Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Bug - DeviceImageLoadEvents doesn't collect all DLL Load Events with Proof of Concept C++ code

Copper Contributor

Hi, I am a security researcher and was hoping to use DeviceImageLoadEvents to threat hunt for various suspicious DLL load events given other conditions.

 

In order to test if my rule would fire, I created a short C++ program with mingw/MSYS2 on windows that loads ws2_32.dll with LoadLibrary, starts Winsock 2.2 with WSAStartup, and finally unloads Winsock with WSACleanup.  The DLL handle is freed.  Dynamic loading is used with function pointers.

 

Picture of the code is below because this app wouldn't let me paste it:

 

code_ws2_32_test.png

 

 

The output of the program is as follows, showing the DLL successfully loads and function addresses acquired:

 

[*] Winsock 2 Loaded
[*] DLL Function addresses acquired
[*] WSAStartup succeeded
[*] WSACleanup succeeded

 

However, the following query does not show the DLL event above, and only lists 3 other random ones that are unrelated.  Note that I waited several hours and the event still never showed up so it isn't a timing issue.

 

DeviceImageLoadEvents
| where DeviceName =="mycomputer" and FileName=="ws2_32.dll"

 

Is this a bug/known issue?  Maybe I am just doing something silly wrong or not understanding, but if this is glitch it is a security problem because these logs can't be depended on for alerting data/threat hunting rules..

 

Please advise

 

3 Replies
Is your "mycomputer" covered by Defender for Endpoint, I assume it is? I suspect you tried a search to find this as well (see suggestion below)? Are there later events from your computer that show up in the table?

DeviceImageLoadEvents
| search "ws2_32.dll"
| limit 5

@Clive_Watson thanks for the reply

 

yes... my computer is covered for Defender for Endpoint and yes the query you provided returns results... as does a query for just my machine, but not the test program...

 

Please see screenshot below which clearly shows the program running and loading the DLL, yet no events found related to this test EXE for my machinetest_case_winsock_fail.png

 

I found something else which doesn't make any sense to me.

The "FileName" column in DeviceImageLoadEvents appears to store the DLL which was loaded... for example "kernel32.dll"

For example, this query shows all the DLL events and counts..

DeviceImageLoadEvents
| summarize count() by FileName
| order by count_ desc

However, I noticed some EXE files displayed as well, including TestSentinel.exe with a count of 3. Why is Microsoft thinking my EXE is a DLL? I drilled down into the 3 events and there is nothing about what DLLs TestSentinel.exe ran -- it is as if it thinks my program is a DLL...

This seems like a bug or bad limitation to me.. I consider it a security problem if can't monitor for these events properly... Can anyone else please confirm if they see the same behavior with EXEs incorrectly showing up as DLL Load events?

Additionally, I am not the first person to see something similar:

https://www.nixu.com/blog/microsoft-defender-endpoint-am-i-missing-something