For details on cookie usage on our site, read our Privacy Policy
'Hijacked DLL Injection' alerts
- LIVEcommunity
- Discussions
- Security Operations
- Cortex XDR Discussions
- 'Hijacked DLL Injection' alerts
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
'Hijacked DLL Injection' alerts
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-19-2022 10:28 AM
Greetings ,
The single most common and repeating alert which we are getting is like below :
'' 173 'Hijacked DLL Injection' alerts detected by XDR Agent on 24 hosts ''
Explanation is 'DLL attempted to load from blacklisted location' .So 2 questions here
What we are supposed to do here ? What is the investigation path we should follow ? What above alert means ?Should we be worried ?
I assume I have read that this protection module is among those modules which cannot be configured or modified ?
Overall looking to understand these type of alerts though they appear as ' Detected(Reported)' and Not Prevented(Blocked) .
Thanks in advance for response
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-21-2022 02:41 AM
Hi @Balaraju You'll need to take a look at the alert itself, and investigate through the Causality Chain to identify the DLL that is being tried to load. You will see a process that is trying to load the DLL for each alert.
Next, look at your Exploit profile applied to the endpoint/set of endpoints. You probably have a list of DLL's blocked in the Profile configuration.
The configuration of that setting determines if the attack is disabled, reported or prevented.
Ref: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/endpo...
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-21-2022 02:56 AM
Thanks for your response . This is helpful
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-21-2022 03:01 AM
Great, happy to advise you on the right track!
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-21-2022 03:03 AM
The process in almost all cases is 'rundll32.exe' , though the Exploit profile is set as Default(Block) , all the alerts show up as Detected(Reported) . No block list has been configured either in the Exploit profile .
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-21-2022 04:24 AM - edited 03-21-2022 04:25 AM
Hi Balaraju,
apart from following the useful recomendations given by Bbarmanroy, and check if the DLLs on those alerts are in block lists or allowed, just reported but not blocked, etc.
The SOC/Security analysts need to know what are this dlls used for, are they legit windows ? something coming from a 3rd party or custom app you have installed ?
XDR can identify the dlls that are signed by microsoft and figure out or determine that they are benign, even though we do not know and control all dlls available out there from 3rd parties, custom created by individuals.... this is part of the analyst job. And once identified malicious or benign you guys can add a trusted signer or allow hash.....
XDR can also spot the malicious ones even they are unknown by their behavior or even based on ML, and block (depending on your settings) and alert you. After further analysis from your security guys you can decide if you want to continue blocking or allowing, lets say that this is part of the human intelligence we need to put on our daily security analysis.
Hope this helps also
KR,
Luis
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
