T1574.001 DLL Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousPaths = dynamic([
  "\\AppData\\Local\\Temp\\",
  "\\AppData\\Roaming\\",
  "\\ProgramData\\",
  "\\Users\\Public\\",
  "\\Windows\\Temp\\"
]);
let KnownGoodLoaders = dynamic([
  "C:\\Windows\\System32\\",
  "C:\\Windows\\SysWOW64\\",
  "C:\\Program Files\\",
  "C:\\Program Files (x86)\\"
]);
DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where not(FolderPath has_any (KnownGoodLoaders))
| where FolderPath has_any (SuspiciousPaths)
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where ProcessIntegrityLevel in ("High", "System")
    | project DeviceId, InitiatingProcessId=ProcessId, InitiatingProcessFileName=FileName, InitiatingProcessFolderPath=FolderPath
) on DeviceId
| where InitiatingProcessFolderPath has_any ("C:\\Program Files\\", "C:\\Windows\\System32\\")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, SHA256,
         InitiatingProcessFileName, InitiatingProcessFolderPath
| sort by Timestamp desc

high severity medium confidence

Data Sources

Module: Module Load File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceImageLoadEvents DeviceProcessEvents

False Positives

Legitimate portable applications that bundle their own DLLs in AppData (e.g., some update mechanisms for Slack, Teams, or Electron apps)
Developer workstations where build artifacts and test DLLs are loaded from non-standard paths
Software installers that extract DLLs to TEMP directories during installation and immediately load them
Security or monitoring tools that load plugins from user-writable configuration directories

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7
| eval ImageLoaded=lower(ImageLoaded)
| eval SuspiciousPath=if(
    match(ImageLoaded, "(\\\\appdata\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\windows\\\\temp\\\\|\\\\temp\\\\)"),
    1, 0)
| eval TrustedLoader=if(
    match(lower(Image), "(c:\\\\windows\\\\system32\\\\|c:\\\\program files\\\\|c:\\\\program files \\(x86\\)\\\\)"),
    1, 0)
| where SuspiciousPath=1 AND TrustedLoader=1
| eval UnsignedDLL=if(Signed="false" OR isnull(Signed), 1, 0)
| eval MismatchedSignature=if(Signed="true" AND SignatureStatus!="Valid", 1, 0)
| table _time, host, User, Image, ImageLoaded, Signed, SignatureStatus, Hashes, UnsignedDLL, MismatchedSignature
| sort - _time

high severity medium confidence

Data Sources

Module: Module Load Sysmon Event ID 7

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate portable applications that bundle their own DLLs in AppData (e.g., Electron-based apps like Teams, Slack)
Developer workstations loading DLLs from build output directories
Software installers temporarily extracting DLLs to TEMP during installation
Security tools loading unsigned plugin DLLs from configuration directories

Elastic Security (EQL)

eql

sequence by host.id [process where event.type == "start" and (process.executable : ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Program Files\\*", "C:\\Program Files (x86)\\*") and process.token.integrity_level_name in ("high", "system"))] [library where event.type == "start" and (dll.path : ("*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*", "*\\ProgramData\\*", "*\\Users\\Public\\*", "*\\Windows\\Temp\\*")) and not dll.path : ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Program Files\\*", "C:\\Program Files (x86)\\*") and (dll.code_signature.trusted == false or dll.code_signature.exists == false or dll.code_signature.status != "trusted")]

high severity high confidence

Data Sources

Elastic Endpoint Security Windows Event Logs Sysmon

Required Tables

logs-endpoint.events.library-* logs-endpoint.events.process-*

False Positives

Legitimate software installers that temporarily extract and load DLLs from AppData or Temp directories during installation or self-update routines
Security tools and EDR agents that inject helper DLLs from non-standard paths as part of hooking or monitoring functionality
Development and testing environments where developers run signed executables that load locally compiled DLLs from user-writable paths

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time, sourceip, username, "ImageLoaded", "Image", "Signed", "SignatureStatus", "Hashes", LOGSOURCENAME(logsourceid) AS log_source FROM events WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%' AND QIDNAME(qid) ILIKE '%Image Load%' AND (LOWER("ImageLoaded") LIKE '%\appdata\%' OR LOWER("ImageLoaded") LIKE '%\programdata\%' OR LOWER("ImageLoaded") LIKE '%\users\public\%' OR LOWER("ImageLoaded") LIKE '%\windows\temp\%') AND (LOWER("Image") LIKE '%\windows\system32\%' OR LOWER("Image") LIKE '%\windows\syswow64\%' OR LOWER("Image") LIKE '%\program files\%') AND ("Signed" ILIKE 'false' OR "SignatureStatus" <> 'Valid') AND devicetime > (NOW() - 86400000) ORDER BY devicetime DESC LAST 10000 EVENTS

high severity medium confidence

Data Sources

Sysmon via Windows Security Event Log QRadar DSM for Microsoft Windows

Required Tables

events

False Positives

Enterprise software management tools (e.g., SCCM, Intune agents) that stage DLLs in ProgramData before loading them under a privileged context
Antivirus or DLP products that use unsigned helper modules loaded from non-standard paths during operation
Python or scripting runtimes where the interpreter (in System32 or Program Files) loads extension modules from user AppData directories

