Detect DLL in Splunk
Adversaries may abuse dynamic-link library (DLL) mechanisms to achieve persistence, privilege escalation, and defense evasion. Techniques include DLL search order hijacking (planting a malicious DLL earlier in the search path), DLL side-loading (placing a malicious DLL alongside a legitimate signed executable), phantom DLL hijacking (targeting references to non-existent DLLs), DLL substitution (replacing a valid DLL), and DLL redirection (using .manifest or .local files). Groups including Chimera, TONESHELL/Mustang Panda, Velvet Ant, APT41, and Aquatic Panda have extensively used these techniques to load malicious payloads under trusted process contexts.
MITRE ATT&CK
- Technique
- T1574 Hijack Execution Flow
- Sub-technique
- T1574.001 DLL
- Canonical reference
- https://attack.mitre.org/techniques/T1574/001/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7
| eval ImageLoaded=lower(ImageLoaded)
| eval SuspiciousPath=if(
match(ImageLoaded, "(\\\\appdata\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\windows\\\\temp\\\\|\\\\temp\\\\)"),
1, 0)
| eval TrustedLoader=if(
match(lower(Image), "(c:\\\\windows\\\\system32\\\\|c:\\\\program files\\\\|c:\\\\program files \\(x86\\)\\\\)"),
1, 0)
| where SuspiciousPath=1 AND TrustedLoader=1
| eval UnsignedDLL=if(Signed="false" OR isnull(Signed), 1, 0)
| eval MismatchedSignature=if(Signed="true" AND SignatureStatus!="Valid", 1, 0)
| table _time, host, User, Image, ImageLoaded, Signed, SignatureStatus, Hashes, UnsignedDLL, MismatchedSignature
| sort - _timeDetects DLL hijacking using Sysmon Event ID 7 (ImageLoad). Identifies cases where a trusted executable (System32, Program Files) loads a DLL from a suspicious user-writable path. Additionally flags unsigned DLLs and DLLs with invalid signatures, which are strong indicators of malicious DLL planting.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate portable applications that bundle their own DLLs in AppData (e.g., Electron-based apps like Teams, Slack)
- Developer workstations loading DLLs from build output directories
- Software installers temporarily extracting DLLs to TEMP during installation
- Security tools loading unsigned plugin DLLs from configuration directories
Other platforms for T1574.001
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1DLL Search Order Hijacking via Phantom DLL
Expected signal: Sysmon Event ID 11 (FileCreate): Target file path containing 'dll-hijack-test\cryptsp.dll'. Sysmon Event ID 7 (ImageLoad) if the DLL is loaded. Process creation events showing calc.exe running from a non-standard path.
- Test 2DLL Side-Loading with Legitimate Signed Binary
Expected signal: Sysmon Event ID 11 (FileCreate): Legitimate executable copied to TEMP directory. Sysmon Event ID 1 (Process Create): Process launched from TEMP instead of its legitimate System32 home. File creation events in the temp directory.
- Test 3DLL Redirection via .local File
Expected signal: Sysmon Event ID 11 (FileCreate): .local file created alongside a legitimate executable copy. The presence of [executable].local causes Windows to prioritize the application's directory for all DLL searches, enabling DLL hijacking of any DLL that calc.exe imports.
References (7)
- https://attack.mitre.org/techniques/T1574/001/
- https://unit42.paloaltonetworks.com/dll-hijacking-techniques/
- https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
- https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md
- https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order
Unlock Pro Content
Get the full detection package for T1574.001 including response playbook, investigation guide, and atomic red team tests.