Detect Shared Modules in Elastic Security
Adversaries may execute malicious payloads by loading shared modules into running processes. Shared modules are executable files (DLLs on Windows, .so on Linux, .dylib on macOS) loaded at runtime to provide reusable code or access OS API functions. Adversaries abuse this by loading malicious shared objects from arbitrary local paths or UNC network paths, allowing payload execution within the memory space of a legitimate host process. Windows uses LoadLibrary/LoadLibraryEx (via NTDLL.dll Native API), Linux uses dlopen/dlsym from dlfcn.h, and macOS uses both dlopen and Objective-C runtime calls. This technique enables modular malware architectures where the main dropper loads additional capability modules — seen in gh0st RAT, Astaroth, RotaJakiro, FoggyWeb, and BLINDINGCAN.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1129 Shared Modules
- Canonical reference
- https://attack.mitre.org/techniques/T1129/
Elastic Detection Query
sequence by host.name, process.entity_id [library where process.name in~ ("rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "msbuild.exe", "installutil.exe") and dll.path like~ "*\\AppData\\Local\\Temp\\*" or dll.path like~ "*\\AppData\\Roaming\\*" or dll.path like~ "*\\Users\\Public\\*" or dll.path like~ "*\\Windows\\Temp\\*" or dll.path like~ "C:\\Temp\\*" or dll.path like~ "C:\\tmp\\*" or dll.path like~ "*\\Downloads\\*" and not dll.path like~ "*\\Windows\\System32\\*" and not dll.path like~ "*\\Windows\\SysWOW64\\*" and not dll.path like~ "*\\Program Files\\*"]Detects suspicious DLL/shared module loading from non-standard paths or via known LOLBin loaders. Targets Sysmon ImageLoad events (ECS dll.* fields) where the loaded library originates from temp, user-writable, or UNC paths and is loaded by commonly abused Windows utilities. Covers T1129 abuse patterns seen in gh0st RAT, Astaroth, and BLINDINGCAN.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software installers that temporarily extract and load DLLs from %TEMP% during installation (e.g., Adobe, Oracle JDK installers)
- Developer tools such as Visual Studio, Python pip, or Node.js native addons loading modules from user-profile or Downloads directories during development
- Enterprise deployment tools (SCCM, Intune) that stage MSI/DLL payloads in ProgramData or Temp before installation
Other platforms for T1129
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Load DLL from Temp Directory via rundll32
Expected signal: Sysmon Event ID 7 (ImageLoad): ImageLoaded path will be %TEMP%\df00tech-test-module.dll, Image will be C:\Windows\System32\rundll32.exe. Sysmon Event ID 1 (Process Create): rundll32.exe with command line containing the Temp path. Security Event ID 4688 if command line auditing is enabled.
- Test 2Load DLL via PowerShell Assembly.LoadFile from AppData
Expected signal: Sysmon Event ID 7: ImageLoaded will show AppData\Roaming\df00tech-module.dll loaded by powershell.exe. Sysmon Event ID 1: PowerShell process creation with LoadFile command. Sysmon Event ID 11: File creation of df00tech-module.dll in AppData\Roaming.
- Test 3Load Shared Object from /tmp via dlopen on Linux
Expected signal: Auditd syscall events: openat(2) call to /tmp/df00tech_test_module.so from python3 process. Linux audit event type=EXECVE for gcc and python3. If using Falco or Sysdig: proc.name=python3 with fd.name=/tmp/*.so triggers shared lib load from tmp rule. Syslog entry if auditd is configured to monitor /tmp for file opens.
- Test 4Regsvr32 Loading Unregistered DLL from User-Writable Path
Expected signal: Sysmon Event ID 7 (ImageLoad): ImageLoaded=C:\Windows\Temp\df00tech-reg-test.dll, Image=C:\Windows\System32\regsvr32.exe. Sysmon Event ID 1: regsvr32.exe with /s flag and the temp path. The /s flag suppresses the dialog box — this silence flag is itself a behavioral indicator used in malware deployment.
- Test 5Load dylib from /tmp on macOS via Python ctypes
Expected signal: macOS Endpoint Security Framework: ES_EVENT_TYPE_NOTIFY_MMAP event for the dylib mmap into python3 process address space. Unified log (log stream --predicate 'subsystem == "com.apple.dyld"') shows dylib load from /tmp. If Jamf Protect or CrowdStrike Falcon is deployed: 'Shared Library Loaded from /tmp' detection fires.
References (10)
- https://attack.mitre.org/techniques/T1129/
- https://learn.microsoft.com/troubleshoot/windows-client/deployment/dynamic-link-library
- https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html
- https://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html
- https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/
- https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load
- https://www.elastic.co/guide/en/security/current/prebuilt-rules.html
Unlock Pro Content
Get the full detection package for T1129 including response playbook, investigation guide, and atomic red team tests.