Which SIEM platforms have a T1129 detection rule?

df00tech provides T1129 (Shared Modules) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Shared Modules (T1129)?

Detecting Shared Modules requires the following data sources: Module: Module Load, Process: Process Creation, Microsoft Defender for Endpoint.

What severity and confidence is the T1129 detection?

The T1129 detection is rated high severity with medium confidence.

What are common false positives for T1129?

Common false positives for T1129 include: Legitimate software installers temporarily staging DLLs in %TEMP% before moving them to installation directories; Developer tools (Visual Studio, JetBrains IDEs) loading debug or test assemblies from user-writable paths during development builds; Enterprise software with non-standard installation paths (e.g., installed to C:\Tools or user home directories by portable apps).

T1129 IBM QRadar · QRadar

Detect Shared Modules in IBM QRadar

Adversaries may execute malicious payloads by loading shared modules into running processes. Shared modules are executable files (DLLs on Windows, .so on Linux, .dylib on macOS) loaded at runtime to provide reusable code or access OS API functions. Adversaries abuse this by loading malicious shared objects from arbitrary local paths or UNC network paths, allowing payload execution within the memory space of a legitimate host process. Windows uses LoadLibrary/LoadLibraryEx (via NTDLL.dll Native API), Linux uses dlopen/dlsym from dlfcn.h, and macOS uses both dlopen and Objective-C runtime calls. This technique enables modular malware architectures where the main dropper loads additional capability modules — seen in gh0st RAT, Astaroth, RotaJakiro, FoggyWeb, and BLINDINGCAN.

MITRE ATT&CK

Tactic: Execution
Technique: T1129 Shared Modules
Canonical reference: https://attack.mitre.org/techniques/T1129/

QRadar Detection Query

IBM QRadar (QRadar)

sql

SELECT DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime, LOGSOURCENAME(logsourceid) AS LogSource, username, sourceip, QIDNAME(qid) AS EventName, "ImageLoaded", "Image", "Signed", "Hashes", "CommandLine", CASE WHEN LOWER("ImageLoaded") LIKE '%\appdata\local\temp\%' THEN 1 WHEN LOWER("ImageLoaded") LIKE '%\appdata\roaming\%' THEN 1 WHEN LOWER("ImageLoaded") LIKE '%\windows\temp\%' THEN 1 WHEN LOWER("ImageLoaded") LIKE '%\users\public\%' THEN 1 WHEN LOWER("ImageLoaded") LIKE '%c:\temp\%' THEN 1 WHEN LOWER("ImageLoaded") LIKE '%c:\tmp\%' THEN 1 WHEN LOWER("ImageLoaded") LIKE '%\downloads\%' THEN 1 ELSE 0 END AS IsTempPath, CASE WHEN LOWER("ImageLoaded") LIKE '\\\\%' THEN 1 ELSE 0 END AS IsUNCPath, CASE WHEN LOWER("Image") LIKE '%rundll32.exe' OR LOWER("Image") LIKE '%regsvr32.exe' OR LOWER("Image") LIKE '%mshta.exe' OR LOWER("Image") LIKE '%wscript.exe' OR LOWER("Image") LIKE '%cscript.exe' OR LOWER("Image") LIKE '%msbuild.exe' OR LOWER("Image") LIKE '%installutil.exe' THEN 1 ELSE 0 END AS IsSuspiciousLoader, CASE WHEN LOWER("ImageLoaded") LIKE '%\windows\system32\%' OR LOWER("ImageLoaded") LIKE '%\windows\syswow64\%' OR LOWER("ImageLoaded") LIKE '%\program files\%' THEN 1 ELSE 0 END AS IsKnownGoodDir FROM events WHERE LOGSOURCETYPEID = 13 AND QIDNAME(qid) = 'Sysmon - Image Loaded (7)' AND LOWER("ImageLoaded") LIKE '%.dll' AND (IsTempPath = 1 OR IsUNCPath = 1 OR IsSuspiciousLoader = 1) AND IsKnownGoodDir = 0 AND starttime > NOW() - 86400 SECONDS ORDER BY starttime DESC

high severity medium confidence

QRadar AQL query detecting suspicious shared module (DLL) loading events from Sysmon Event ID 7 (ImageLoad). Flags DLLs loaded from temp directories, UNC paths, or by known LOLBin processes while excluding loads from trusted system directories. Correlates Sysmon data ingested via Windows log source into QRadar.

Data Sources

QRadar Windows Security DSMSysmon logs via WinCollect or Universal DSMMicrosoft Windows Security Event Log DSM

Required Tables

events (QRadar event pipeline with Sysmon DSM parsed fields)

False Positives & Tuning

Software update mechanisms that unpack DLLs to Temp before loading them (e.g., Chrome, Firefox, Windows Update components staging side-by-side assemblies)
Security tools such as EDR agents, vulnerability scanners, or DLP products that inject monitoring DLLs into processes from non-standard paths
Custom enterprise applications that load plugins or extensions from user AppData directories as part of legitimate extensibility frameworks

Download portable Sigma rule (.yml)

Other platforms for T1129

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Load DLL from Temp Directory via rundll32
Expected signal: Sysmon Event ID 7 (ImageLoad): ImageLoaded path will be %TEMP%\df00tech-test-module.dll, Image will be C:\Windows\System32\rundll32.exe. Sysmon Event ID 1 (Process Create): rundll32.exe with command line containing the Temp path. Security Event ID 4688 if command line auditing is enabled.
Test 2Load DLL via PowerShell Assembly.LoadFile from AppData
Expected signal: Sysmon Event ID 7: ImageLoaded will show AppData\Roaming\df00tech-module.dll loaded by powershell.exe. Sysmon Event ID 1: PowerShell process creation with LoadFile command. Sysmon Event ID 11: File creation of df00tech-module.dll in AppData\Roaming.
Test 3Load Shared Object from /tmp via dlopen on Linux
Expected signal: Auditd syscall events: openat(2) call to /tmp/df00tech_test_module.so from python3 process. Linux audit event type=EXECVE for gcc and python3. If using Falco or Sysdig: proc.name=python3 with fd.name=/tmp/*.so triggers shared lib load from tmp rule. Syslog entry if auditd is configured to monitor /tmp for file opens.
Test 4Regsvr32 Loading Unregistered DLL from User-Writable Path
Expected signal: Sysmon Event ID 7 (ImageLoad): ImageLoaded=C:\Windows\Temp\df00tech-reg-test.dll, Image=C:\Windows\System32\regsvr32.exe. Sysmon Event ID 1: regsvr32.exe with /s flag and the temp path. The /s flag suppresses the dialog box — this silence flag is itself a behavioral indicator used in malware deployment.
Test 5Load dylib from /tmp on macOS via Python ctypes
Expected signal: macOS Endpoint Security Framework: ES_EVENT_TYPE_NOTIFY_MMAP event for the dylib mmap into python3 process address space. Unified log (log stream --predicate 'subsystem == "com.apple.dyld"') shows dylib load from /tmp. If Jamf Protect or CrowdStrike Falcon is deployed: 'Shared Library Loaded from /tmp' detection fires.

Last updated: 2026-04-18 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1129 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Shared Modules in IBM QRadar

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1129

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Execution

Popular Detections

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1129

Testing Methodology

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Execution

Popular Detections

Get new detections in your inbox