Jul 06 2022 10:25 AM
Hi, I am a security researcher and was hoping to use DeviceImageLoadEvents to threat hunt for various suspicious DLL load events given other conditions.
In order to test if my rule would fire, I created a short C++ program with mingw/MSYS2 on Windows that loads ws2_32.dll with LoadLibrary, starts Winsock 2.2 with WSAStartup, and finally unloads Winsock with WSACleanup. The DLL handle is freed. Dynamic loading is used with function pointers.
Picture of the code is below because this app wouldn't let me paste it:
The output of the program is as follows, showing that the DLL loads successfully and the function addresses are acquired:
[*] Winsock 2 Loaded
[*] DLL Function addresses acquired
[*] WSAStartup succeeded
[*] WSACleanup succeeded
However, the following query does not show the DLL event above, and only lists 3 other random ones that are unrelated. Note that I waited several hours and the event still never showed up so it isn't a timing issue.
DeviceImageLoadEvents
| where DeviceName =="mycomputer" and FileName=="ws2_32.dll"
Is this a bug/known issue? Maybe I am just doing something silly wrong or not understanding, but if this is a glitch it is a security problem because these logs can't be depended on for alerting data/threat hunting rules.
Please advise.
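One way to narrow down whether the sensor missed the process entirely or only the image load, as an added advanced hunting query that is not part of the original post. It assumes the test binary is named winsock_test.exe (placeholder) and uses the device name from the question.

```kql
// Added example, not from the original post. The binary name is a placeholder;
// the device name matches the one used in the question.
let TestDevice = "mycomputer";
let TestBinary = "winsock_test.exe";
// Step 1: confirm the sensor recorded the test process starting at all.
let TestRuns = DeviceProcessEvents
| where DeviceName == TestDevice and FileName =~ TestBinary
| project DeviceName, ProcessId, ProcessCreationTime;
// Step 2: list every image load attributed to those process instances,
// not only ws2_32.dll, so partial recording is visible.
DeviceImageLoadEvents
| where DeviceName == TestDevice
| join kind=inner TestRuns on DeviceName,
    $left.InitiatingProcessId == $right.ProcessId,
    $left.InitiatingProcessCreationTime == $right.ProcessCreationTime
| project Timestamp, InitiatingProcessFileName, FileName, FolderPath, SHA1
| order by Timestamp asc
```

If TestRuns is empty, the process creation itself was never reported, which is a different problem from a missing image-load record. If TestRuns has rows but the second result set lacks ws2_32.dll, the process was observed and the load specifically was not recorded.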
Jul 07 2022 04:12 AM
Jul 07 2022 05:22 AM
@Clive_Watson thanks for the reply
Yes... my computer is covered by Defender for Endpoint, and yes, the query you provided returns results... as does a query for just my machine, but not the test program...
Please see the screenshot below, which clearly shows the program running and loading the DLL, yet no events are found related to this test EXE for my machine.
Jul 07 2022 11:02 AM