Forum Discussion
ArcticMyst
Jul 06, 2022, Copper Contributor
Bug - DeviceImageLoadEvents doesn't collect all DLL Load Events with Proof of Concept C++ code
Hi, I am a security researcher and was hoping to use DeviceImageLoadEvents to threat hunt for various suspicious DLL load events given other conditions. In order to test if my rule would fire, I ...
ArcticMyst
Jul 07, 2022, Copper Contributor
Clive_Watson thanks for the reply
Yes... my computer is covered by Defender for Endpoint, and yes, the query you provided returns results... as does a query for just my machine, but not for the test program...
Please see the screenshot below, which clearly shows the program running and loading the DLL, yet no events are found related to this test EXE for my machine.
ArcticMyst
Jul 07, 2022, Copper Contributor
I found something else which doesn't make any sense to me.
The "FileName" column in DeviceImageLoadEvents appears to store the DLL which was loaded... for example, "kernel32.dll".
For example, this query shows all the DLL load events and their counts:
DeviceImageLoadEvents
| summarize count() by FileName
| order by count_ desc
However, I noticed some EXE files displayed as well, including TestSentinel.exe with a count of 3. Why does Microsoft think my EXE is a DLL? I drilled down into the 3 events and there is nothing about what DLLs TestSentinel.exe loaded -- it is as if it thinks my program is a DLL...
This seems like a bug or a bad limitation to me... I consider it a security problem if I can't monitor for these events properly... Can anyone else please confirm if they see the same behavior, with EXEs incorrectly showing up as DLL load events?
Additionally, I am not the first person to see something similar:
https://www.nixu.com/blog/microsoft-defender-endpoint-am-i-missing-something
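An added Advanced Hunting query, not from the thread above, that checks coverage the way the poster is trying to: for each launch of the test EXE it counts the image-load events that were actually recorded for that process instance, so a launch with zero recorded loads stands out. It assumes the public MDE schema column names, where in DeviceImageLoadEvents FileName is the loaded module and InitiatingProcessFileName is the process that loaded it; the target name TestSentinel.exe and the 7-day window are constructed values.

```kusto
// Added example (not the poster's code). Assumes the documented Advanced Hunting schema.
let target = "TestSentinel.exe";   // constructed: the test program from the thread
let window = ago(7d);               // constructed lookback window
// Every start of the target process. Process creation lives in DeviceProcessEvents,
// not in DeviceImageLoadEvents, so this is the ground truth for "the program ran".
let launches =
    DeviceProcessEvents
    | where Timestamp > window and FileName =~ target
    | project DeviceId, DeviceName, ProcessId, ProcessCreationTime,
              LaunchTime = Timestamp, ProcessCommandLine;
// Image loads whose LOADER is the target. Here FileName is the module that was
// loaded (e.g. kernel32.dll); the loader is InitiatingProcessFileName.
let loads =
    DeviceImageLoadEvents
    | where Timestamp > window and InitiatingProcessFileName =~ target
    | summarize RecordedLoads = count(), Modules = make_set(FileName, 50)
        by DeviceId, InitiatingProcessId, InitiatingProcessCreationTime;
// Left-outer join keeps launches with no recorded loads at all. Matching on the
// creation time as well as the PID avoids mixing up reused process IDs.
launches
| join kind=leftouter loads on DeviceId,
    $left.ProcessId == $right.InitiatingProcessId,
    $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
| extend RecordedLoads = coalesce(RecordedLoads, 0)
| project LaunchTime, DeviceName, ProcessId, ProcessCommandLine, RecordedLoads, Modules
| order by LaunchTime desc
```

Rows with RecordedLoads of 0 are launches the process-creation telemetry saw but for which no image-load telemetry exists; a separate `where FileName =~ target` over DeviceImageLoadEvents shows which processes loaded the EXE itself as an image, which is the other case the post describes.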