- An attacker has abused the way applications search for DLLs by placing a malicious DLL file into a shared directory with the intention of compromising any endpoint that loads the malicious DLL file rather than the intended application DLL file.
- In some cases, developers collaborating from a cloud hosted repository could intentionally download and access DLLs this way.
Business Impact
- DLL Hijacking may result in the complete compromise of a targeted system, and associated accounts and data.
- Endpoints compromised through DLL Hijacking give an attacker an additional foothold in the environment and an opportunity for additional lateral movement, increasing the risk of impact to enterprise systems, users, and data.
Steps to Verify
- Investigate the user associated with this action, and verify if this user would be downloading DLL files as part of their expected workflows.
- Investigate presence of additional files accessed as part of this detection, and assess if this is indicative of an authorize remote application, used for legitimate business purposes.
M365 DLL Hijacking Activity
Possible root causes
Malicious Detection
Attackers exploit DLL search order vulnerabilities by placing malicious DLL files in directories accessible to target applications. This tactic ensures the attacker’s DLL is loaded instead of the intended one, granting them the ability to execute arbitrary code, maintain persistence, or escalate privileges.
Benign Detection
Legitimate developers or software may download and utilize DLL files during the collaborative development process or as part of updates. These activities, while uncommon for regular users, can trigger detections when performed from cloud-hosted repositories or shared environments.
M365 DLL Hijacking Activity
Example scenarios
- An attacker uploads a malicious DLL to a shared network directory. A trusted application mistakenly loads this DLL, allowing the attacker to execute arbitrary code.
- A developer downloads a series of DLL files and their corresponding application files from a secure repository for testing purposes.
M365 DLL Hijacking Activity
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
System compromise
Malicious DLL execution can result in unauthorized access to sensitive systems and data.
Lateral movement
Exploited endpoints provide attackers additional opportunities to compromise more systems within the network.
Operational disruptions
The execution of harmful DLLs can disrupt normal operations and degrade system performance.
M365 DLL Hijacking Activity
Steps to investigate
Identify the user and their typical workflows
Assess whether the flagged user is expected to interact with DLL files.
Examine additional accessed files
Investigate if other files downloaded in this instance indicate the use of a legitimate application or a potential compromise.
Analyze the origin and content of the DLL
Verify the source and integrity of the DLL files. Ensure the files align with their expected application or use case.
Corroborate activity with organizational processes
Ensure the download and use of DLLs adhere to approved operational or development processes.
M365 DLL Hijacking Activity
Related detections
No items found.
FAQs
What is DLL hijacking?
DLL hijacking involves tricking an application into loading a malicious DLL instead of a legitimate one.
Can legitimate users trigger this detection?
Yes, developers or system administrators may unintentionally cause it during legitimate tasks.
How can I confirm if this activity is malicious?
Investigate the source, integrity, and purpose of the DLL files in question.
How does DLL hijacking facilitate attacks?
It enables attackers to run malicious code under the guise of a legitimate application.
How can I prevent DLL hijacking?
Implement strong file permissions, code signing, and enforce application whitelisting policies.
Why is this detection important?
It identifies potentially malicious attempts to exploit DLL search order vulnerabilities.
What types of files are involved?
Both DLL and non-DLL files downloaded from the same directory are flagged.
What tools can I use for investigation?
File integrity checkers, behavioral analytics, and endpoint monitoring solutions are effective.
What should I do if malicious activity is confirmed?
Isolate the affected system, remove the malicious DLLs, and review all related access logs.
Does this detection impact compliance?
Yes, unaddressed DLL hijacking incidents may breach data protection and cybersecurity regulations.