T1129

Shared Modules

Adversaries may execute malicious payloads by loading shared modules into running processes. Shared modules are executable files (DLLs on Windows, .so on Linux, .dylib on macOS) loaded at runtime to provide reusable code or access OS API functions. Adversaries abuse this by loading malicious shared objects from arbitrary local paths or UNC network paths, allowing payload execution within the memory space of a legitimate host process. Windows uses LoadLibrary/LoadLibraryEx (via NTDLL.dll Native API), Linux uses dlopen/dlsym from dlfcn.h, and macOS uses both dlopen and Objective-C runtime calls. This technique enables modular malware architectures where the main dropper loads additional capability modules — seen in gh0st RAT, Astaroth, RotaJakiro, FoggyWeb, and BLINDINGCAN.

Microsoft Sentinel / Defender

kusto

let SuspiciousLoadPaths = dynamic([
  "\\AppData\\Local\\Temp\\",
  "\\AppData\\Roaming\\",
  "\\Users\\Public\\",
  "\\ProgramData\\Microsoft\\Windows\\Start Menu\\",
  "\\Windows\\Temp\\",
  "C:\\Temp\\",
  "C:\\tmp\\",
  "\\Downloads\\"
]);
let UNCPathPattern = @"\\\\[^\\]+\\[^\\]+\\.*\.dll";
let KnownGoodDirs = dynamic([
  "\\Windows\\System32\\",
  "\\Windows\\SysWOW64\\",
  "\\Windows\\WinSxS\\",
  "\\Program Files\\",
  "\\Program Files (x86)\\"
]);
DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where FileName endswith ".dll"
| where not(FolderPath has_any (KnownGoodDirs))
| where FolderPath has_any (SuspiciousLoadPaths)
    or FolderPath matches regex UNCPathPattern
    or (InitiatingProcessFileName in~ ("rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "msbuild.exe", "installutil.exe") and not(FolderPath has_any (KnownGoodDirs)))
| extend IsUNCPath = FolderPath matches regex @"^\\\\\\\\[^\\]+"
| extend IsTempPath = FolderPath has_any (SuspiciousLoadPaths)
| extend IsSuspiciousLoader = InitiatingProcessFileName in~ ("rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "msbuild.exe", "installutil.exe")
| extend IsUnsigned = isempty(Signer) or Signer == "" or IsCertificateValid == false
| project Timestamp, DeviceName, AccountName,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         FileName, FolderPath, SHA256,
         Signer, IsCertificateValid,
         IsUNCPath, IsTempPath, IsSuspiciousLoader, IsUnsigned
| sort by Timestamp desc

high severity medium confidence

Data Sources

Module: Module Load Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceImageLoadEvents

False Positives

Legitimate software installers temporarily staging DLLs in %TEMP% before moving them to installation directories
Developer tools (Visual Studio, JetBrains IDEs) loading debug or test assemblies from user-writable paths during development builds
Enterprise software with non-standard installation paths (e.g., installed to C:\Tools or user home directories by portable apps)
Security tools and EDR agents loading kernel modules or helper DLLs from non-standard paths during startup
Virtualization software (VMware Tools, VirtualBox Guest Additions) loading drivers from paths outside System32

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7
| eval ImageLoaded=coalesce(ImageLoaded, "")
| eval Image=coalesce(Image, "")
| eval Signed=coalesce(Signed, "false")
| eval ImageLower=lower(ImageLoaded)
| eval ProcessLower=lower(Image)
| eval IsTempPath=if(match(ImageLower, "(\\\\appdata\\\\local\\\\temp\\\\|\\\\appdata\\\\roaming\\\\|\\\\windows\\\\temp\\\\|\\\\users\\\\public\\\\|c:\\\\temp\\\\|c:\\\\tmp\\\\|\\\\downloads\\\\)"), 1, 0)
| eval IsUNCPath=if(match(ImageLower, "^\\\\\\\\[^\\\\]+\\\\[^\\\\]+\\\\"), 1, 0)
| eval IsSuspiciousLoader=if(match(ProcessLower, "(\\\\rundll32\.exe|\\\\regsvr32\.exe|\\\\mshta\.exe|\\\\wscript\.exe|\\\\cscript\.exe|\\\\msbuild\.exe|\\\\installutil\.exe)"), 1, 0)
| eval IsKnownGoodDir=if(match(ImageLower, "(\\\\windows\\\\system32\\\\|\\\\windows\\\\syswow64\\\\|\\\\windows\\\\winsxs\\\\|\\\\program files\\\\|\\\\program files \\(x86\\)\\\\)"), 1, 0)
| eval IsUnsigned=if(Signed="false" OR Signed="", 1, 0)
| eval SuspicionScore=IsTempPath + IsUNCPath + (IsSuspiciousLoader * (1 - IsKnownGoodDir)) + IsUnsigned
| where SuspicionScore >= 1 AND IsKnownGoodDir=0
| table _time, host, User, Image, CommandLine, ImageLoaded, Signed, SignatureStatus, Hashes, IsTempPath, IsUNCPath, IsSuspiciousLoader, IsUnsigned, SuspicionScore
| sort - SuspicionScore, - _time

