T1129 Sumo Logic CSE · Sumo

Detect Shared Modules in Sumo Logic CSE

Adversaries may execute malicious payloads by loading shared modules into running processes. Shared modules are executable files (DLLs on Windows, .so on Linux, .dylib on macOS) loaded at runtime to provide reusable code or access OS API functions. Adversaries abuse this by loading malicious shared objects from arbitrary local paths or UNC network paths, allowing payload execution within the memory space of a legitimate host process. Windows uses LoadLibrary/LoadLibraryEx (via NTDLL.dll Native API), Linux uses dlopen/dlsym from dlfcn.h, and macOS uses both dlopen and Objective-C runtime calls. This technique enables modular malware architectures where the main dropper loads additional capability modules — seen in gh0st RAT, Astaroth, RotaJakiro, FoggyWeb, and BLINDINGCAN.

MITRE ATT&CK

Tactic: Execution
Technique: T1129 Shared Modules
Canonical reference: https://attack.mitre.org/techniques/T1129/

Sumo Detection Query

_sourceCategory=windows/sysmon EventCode=7
| parse "<ImageLoaded>*</ImageLoaded>" as ImageLoaded nodrop
| parse "<Image>*</Image>" as LoaderProcess nodrop
| parse "<Signed>*</Signed>" as Signed nodrop
| parse "<SignatureStatus>*</SignatureStatus>" as SignatureStatus nodrop
| parse "<Hashes>*</Hashes>" as Hashes nodrop
| parse "<CommandLine>*</CommandLine>" as CommandLine nodrop
| parse "<User>*</User>" as User nodrop
// Sumo Logic search has no eval operator; derived fields are written as "expression as field"
| toLowerCase(ImageLoaded) as ImageLower
| toLowerCase(LoaderProcess) as ProcessLower
| where ImageLower matches "*.dll"
// user-writable staging locations commonly used to drop a module before loading it
| if(ImageLower matches "*\\appdata\\local\\temp\\*" OR ImageLower matches "*\\appdata\\roaming\\*" OR ImageLower matches "*\\windows\\temp\\*" OR ImageLower matches "*\\users\\public\\*" OR ImageLower matches "c:\\temp\\*" OR ImageLower matches "c:\\tmp\\*" OR ImageLower matches "*\\downloads\\*", 1, 0) as IsTempPath
// UNC path: module loaded straight from a network share
| if(ImageLower matches "\\\\*", 1, 0) as IsUNCPath
// LOLBin loaders that are frequently used to execute arbitrary DLLs
| if(ProcessLower matches "*\\rundll32.exe" OR ProcessLower matches "*\\regsvr32.exe" OR ProcessLower matches "*\\mshta.exe" OR ProcessLower matches "*\\wscript.exe" OR ProcessLower matches "*\\cscript.exe" OR ProcessLower matches "*\\msbuild.exe" OR ProcessLower matches "*\\installutil.exe", 1, 0) as IsSuspiciousLoader
// OS and vendor directories where DLL loads are routine
| if(ImageLower matches "*\\windows\\system32\\*" OR ImageLower matches "*\\windows\\syswow64\\*" OR ImageLower matches "*\\windows\\winsxs\\*" OR ImageLower matches "*\\program files\\*", 1, 0) as IsKnownGoodDir
// Sysmon reports Signed as true/false; a missing field (nodrop) is treated as unsigned
| if(Signed = "false" OR isBlank(Signed), 1, 0) as IsUnsigned
// the LOLBin term only counts when the module comes from outside a known-good directory
| IsTempPath + IsUNCPath + (IsSuspiciousLoader * (1 - IsKnownGoodDir)) + IsUnsigned as SuspicionScore
| where SuspicionScore >= 1 AND IsKnownGoodDir = 0
| fields _messageTime, _sourceHost, User, LoaderProcess, CommandLine, ImageLoaded, Signed, SignatureStatus, Hashes, IsTempPath, IsUNCPath, IsSuspiciousLoader, IsUnsigned, SuspicionScore
| sort by SuspicionScore, _messageTime

Severity: high. Confidence: high.

Sumo Logic CSE query detecting T1129 shared module abuse via Sysmon Event ID 7 (Image Loaded). Parses XML Sysmon events to evaluate DLL load paths against suspicious directories, UNC paths, and known LOLBin loader processes. Computes a suspicion score to prioritize high-confidence events while suppressing known-good system directory loads.
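To make the scoring logic concrete, here is an added Python re-implementation of the query's flags and SuspicionScore run over constructed Sysmon Event ID 7 fragments; it is example code written for this page, not part of the Sumo query or any vendor tooling, and the sample paths, loader names and the tag-per-field XML shape are assumptions that mirror what the query parses.

```python
import fnmatch
import re
# Glob patterns copied from the query's IsTempPath, IsKnownGoodDir and
# IsSuspiciousLoader terms; all matching is done on lower-cased paths.
TEMP_PATHS = ["*\\appdata\\local\\temp\\*", "*\\appdata\\roaming\\*", "*\\windows\\temp\\*",
              "*\\users\\public\\*", "c:\\temp\\*", "c:\\tmp\\*", "*\\downloads\\*"]
KNOWN_GOOD_DIRS = ["*\\windows\\system32\\*", "*\\windows\\syswow64\\*",
                   "*\\windows\\winsxs\\*", "*\\program files\\*"]
LOLBIN_LOADERS = ["*\\rundll32.exe", "*\\regsvr32.exe", "*\\mshta.exe", "*\\wscript.exe",
                  "*\\cscript.exe", "*\\msbuild.exe", "*\\installutil.exe"]

def _field(xml, tag):  # mirror of parse "<Tag>*</Tag>" as Tag nodrop: "" when absent
    m = re.search(rf"<{tag}>(.*?)</{tag}>", xml, re.S)
    return m.group(1) if m else ""

def _matches_any(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def score_image_load(event_xml):
    """Compute the query's SuspicionScore for one Sysmon Event ID 7 record."""
    image = _field(event_xml, "ImageLoaded").lower()
    loader = _field(event_xml, "Image").lower()
    signed = _field(event_xml, "Signed").lower()
    if not image.endswith(".dll"):
        return None  # first where clause: only DLL loads are scored
    flags = {
        "IsTempPath": int(_matches_any(image, TEMP_PATHS)),
        "IsUNCPath": int(image.startswith("\\\\")),
        "IsSuspiciousLoader": int(_matches_any(loader, LOLBIN_LOADERS)),
        "IsKnownGoodDir": int(_matches_any(image, KNOWN_GOOD_DIRS)),
        "IsUnsigned": int(signed in ("false", "")),
    }
    score = (flags["IsTempPath"] + flags["IsUNCPath"] + flags["IsUnsigned"]
             + flags["IsSuspiciousLoader"] * (1 - flags["IsKnownGoodDir"]))  # LOLBin loads from known-good dirs are routine
    return {**flags, "ImageLoaded": image, "LoaderProcess": loader, "SuspicionScore": score,
            "Alerts": score >= 1 and flags["IsKnownGoodDir"] == 0}  # final where clause

def triage(events):  # keep only alerting records, highest score first (the query's sort by)
    hits = [r for r in map(score_image_load, events) if r and r["Alerts"]]
    return sorted(hits, key=lambda r: r["SuspicionScore"], reverse=True)

# Constructed sample events in the tag-per-field XML shape the query parses (not real telemetry).
SAMPLE_EVENTS = [
    "<Image>C:\\Windows\\System32\\rundll32.exe</Image><Signed>false</Signed>"
    "<ImageLoaded>C:\\Users\\alice\\AppData\\Local\\Temp\\sample-module.dll</ImageLoaded>",
    "<Image>C:\\Windows\\System32\\regsvr32.exe</Image><Signed>true</Signed>"
    "<ImageLoaded>C:\\Windows\\System32\\scrobj.dll</ImageLoaded>",
    "<Image>C:\\Program Files\\Vendor\\app.exe</Image>"
    "<ImageLoaded>\\\\fileshare\\public\\helper.dll</ImageLoaded>",
]
```

The second sample shows the suppression term at work: regsvr32 loading a System32 DLL scores 0, while the third sample alerts on the UNC path plus the missing Signed field alone.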

Data Sources

  • Sumo Logic Windows Sysmon Source (XML event format)
  • Sumo Logic Installed Collector with Windows Event Log Source
  • Sumo Logic Cloud-to-Cloud Microsoft 365 Defender source

Required Tables

  • _sourceCategory=windows/sysmon
  • Sysmon Operational Event Log (EventCode=7)

False Positives & Tuning

  • Managed software deployment via PDQ Deploy, Ansible, or similar tools that temporarily place DLLs in staging directories accessible to running processes before installation completes
  • Browser extension or plugin frameworks (e.g., legacy NPAPI plugins, COM add-ins) that load shared libraries from user-profile locations as part of sandboxed execution
  • Penetration testing or red team tooling run by authorized staff loading reflective DLLs from temp directories during sanctioned assessments
Testing Methodology

Validate this detection against the 5 Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Load DLL from Temp Directory via rundll32

    Expected signal: Sysmon Event ID 7 (ImageLoad): ImageLoaded path will be %TEMP%\df00tech-test-module.dll, Image will be C:\Windows\System32\rundll32.exe. Sysmon Event ID 1 (Process Create): rundll32.exe with command line containing the Temp path. Security Event ID 4688 if command line auditing is enabled.

  2. Test 2: Load DLL via PowerShell Assembly.LoadFile from AppData

    Expected signal: Sysmon Event ID 7: ImageLoaded will show AppData\Roaming\df00tech-module.dll loaded by powershell.exe. Sysmon Event ID 1: PowerShell process creation with LoadFile command. Sysmon Event ID 11: File creation of df00tech-module.dll in AppData\Roaming.

  3. Test 3: Load Shared Object from /tmp via dlopen on Linux

    Expected signal: Auditd syscall events: openat(2) call to /tmp/df00tech_test_module.so from python3 process. Linux audit event type=EXECVE for gcc and python3. If using Falco or Sysdig: proc.name=python3 with fd.name=/tmp/*.so triggers shared lib load from tmp rule. Syslog entry if auditd is configured to monitor /tmp for file opens.

  4. Test 4: Regsvr32 Loading Unregistered DLL from User-Writable Path

    Expected signal: Sysmon Event ID 7 (ImageLoad): ImageLoaded=C:\Windows\Temp\df00tech-reg-test.dll, Image=C:\Windows\System32\regsvr32.exe. Sysmon Event ID 1: regsvr32.exe with /s flag and the temp path. The /s flag suppresses the dialog box — this silence flag is itself a behavioral indicator used in malware deployment.

  5. Test 5: Load dylib from /tmp on macOS via Python ctypes

    Expected signal: macOS Endpoint Security Framework: ES_EVENT_TYPE_NOTIFY_MMAP event for the dylib mmap into python3 process address space. Unified log (log stream --predicate 'subsystem == "com.apple.dyld"') shows dylib load from /tmp. If Jamf Protect or CrowdStrike Falcon is deployed: 'Shared Library Loaded from /tmp' detection fires.
