Windows 10 Creators Update can detect reflective Dynamic-Link Library (DLL) loading in a variety of high-risk processes, including browsers and productivity software, Microsoft says.
This is possible because of function calls (VirtualAlloc and VirtualProtect) related to procuring executable memory, which generate signals for Windows Defender Advanced Threat Protection (Windows Defender ATP).
Reflective DLL loading, the software giant explains, relies on loading a DLL into a process memory without using the Windows loader. First described in 2008, the method allows for the loading of a DLL into a process even if the DLL isn’t registered with the process.
The technique is employed by modern attacks to avoid detection, although the operation is not trivial, as it requires the use of a custom loader that can write the DLL into memory and then resolve its imports and/or its relocation.
What motivates attackers to use the method, Microsoft says, is that reflectively loading a DLL doesn’t require the DLL to reside on disk, and the library that is loaded may not be readily visible without forensic analysis, especially because it is not written to disk.
“A crucial aspect of reflectively loading a DLL is to have executable memory available for the DLL code. This can be accomplished by taking existing memory and changing its protection flags or by allocating new executable memory. Memory procured for DLL code is the primary signal we use to identify reflective DLL loading,” Christian Seifert, Windows Defender ATP Research, explains.
The detection model used in Windows 10 first learns about the normal allocations of a process, then it determines that a process associated with malicious activity allocates executable memory that deviates from the normal behavior. The model is meant to prove that memory events can be used as the primary signal for detecting reflective DLL loading, Seifert says.
The real model, however, also includes various other features, such as allocation size, allocation history, thread information, allocation flags, and the like. It also takes into consideration variations in application behavior, so its effectiveness is increased through additional behavioral signals, such as network connection behavior.
In an attack scenario where the victim opens a malicious Word document from a file share and enables macro code to run, the Word process connects to the attacker-specified command and control (C&C) server to fetch the DLL to be reflectively loaded. Once the loading has been completed, it connects to the C&C and provides command line access to the victim machine.
Windows Defender ATP, Microsoft says, identifies the memory allocations as abnormal and alerts on the matter, providing context on the document and information on the C&C communication. Similarly, Microsoft Office 365 Advanced Threat Protection prevents such attacks through dynamic behavior matching.
Seifert also points out that Windows Defender ATP is a post-breach solution designed to alert on detected hostile activity. It can also provide detailed event timelines and other contextual information for attack analysis, the researcher says.