high severity medium confidence

Data Sources

Module: Module Load Process: Process Creation Sysmon Event ID 7

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate software installers temporarily staging DLLs in %TEMP% before moving them to installation directories
Developer tools (Visual Studio, JetBrains IDEs) loading debug or test assemblies from user-writable paths
Enterprise software with non-standard installation paths installed by portable or user-scoped apps
Security tools and EDR agents loading modules from non-standard paths during startup or updates
Virtualization and container software loading hypervisor or paravirtualization modules from custom paths

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime, LOGSOURCENAME(logsourceid) AS LogSource, username, sourceip, QIDNAME(qid) AS EventName, "ImageLoaded", "Image", "Signed", "Hashes", "CommandLine", CASE WHEN LOWER("ImageLoaded") LIKE '%\appdata\local\temp\%' THEN 1 WHEN LOWER("ImageLoaded") LIKE '%\appdata\roaming\%' THEN 1 WHEN LOWER("ImageLoaded") LIKE '%\windows\temp\%' THEN 1 WHEN LOWER("ImageLoaded") LIKE '%\users\public\%' THEN 1 WHEN LOWER("ImageLoaded") LIKE '%c:\temp\%' THEN 1 WHEN LOWER("ImageLoaded") LIKE '%c:\tmp\%' THEN 1 WHEN LOWER("ImageLoaded") LIKE '%\downloads\%' THEN 1 ELSE 0 END AS IsTempPath, CASE WHEN LOWER("ImageLoaded") LIKE '\\\\%' THEN 1 ELSE 0 END AS IsUNCPath, CASE WHEN LOWER("Image") LIKE '%rundll32.exe' OR LOWER("Image") LIKE '%regsvr32.exe' OR LOWER("Image") LIKE '%mshta.exe' OR LOWER("Image") LIKE '%wscript.exe' OR LOWER("Image") LIKE '%cscript.exe' OR LOWER("Image") LIKE '%msbuild.exe' OR LOWER("Image") LIKE '%installutil.exe' THEN 1 ELSE 0 END AS IsSuspiciousLoader, CASE WHEN LOWER("ImageLoaded") LIKE '%\windows\system32\%' OR LOWER("ImageLoaded") LIKE '%\windows\syswow64\%' OR LOWER("ImageLoaded") LIKE '%\program files\%' THEN 1 ELSE 0 END AS IsKnownGoodDir FROM events WHERE LOGSOURCETYPEID = 13 AND QIDNAME(qid) = 'Sysmon - Image Loaded (7)' AND LOWER("ImageLoaded") LIKE '%.dll' AND (IsTempPath = 1 OR IsUNCPath = 1 OR IsSuspiciousLoader = 1) AND IsKnownGoodDir = 0 AND starttime > NOW() - 86400 SECONDS ORDER BY starttime DESC

high severity medium confidence

Data Sources

QRadar Windows Security DSM Sysmon logs via WinCollect or Universal DSM Microsoft Windows Security Event Log DSM

Required Tables

events (QRadar event pipeline with Sysmon DSM parsed fields)

False Positives

Software update mechanisms that unpack DLLs to Temp before loading them (e.g., Chrome, Firefox, Windows Update components staging side-by-side assemblies)
Security tools such as EDR agents, vulnerability scanners, or DLP products that inject monitoring DLLs into processes from non-standard paths
Custom enterprise applications that load plugins or extensions from user AppData directories as part of legitimate extensibility frameworks