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="*sysmon*") EventID=7
| parse "<Image>*</Image>" as loader_image
| parse "<ImageLoaded>*</ImageLoaded>" as loaded_dll
| parse "<Signed>*</Signed>" as signed
| parse "<SignatureStatus>*</SignatureStatus>" as signature_status
| parse "<Hashes>*</Hashes>" as hashes
| parse "<User>*</User>" as user
| where (matches(toLowerCase(loaded_dll), ".*\\appdata\\.*") OR matches(toLowerCase(loaded_dll), ".*\\programdata\\.*") OR matches(toLowerCase(loaded_dll), ".*\\users\\public\\.*") OR matches(toLowerCase(loaded_dll), ".*\\windows\\temp\\.*"))
| where (matches(toLowerCase(loader_image), ".*\\windows\\system32\\.*") OR matches(toLowerCase(loader_image), ".*\\windows\\syswow64\\.*") OR matches(toLowerCase(loader_image), ".*\\program files.*"))
| where (signed="false" OR (signed="true" AND signature_status!="Valid"))
| eval unsigned_dll = if(signed="false", "Yes", "No")
| eval mismatched_sig = if(signed="true" AND signature_status!="Valid", "Yes", "No")
| fields _messagetime, _sourceHost, user, loader_image, loaded_dll, signed, signature_status, hashes, unsigned_dll, mismatched_sig
| sort by _messagetime desc

high severity medium confidence

Data Sources

Sysmon for Windows Windows Event Logs

Required Tables

Sysmon Event ID 7 (Image Load)

False Positives

Legitimate portable applications that store their DLL dependencies in AppData\Roaming and are launched by a process that resides in Program Files
Software update mechanisms that download and stage unsigned DLLs in Temp directories before a privileged parent process loads them
Game clients or creative software with third-party unsigned plugins loaded from user profile directories under a signed launcher process

Google Chronicle / SecOps

yaral

rule t1574_001_dll_hijacking_sideloading {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects DLL search order hijacking or side-loading where a trusted high-integrity process loads an unsigned or suspicious DLL from a user-writable path (T1574.001)"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation"
    mitre_attack_technique = "T1574.001"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_MODULE_LOAD"
    $e.principal.process.file.full_path = /(?i)(\\windows\\system32\\|\\windows\\syswow64\\|\\program files)/
    (
      $e.target.file.full_path = /(?i)\\appdata\\local\\temp\\/ or
      $e.target.file.full_path = /(?i)\\appdata\\roaming\\/ or
      $e.target.file.full_path = /(?i)\\programdata\\/ or
      $e.target.file.full_path = /(?i)\\users\\public\\/ or
      $e.target.file.full_path = /(?i)\\windows\\temp\\/
    )
    not $e.target.file.full_path = /(?i)(\\windows\\system32\\|\\windows\\syswow64\\|\\program files)/
    (
      $e.target.file.pe_file.code_signature.signed = false or
      $e.target.file.pe_file.code_signature.signature_status != "SIGNATURE_VALID"
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows Endpoint Telemetry Sysmon via Chronicle forwarder

Required Tables

PROCESS_MODULE_LOAD UDM events

False Positives

Enterprise deployment tools that stage self-signed or internally-signed DLLs in ProgramData before a System32 process loads them as part of a sanctioned deployment workflow
Remote monitoring and management (RMM) agents that operate from non-standard paths and load helper modules under a trusted parent process context
Browser extension mechanisms or plugin frameworks where a signed browser loads extension DLLs from user profile AppData directories

CrowdStrike LogScale (CQL)

cql

// T1574.001 - DLL Hijacking: Trusted Process Loading DLL from Suspicious Path
#event_simpleName=ClassifiedModuleLoad
| ImageFileName = /(?i)(\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\|\\ProgramData\\|\\Users\\Public\\|\\Windows\\Temp\\)/
| not ImageFileName = /(?i)(\\Windows\\System32\\|\\Windows\\SysWOW64\\|\\Program Files\\|\\Program Files \(x86\)\\)/
| ProcessImageFileName = /(?i)(\\Windows\\System32\\|\\Windows\\SysWOW64\\|\\Program Files\\|\\Program Files \(x86\)\\)/
| (Signed="false" OR SignatureStatus!="Valid")
| groupBy([ComputerName, UserName, ProcessImageFileName, ImageFileName, SHA256HashData, Signed, SignatureStatus], function=[count(aid, as=load_count), collect(ImageFileName, as=loaded_dlls)])
| sort(load_count, order=desc)
| rename(field="load_count", as="DLL Load Count")
| rename(field="ProcessImageFileName", as="Loading Process")
| rename(field="ImageFileName", as="Suspicious DLL Path")
| rename(field="SHA256HashData", as="DLL SHA256")

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Falcon Prevent / Insight telemetry

Required Tables

ClassifiedModuleLoad Falcon event stream

False Positives

Vulnerability scanners or penetration testing tools run from Program Files that load test DLLs from Temp directories during authorized assessments
Legitimate software with self-update mechanisms where a trusted executable loads a freshly downloaded DLL from AppData or ProgramData before moving it to the final install location
Visual Studio or other development IDEs loading debug or extension DLLs from user-writable paths as part of normal development workflows

DLL

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections