any where host.os.type == "windows" and process.name : "AzureADConnectAuthenticationAgentService.exe" and
(
(event.category == "library" and event.action == "load") or
(event.category == "process" and event.action : "Image loaded*")
) and
not (?dll.code_signature.trusted == true or file.code_signature.status == "Valid") and not
(
/* Elastic defend DLL path */
?dll.path :
("?:\\Windows\\assembly\\NativeImages*",
"?:\\Windows\\Microsoft.NET\\*",
"?:\\Windows\\WinSxS\\*",
"?:\\Windows\\System32\\DriverStore\\FileRepository\\*") or
/* Sysmon DLL path is mapped to file.path */
file.path :
("?:\\Windows\\assembly\\NativeImages*",
"?:\\Windows\\Microsoft.NET\\*",
"?:\\Windows\\WinSxS\\*",
"?:\\Windows\\System32\\DriverStore\\FileRepository\\*")
)
Install detection rules in Elastic Security
Detect Untrusted DLL Loaded by Azure AD Sync Service in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).