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=7
| parse "<ImageLoaded>*</ImageLoaded>" as ImageLoaded nodrop
| parse "<Image>*</Image>" as LoaderProcess nodrop
| parse "<Signed>*</Signed>" as Signed nodrop
| parse "<SignatureStatus>*</SignatureStatus>" as SignatureStatus nodrop
| parse "<Hashes>*</Hashes>" as Hashes nodrop
| parse "<CommandLine>*</CommandLine>" as CommandLine nodrop
| parse "<User>*</User>" as User nodrop
| where toLowerCase(ImageLoaded) matches "*.dll"
| eval ImageLower = toLowerCase(ImageLoaded)
| eval ProcessLower = toLowerCase(LoaderProcess)
| eval IsTempPath = if(ImageLower matches "*\\appdata\\local\\temp\\*" OR ImageLower matches "*\\appdata\\roaming\\*" OR ImageLower matches "*\\windows\\temp\\*" OR ImageLower matches "*\\users\\public\\*" OR ImageLower matches "c:\\temp\\*" OR ImageLower matches "c:\\tmp\\*" OR ImageLower matches "*\\downloads\\*", 1, 0)
| eval IsUNCPath = if(ImageLower matches "\\\\*", 1, 0)
| eval IsSuspiciousLoader = if(ProcessLower matches "*\\rundll32.exe" OR ProcessLower matches "*\\regsvr32.exe" OR ProcessLower matches "*\\mshta.exe" OR ProcessLower matches "*\\wscript.exe" OR ProcessLower matches "*\\cscript.exe" OR ProcessLower matches "*\\msbuild.exe" OR ProcessLower matches "*\\installutil.exe", 1, 0)
| eval IsKnownGoodDir = if(ImageLower matches "*\\windows\\system32\\*" OR ImageLower matches "*\\windows\\syswow64\\*" OR ImageLower matches "*\\windows\\winsxs\\*" OR ImageLower matches "*\\program files\\*", 1, 0)
| eval IsUnsigned = if(Signed = "false" OR Signed = "", 1, 0)
| eval SuspicionScore = IsTempPath + IsUNCPath + (IsSuspiciousLoader * (1 - IsKnownGoodDir)) + IsUnsigned
| where SuspicionScore >= 1 AND IsKnownGoodDir = 0
| fields _messageTime, _sourceHost, User, LoaderProcess, CommandLine, ImageLoaded, Signed, SignatureStatus, Hashes, IsTempPath, IsUNCPath, IsSuspiciousLoader, IsUnsigned, SuspicionScore
| sort by SuspicionScore, _messageTime

high severity high confidence

Data Sources

Sumo Logic Windows Sysmon Source (XML event format) Sumo Logic Installed Collector with Windows Event Log Source Sumo Logic Cloud-to-Cloud Microsoft 365 Defender source

Required Tables

_sourceCategory=windows/sysmon Sysmon Operational Event Log (EventCode=7)

False Positives

Managed software deployment via PDQ Deploy, Ansible, or similar tools that temporarily place DLLs in staging directories accessible to running processes before installation completes
Browser extension or plugin frameworks (e.g., legacy NPAPI plugins, COM add-ins) that load shared libraries from user-profile locations as part of sandboxed execution
Penetration testing or red team tooling run by authorized staff loading reflective DLLs from temp directories during sanctioned assessments

Google Chronicle / SecOps

yaral

rule t1129_shared_module_suspicious_dll_load {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1129 Shared Modules abuse — malicious DLL/shared object loading from non-standard paths or via LOLBin processes. Covers temp directories, UNC paths, and known abused loaders."
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1129"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1129/"

