'Hijacked DLL Injection' alerts


L2 Linker

Greetings,

 

The single most common and repeating alert which we are getting is like below:

"173 'Hijacked DLL Injection' alerts detected by XDR Agent on 24 hosts"

The explanation is 'DLL attempted to load from blacklisted location'. So 2 questions here:

What are we supposed to do here? What is the investigation path we should follow? What does the above alert mean? Should we be worried?

I assume I have read that this protection module is among those modules which cannot be configured or modified?

Overall, looking to understand these types of alerts, though they appear as 'Detected (Reported)' and not 'Prevented (Blocked)'.

 

Thanks in advance for your response.

5 REPLIES

L5 Sessionator

Hi @Balaraju, you'll need to take a look at the alert itself and investigate through the Causality Chain to identify the DLL that is being loaded. For each alert you will see the process that is trying to load the DLL.

 

Next, look at the Exploit profile applied to the endpoint/set of endpoints. You probably have a list of DLLs blocked in the Profile configuration.


The configuration of that setting determines if the attack is disabled, reported or prevented.

Ref: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/endpo...

Thanks for your response. This is helpful.

Great, happy to advise you on the right track! 

The process in almost all cases is 'rundll32.exe'. Though the Exploit profile is set as Default (Block), all the alerts show up as Detected (Reported). No block list has been configured in the Exploit profile either.


 

L4 Transporter

Hi Balaraju, 

Apart from following the useful recommendations given by Bbarmanroy, check if the DLLs on those alerts are in block lists or allowed, just reported but not blocked, etc.

The SOC/security analysts need to know what these DLLs are used for: are they legitimate Windows DLLs, or something coming from a 3rd-party or custom app you have installed?

XDR can identify the DLLs that are signed by Microsoft and determine that they are benign, even though we do not know and control all DLLs available out there from 3rd parties or custom-created by individuals; this is part of the analyst's job. And once identified as malicious or benign, you can add a trusted signer or allow the hash.
XDR can also spot the malicious ones, even if they are unknown, by their behavior or based on ML, and block (depending on your settings) and alert you. After further analysis from your security team you can decide if you want to continue blocking or allowing; let's say that this is part of the human intelligence we need to put into our daily security analysis.

 

Hope this helps also

KR, 

Luis 
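
The two replies above describe the same triage loop: read the loading process and the DLL path off the Causality Chain, then establish whether the DLL is signed, by whom, what its hash is, and whether it sits somewhere a user can write to. The PowerShell below is an added helper that does those checks for the rundll32.exe case the original poster reports; it is not code from this thread or from Palo Alto Networks. The alert rows in `$alerts` are constructed samples, the `$UserWritableRoots` list and the verdict strings are this example's own assumptions (not the agent's blocked-location list or its decision logic), and it is meant to be run on the affected host or against a copied DLL.

```powershell
# Added example: triage helper for 'Hijacked DLL Injection' alerts where the loader
# is rundll32.exe. Not code from the thread or from Palo Alto Networks.
# Input per alert: host name and the rundll32 command line from the Causality Chain.

function Get-RunDll32Target {
    # Extracts the DLL path from a rundll32 command line:
    #   rundll32.exe <dll>,<EntryPoint> [args]   (the <dll> part may be quoted)
    param([Parameter(Mandatory)][string]$CommandLine)
    $rest = $CommandLine -replace '^\s*"?[^"\s]*rundll32(\.exe)?"?\s*', ''
    if     ($rest -match '^"([^"]+)"') { $dll = $Matches[1] }   # quoted path
    elseif ($rest -match '^([^,\s]+)') { $dll = $Matches[1] }   # unquoted, stops at ',' or space
    else { return $null }
    return [Environment]::ExpandEnvironmentVariables($dll)
}

# Assumed set of user-writable roots; extend it for your environment.
$UserWritableRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData,
                       $env:PUBLIC, "$env:USERPROFILE\Downloads") | Where-Object { $_ }

function Test-UserWritablePath {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($root in $UserWritableRoots) {
        $prefix = $root.TrimEnd('\') + '\'
        if ($Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-DllTriage {
    param([Parameter(Mandatory)][string]$HostName,
          [Parameter(Mandatory)][string]$CommandLine)
    $dll = Get-RunDll32Target -CommandLine $CommandLine
    $r = [ordered]@{ Host = $HostName; Dll = $dll; Exists = $false
                     SigStatus = $null; Signer = $null; Sha256 = $null; UserWritable = $false }
    if ($dll) {
        $r.Exists       = Test-Path -LiteralPath $dll -PathType Leaf
        $r.UserWritable = Test-UserWritablePath -Path $dll
    }
    if ($r.Exists) {
        $sig = Get-AuthenticodeSignature -LiteralPath $dll     # Valid / NotSigned / HashMismatch / ...
        $r.SigStatus = $sig.Status
        if ($sig.SignerCertificate) { $r.Signer = $sig.SignerCertificate.Subject }
        $r.Sha256 = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash   # for an allow/block-by-hash entry
    }
    # Assumed triage heuristic: it orders the analyst's queue, it is not a final verdict.
    $r.Verdict = if (-not $dll) { 'Could not parse DLL from command line; read it off the Causality Chain' }
        elseif (-not $r.Exists) { 'DLL no longer on disk; treat as suspicious (dropped and deleted?)' }
        elseif ($r.SigStatus -eq 'Valid' -and -not $r.UserWritable) { 'Signed, non-user-writable location; candidate for a trusted-signer exception' }
        elseif ($r.SigStatus -eq 'Valid') { 'Signed but loaded from a user-writable path; verify the signer before allowing' }
        else { 'Unsigned or broken signature; escalate and keep the hash' }
    [pscustomobject]$r
}

# Constructed sample rows standing in for what you copy out of the XDR alerts.
$alerts = @(
    @{ Host = 'WS-01'; CommandLine = 'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL' },
    @{ Host = 'WS-07'; CommandLine = '"C:\Windows\System32\rundll32.exe" "%LOCALAPPDATA%\Temp\update.dll",Run' }
)
$alerts | ForEach-Object { Get-DllTriage -HostName $_.Host -CommandLine $_.CommandLine } |
    Format-Table Host, Dll, SigStatus, Signer, UserWritable, Verdict -AutoSize
```

Two caveats when reading the output. A `Valid` status only says the file is intact and signed by some certificate chain the host trusts; look at `Signer` before turning it into a trusted-signer exception, since a third-party or stolen-certificate signature is still `Valid`. And a DLL that is gone from disk by the time you look (the second sample on a clean machine) is itself a finding: a legitimately installed component does not usually vanish right after rundll32 loads it.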

 

  • 2866 Views
  • 5 replies
  • 0 Likes