Detecting Adversary Tradecraft with Image Load Event Logging and EQL

David French
Aug 16, 2019
Splitting Logs — Photo by Dan Edwards on Unsplash

While examining some malicious Microsoft Office and PE files for detection opportunities, I came across a few samples where Windows image load event logging can be used to write high-efficacy detection rules.

I don’t often hear about image load event logging being leveraged for threat detection, so I decided to share a few practical examples where this event type can be used to detect malicious behavior with the objective of helping blue teams with their threat detection and incident response efforts.

What is an Image Load Event?

A Windows process can load a dynamic link library (DLL) in order to use one or more of the DLL’s functions to carry out certain actions. For example, notepad.exe loads kernel32.dll before it can call the CreateFileW function to create or open files. This load is an image load event.

The imports table of notepad.exe shows that it imports CreateFileW from kernel32.dll

Importing functions from existing DLLs means that developers don’t have to write their own code to have their software perform tasks such as writing or deleting files, creating additional processes, or handling network connections. “The use of DLLs helps promote modularization of code, code reuse, efficient memory usage, and reduced disk space.”

As you’ll see in the following examples, an adversary may write their malicious code to import functions from Windows or third-party software DLLs in order to achieve objectives such as stealing passwords from, or establishing persistence on, their victim’s endpoint.

Configuring Image Load Event Logging

Microsoft Sysmon can be configured to log events to provide visibility into what DLLs are loaded by running processes.

Description of Sysmon Event ID 7

Roberto Rodriguez’s (@Cyb3rWard0g) Sysmon configuration file will capture the above Event ID.

Execute the following command to install Sysmon and apply a configuration file.

sysmon.exe -i -c .\config_file.xml

You can review Sysmon events in Event Viewer under . Below is an example event. As you can see, notepad.exe loaded kernel32.dll. Sysmon also collects other useful information, such as the hashes and signer information for the image that was loaded.

Image loaded:
RuleName:
UtcTime: 2019-08-04 13:59:40.739
ProcessGuid: {0AD3E319-E4CC-5D46-0000-0010A1A06A00}
ProcessId: 4132
Image: C:\Windows\System32\notepad.exe
ImageLoaded: C:\Windows\System32\kernel32.dll
FileVersion: 10.0.14393.206 (rs1_release.160915-0644)
Description: Windows NT BASE API Client DLL
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
Hashes: SHA1=6EE3E2D33012161659609DADEA59A2164C5A5CEB,MD5=6955067712F2F4752CA12192B08EF860,SHA256=E02A3B57EA8B393408FF782866A1D342DD8C6B5F5925BA527981DBB21B6A4080,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

Let’s look at some examples of suspicious module loading behavior and how you can detect it.

Example 1: Malware Harvesting Credentials from Windows Credential Manager

Windows Credential Manager allows you to create, view, or delete your saved credentials for signing in to websites, connected applications, and networks. An adversary may attempt to list or dump credentials stored in the Credential Manager.

When the built-in vaultcmd.exe command line utility is used to list or manage stored credentials, this process loads the vaultcli.dll module. This behavior is normal.

Process Monitor output shows vaultcli.dll loaded by vaultcmd.exe

Examining the exports table of vaultcli.dll suggests that this DLL provides the functionality to enumerate or get information from the credential vault.

Reviewing the exports table of vaultcli.dll

Some malware authors abuse the functions provided by the Credential Vault Client Library (vaultcli.dll) by importing its functionality to enumerate or harvest saved credentials.

The screenshot below from Process Hacker shows that Fareit malware loaded the vaultcli.dll module.

Credential Vault Client Library (vaultcli.dll) DLL loaded by Fareit malware

The following event was captured by Sysmon and shows that vaultcli.dll was loaded by fareit.exe, not vaultcmd.exe.

Image loaded:
RuleName:
UtcTime: 2019-08-04 14:15:42.301
ProcessGuid: {0AD3E319-E88D-5D46-0000-001097C2A500}
ProcessId: 4516
Image: C:\Users\Roxy\Downloads\fareit.exe
ImageLoaded: C:\Windows\SysWOW64\vaultcli.dll
FileVersion: 10.0.14393.0 (rs1_release.160715-1616)
Description: Credential Vault Client Library
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
Hashes: SHA1=8395B530CAB0415DAFE8B01B2A7342866C6F45E1,MD5=33F761B3487238BEEEE5577C3E089CE7,SHA256=325E4DDAF3F45B4B540A98E05FB6A6F036A6955875F303D833E7A7644EB939DC,IMPHASH=8721D7F174531C1C4F8942462C87C899
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

We can write an Event Query Language (EQL) query to detect unexpected processes loading vaultcli.dll as follows. If you’re not familiar with EQL, you can find the getting started guide here.

Suspicious Process Loading Credential Vault DLL

Bonus Detection: Credential Harvesting via vaultcmd.exe

An adversary can use the vaultcmd.exe utility to list the credentials that their victim has saved in the Credential Vault in preparation for harvesting them to use during their operations.

vaultcmd /list
vaultcmd /listproperties:"Windows Credentials"
vaultcmd /listcreds:"Windows Credentials" /all

We can detect this behavior with the following EQL query.

Credential Enumeration via Credential Vault CLI

Example 2: Stealthy Scheduled Task Creation via VBA Macro

A Microsoft Office document can contain VBA code to create a scheduled task for persistence without using the native scheduled tasks () utility. A sample that exhibited this behavior was recently documented here.

Many defenders have logging and alerting in place to detect suspicious usage of . The following sample would bypass this detection, which is why I found it interesting.

If we open the malicious Excel document with Process Monitor running, we can see that excel.exe loads taskschd.dll (File Description: Task Scheduler COM API). Thanks @DanielStepanic for pointing this one out. Unless you have VBA macro-enabled Office documents in your environment that create or modify Windows scheduled tasks, this behavior should not occur often.

Process Monitor output showing excel.exe loading taskschd.dll

The following event was captured by Sysmon, showing that taskschd.dll was loaded by excel.exe.

Image loaded:
RuleName:
UtcTime: 2019-08-05 19:39:51.293
ProcessGuid: {6F8FEDE1-85F8-5D48-0000-0010DADC5401}
ProcessId: 4832
Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
ImageLoaded: C:\Windows\System32\taskschd.dll
FileVersion: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Description: Task Scheduler COM API
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: taskschd.dll
Hashes: SHA1=6F5A626EFF54C33FDC8C9E3D7EA44677CA0818DA,MD5=BAAFAF9CEAEC0B73C2A3550A01F6CECB,SHA256=018CB95A43CEA2063EA24691C71D51EF60D522C21502ABA8AD93876363D4B857,IMPHASH=21BCC6496DD1370029F85F9F7A29B9FB
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

We can detect the behavior of Microsoft Office applications loading taskschd.dll with the following EQL query.

Scheduled Task Creation via Microsoft Office Application

Example 3: WMI Execution via VBA Macro

An adversary may include a malicious macro in a Microsoft Office document to execute commands via Windows Management Instrumentation (WMI). The motive behind this behavior is to evade detections that rely on process relationships.

A common detection for security operations teams is to look for suspicious child processes of Microsoft Office applications, such as or . Below is an EQL query to detect this behavior. The list of process names is not exhaustive.


By invoking WMI to execute a malicious command, powershell.exe is spawned with the parent process wmiprvse.exe, not winword.exe or whatever application is used to execute the macro.

Process Monitor output showing powershell.exe with the parent process wmiprvse.exe
Process Monitor output showing no child processes spawned by winword.exe

On Windows 10 x64 with Office 2016 installed, the following DLLs are loaded by Microsoft Word (winword.exe) when a VBA macro is executed that invokes a WMI command.

C:\Windows\SysWOW64\wbem\wbemdisp.dll
C:\Windows\SysWOW64\wbemcomn.dll
C:\Windows\SysWOW64\wbem\wbemprox.dll
C:\Windows\SysWOW64\wbem\wmiutils.dll
C:\Windows\SysWOW64\wbem\wbemsvc.dll
C:\Windows\SysWOW64\wbem\fastprox.dll
Process Monitor output showing WMI-related DLLs loaded by winword.exe

We can detect this suspicious behavior with the following EQL query:

WMI Execution via Microsoft Office Application
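As an added example, and not code from the original post, the following Python applies the matching logic behind the analytics in Example 1 (unexpected loaders of vaultcli.dll), the bonus detection (vaultcmd.exe enumeration), Example 2 (Office loading taskschd.dll) and Example 3 (Office loading the WMI client DLLs) to constructed Sysmon event text in the "Key: Value" message layout shown above. The allow-list of expected vaultcli.dll loaders, the Office process names beyond excel.exe and winword.exe, the process IDs and timestamps of the sample events, and the EQL shape quoted in the docstring are assumptions of this example rather than the author’s queries; the shared Office rule also generalizes Examples 2 and 3 to any watched DLL set.

```python
import re

# Constructed Sysmon event text in the "Key: Value" message layout shown in the
# post (Event ID 7 "Image loaded" and Event ID 1 "Process Create"). Paths follow
# the post's examples; process IDs and timestamps are made up for this example.
SAMPLE_EVENTS = r"""
Image loaded:
UtcTime: 2019-08-04 14:15:42.301
ProcessId: 4516
Image: C:\Users\Roxy\Downloads\fareit.exe
ImageLoaded: C:\Windows\SysWOW64\vaultcli.dll

Process Create:
UtcTime: 2019-08-04 14:20:00.900
ProcessId: 4600
Image: C:\Windows\System32\vaultcmd.exe
CommandLine: vaultcmd /listcreds:"Windows Credentials" /all

Image loaded:
UtcTime: 2019-08-04 14:20:01.000
ProcessId: 4600
Image: C:\Windows\System32\vaultcmd.exe
ImageLoaded: C:\Windows\System32\vaultcli.dll

Image loaded:
UtcTime: 2019-08-05 19:39:51.293
ProcessId: 4832
Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
ImageLoaded: C:\Windows\System32\taskschd.dll

Image loaded:
UtcTime: 2019-08-05 20:01:10.000
ProcessId: 5120
Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
ImageLoaded: C:\Windows\SysWOW64\wbem\wbemdisp.dll
"""

# The post shows vaultcmd.exe as the legitimate loader of vaultcli.dll and
# excel.exe/winword.exe as Office hosts; the extra Office names are assumed.
VAULT_DLL_EXPECTED_LOADERS = {"vaultcmd.exe"}
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WMI_CLIENT_DLLS = {"wbemdisp.dll", "wbemcomn.dll", "wbemprox.dll",
                   "wmiutils.dll", "wbemsvc.dll", "fastprox.dll"}

def parse_sysmon_text(text):
    """Split message text into events; the first line of each block names the
    type ("Image loaded:" -> image_loaded, "Process Create:" -> process_create)."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        header = lines[0].rstrip(":").strip().lower().replace(" ", "_")
        event = {"event_type": header}
        for line in lines[1:]:
            key, _, value = line.partition(":")  # first colon only: UtcTime has more
            event[key.strip()] = value.strip()
        events.append(event)
    return events

def basename(path):
    """Lower-cased file name of a Windows path (Sysmon logs full paths)."""
    return path.rsplit("\\", 1)[-1].lower()

def detect_vault_dll_abuse(events):
    """Example 1: vaultcli.dll loaded by a process other than the expected loader
    (assumed EQL shape: image_load where image_name == "vaultcli.dll" and
    process_name != "vaultcmd.exe")."""
    return [e for e in events if e["event_type"] == "image_loaded"
            and basename(e.get("ImageLoaded", "")) == "vaultcli.dll"
            and basename(e.get("Image", "")) not in VAULT_DLL_EXPECTED_LOADERS]

def detect_vaultcmd_enumeration(events):
    """Bonus detection: vaultcmd.exe run with a /list* switch (/list,
    /listproperties, /listcreds); a process-create rule, not an image-load one."""
    return [e for e in events if e["event_type"] == "process_create"
            and basename(e.get("Image", "")) == "vaultcmd.exe"
            and "/list" in e.get("CommandLine", "").lower()]

def detect_office_dll_load(events, watched):
    """Examples 2 and 3: an Office host process loading any DLL in `watched`."""
    return [e for e in events if e["event_type"] == "image_loaded"
            and basename(e.get("Image", "")) in OFFICE_PROCESSES
            and basename(e.get("ImageLoaded", "")) in watched]

def run_all(text):
    """Run every rule; return the ProcessId of each hit, keyed by rule name."""
    events = parse_sysmon_text(text)
    rules = {
        "vault_dll_unexpected_loader": detect_vault_dll_abuse(events),
        "vaultcmd_enumeration": detect_vaultcmd_enumeration(events),
        "office_loads_taskschd": detect_office_dll_load(events, {"taskschd.dll"}),
        "office_loads_wmi": detect_office_dll_load(events, WMI_CLIENT_DLLS),
    }
    return {name: [e["ProcessId"] for e in hits] for name, hits in rules.items()}

if __name__ == "__main__":
    for rule, pids in run_all(SAMPLE_EVENTS).items():
        print(f"{rule}: {pids or 'no hits'}")
```

Running the script reports fareit.exe (PID 4516) for the vaultcli.dll rule while the vaultcmd.exe load of the same DLL stays silent, which is the allow-list doing its job; the vaultcmd.exe enumeration is caught by the separate process-create rule instead. In production the same predicates would run inside EQL or your SIEM, and the allow-lists would be tuned to the legitimate loaders and macro-enabled documents present in your environment.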

We have covered what image load event logging is, how to enable it using Sysmon, and some practical examples of how it can be used to detect evasive attempts to steal credentials, establish persistence, or execute malicious code.

What adversary tradecraft can you detect by leveraging image load event logging or by combining these events with other event types such as process, network, or file events? I’d be interested in hearing any feedback, experiences, or findings that you would like to share. For anyone who would like to share any analytics for detection, please see the EQL Analytics Library contribution guide.

Threat Punter

Threat Hunting | Threat Detection | Digital Forensics