  events:
    $e.metadata.event_type = "PROCESS_MODULE_LOAD"
    $e.target.file.full_path = /\.dll$/i
    (
      $e.target.file.full_path = /(?i)\\AppData\\Local\\Temp\\/ or
      $e.target.file.full_path = /(?i)\\AppData\\Roaming\\/ or
      $e.target.file.full_path = /(?i)\\Users\\Public\\/ or
      $e.target.file.full_path = /(?i)\\Windows\\Temp\\/ or
      $e.target.file.full_path = /(?i)C:\\Temp\\/ or
      $e.target.file.full_path = /(?i)C:\\tmp\\/ or
      $e.target.file.full_path = /(?i)\\Downloads\\/ or
      $e.target.file.full_path = /(?i)^\\\\[^\\]+\\[^\\]+\\/
    )
    not (
      $e.target.file.full_path = /(?i)\\Windows\\System32\\/ or
      $e.target.file.full_path = /(?i)\\Windows\\SysWOW64\\/ or
      $e.target.file.full_path = /(?i)\\Windows\\WinSxS\\/ or
      $e.target.file.full_path = /(?i)\\Program Files\\/ or
      $e.target.file.full_path = /(?i)\\Program Files \(x86\)\\/
    )
    (
      $e.principal.process.file.full_path = /(?i)\\rundll32\.exe$/ or
      $e.principal.process.file.full_path = /(?i)\\regsvr32\.exe$/ or
      $e.principal.process.file.full_path = /(?i)\\mshta\.exe$/ or
      $e.principal.process.file.full_path = /(?i)\\wscript\.exe$/ or
      $e.principal.process.file.full_path = /(?i)\\cscript\.exe$/ or
      $e.principal.process.file.full_path = /(?i)\\msbuild\.exe$/ or
      $e.principal.process.file.full_path = /(?i)\\installutil\.exe$/ or
      $e.target.file.full_path = /(?i)\\AppData\\Local\\Temp\\/ or
      $e.target.file.full_path = /(?i)^\\\\[^\\]+\\/
    )
    $e.principal.hostname = $hostname

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM via Google Workspace/Chronicle SIEM Sysmon Event ID 7 forwarded through Chronicle ingestion pipeline Microsoft Defender for Endpoint events via Chronicle connector

Required Tables

UDM events with metadata.event_type = PROCESS_MODULE_LOAD

False Positives

Legitimate runtime plugin systems such as game engines (Unity, Unreal), DAW software, or IDE extensions that dynamically load user-installed DLLs from AppData directories
Windows Installer (msiexec.exe) custom actions that invoke DLLs staged in Temp — these are signed but may appear unsigned until installation completes
Virtualization or containerization agents (VMware Tools, VirtualBox Guest Additions, Docker Desktop) loading auxiliary DLLs from non-standard paths after updates

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ImageLoad
| ImageFileName = /(?i)\.dll$/
| ImageFileName = /(?i)(\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\|\\Users\\Public\\|\\Windows\\Temp\\|C:\\Temp\\|C:\\tmp\\|\\Downloads\\)|^\\\\[^\\]+\\/
| not ImageFileName = /(?i)(\\Windows\\System32\\|\\Windows\\SysWOW64\\|\\Windows\\WinSxS\\|\\Program Files\\|\\Program Files \(x86\)\\)/
| IsTempPath := if(ImageFileName = /(?i)(\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\|\\Windows\\Temp\\|\\Users\\Public\\|C:\\Temp\\|C:\\tmp\\|\\Downloads\\)/, "true", "false")
| IsUNCPath := if(ImageFileName = /^\\\\[^\\]+\\/, "true", "false")
| IsSuspiciousLoader := if(ImageFileName = /(?i)(\\rundll32\.exe|\\regsvr32\.exe|\\mshta\.exe|\\wscript\.exe|\\cscript\.exe|\\msbuild\.exe|\\installutil\.exe)/, "true", "false")
| SuspicionScore := if(IsTempPath = "true", 1, 0) + if(IsUNCPath = "true", 1, 0) + if(IsSuspiciousLoader = "true", 1, 0)
| SuspicionScore >= 1
| table([_timems, ComputerName, UserName, ImageFileName, ParentImageFileName, CommandHistory, SHA256HashData, IsTempPath, IsUNCPath, IsSuspiciousLoader, SuspicionScore])
| sort(SuspicionScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor (EDR) — ImageLoad events CrowdStrike Falcon Data Replicator (FDR) to LogScale LogScale via Falcon SIEM Connector

Required Tables

#event_simpleName=ImageLoad (Falcon telemetry event stream)

False Positives

Third-party security tools (endpoint DLP, PAM agents, network monitoring) that load kernel or user-mode modules from non-standard paths on first execution before being moved to permanent install directories
Software development workflows where compiled DLLs in output directories (bin/Debug, bin/Release, Downloads) are loaded during testing by msbuild.exe or test runners — highly common in .NET shops
Automated backup or endpoint management agents (Backup Exec, Datto, ConnectWise Automate) that load operational DLLs from ProgramData or AppData paths as part of their service architecture

Last updated: 2026-04-18 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1129 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Shared Modules

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Execution

Popular Detections