T1574.002 DLL Side-Loading Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousLocations = dynamic([
  "\\AppData\\", "\\Temp\\", "\\ProgramData\\",
  "\\Users\\Public\\", "\\Downloads\\"
]);
DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where Signed == false or SignatureState != "SignedValid"
| where FolderPath has_any (SuspiciousLocations)
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where ProcessVersionInfoCompanyName != "" 
    | where not(FolderPath has_any ("\\AppData\\", "\\Temp\\", "\\ProgramData\\"))
    | project DeviceId, ProcessId, FileName, FolderPath, ProcessVersionInfoCompanyName, ProcessVersionInfoProductName
) on DeviceId, $left.InitiatingProcessId == $right.ProcessId
| project Timestamp, DeviceName, AccountName,
         LoadedDLL=FileName, DLLPath=FolderPath, SHA256,
         LoadingProcess=FileName1, LoadingProcessPath=FolderPath1,
         Vendor=ProcessVersionInfoCompanyName1
| sort by Timestamp desc

high severity high confidence

Data Sources

Module: Module Load Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceImageLoadEvents DeviceProcessEvents

False Positives

Electron-based applications (Teams, Slack, VS Code) that bundle their own unsigned DLLs in AppData
Game launchers that use custom DLLs loaded from game installation directories in Program Files
Development environments that load debug DLLs from build output directories
Some enterprise software installers that extract and load DLLs from TEMP during installation

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7
| eval DLLPath=lower(ImageLoaded)
| eval LoaderPath=lower(Image)
| eval SuspiciousLoad=if(
    (Signed="false" OR isnull(Signed)) AND
    match(DLLPath, "(appdata|\\\\temp\\\\|programdata|users\\\\public)"),
    1, 0)
| eval TrustedProcess=if(
    match(LoaderPath, "(symantec|norton|vmware|logmein|teamviewer|anydesk|cisco|adobe|microsoft)"),
    1, 0)
| where SuspiciousLoad=1
| eval Severity=if(TrustedProcess=1, "HIGH", "MEDIUM")
| table _time, host, User, Image, ImageLoaded, Signed, SignatureStatus, Hashes, Severity
| sort - _time

high severity high confidence

Data Sources

Module: Module Load Sysmon Event ID 7

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Electron-based applications bundling unsigned dependencies in AppData (Teams, Slack, Discord)
Gaming clients loading custom DLLs from writable directories
Developer tools loading unsigned debug/instrumentation DLLs
Enterprise software that uses legitimate side-loading for plugin architectures

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5s
  [process where event.type == "start"
   and process.code_signature.exists == true
   and process.code_signature.trusted == true
   and not (process.executable like~ "*\\AppData\\*" or process.executable like~ "*\\Temp\\*" or process.executable like~ "*\\ProgramData\\*")]
  [library where event.type == "start"
   and (dll.code_signature.trusted == false or dll.code_signature.exists == false)
   and (dll.path like~ "*\\AppData\\*" or dll.path like~ "*\\Temp\\*" or dll.path like~ "*\\ProgramData\\*" or dll.path like~ "*\\Users\\Public\\*" or dll.path like~ "*\\Downloads\\*")]

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.library-* logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate software installers that extract and temporarily load DLLs from %TEMP% during installation or update processes (e.g., Adobe, Java, Microsoft updates).
Security tools or EDR agents that load unsigned helper DLLs from ProgramData as part of normal operations (e.g., CrowdStrike Falcon, Carbon Black).
Developer workstations where developers test self-compiled DLLs from local AppData or Temp directories alongside legitimate signed host applications.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "sourceip",
  "username",
  "FileName" AS loaded_dll,
  "ImageLoaded" AS dll_path,
  "Image" AS loading_process,
  "Signed",
  "SignatureStatus",
  "Hashes",
  CASE
    WHEN LOWER("Image") ILIKE ANY ('%symantec%','%norton%','%vmware%','%logmein%','%teamviewer%','%anydesk%','%cisco%','%adobe%','%microsoft%')
    THEN 'HIGH'
    ELSE 'MEDIUM'
  END AS severity
FROM events
WHERE
  LOGSOURCETYPEID = 12 -- Windows
  AND QIDNAME(qid) ILIKE '%sysmon%'
  AND "EventID" = '7'
  AND ("Signed" = 'false' OR "Signed" IS NULL OR "SignatureStatus" != 'Valid')
  AND (
    LOWER("ImageLoaded") ILIKE '%\\appdata\\%'
    OR LOWER("ImageLoaded") ILIKE '%\\temp\\%'
    OR LOWER("ImageLoaded") ILIKE '%\\programdata\\%'
    OR LOWER("ImageLoaded") ILIKE '%\\users\\public\\%'
    OR LOWER("ImageLoaded") ILIKE '%\\downloads\\%'
  )
  AND LAST 24 HOURS
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

Sysmon via Windows Event Forwarding to QRadar IBM QRadar SIEM Windows DSM

Required Tables

events

False Positives

Enterprise software deployment tools (SCCM, Intune) that stage DLL updates in ProgramData or Temp before loading them with signed binaries during patch cycles.
Legitimate productivity software like Zoom, Slack, or Teams that loads unsigned plugin DLLs from AppData during updates or feature loading.
Antivirus or endpoint protection products conducting on-access scanning that load unsigned scanning engine components from ProgramData directories.

Sumo Logic CSE

sql

(_sourceCategory="*windows*" OR _sourceCategory="*sysmon*" OR _sourceCategory="WinEvents/Sysmon")
| where EventID = "7"
| parse field=Message "Image: *\n" as loading_process nodrop
| parse field=Message "ImageLoaded: *\n" as dll_path nodrop
| parse field=Message "Signed: *\n" as signed nodrop
| parse field=Message "SignatureStatus: *\n" as signature_status nodrop
| parse field=Message "Hashes: *\n" as hashes nodrop
| parse field=Message "User: *\n" as user nodrop
| where (signed = "false" or isnull(signed) or signature_status != "Valid")
| where (
    dll_path matches "*\\AppData\\*"
    OR dll_path matches "*\\Temp\\*"
    OR dll_path matches "*\\ProgramData\\*"
    OR dll_path matches "*\\Users\\Public\\*"
    OR dll_path matches "*\\Downloads\\*"
  )
| eval loading_process_lower = toLowerCase(loading_process)
| eval severity = if(
    loading_process_lower matches "*(symantec|norton|vmware|logmein|teamviewer|anydesk|cisco|adobe|microsoft)*",
    "HIGH", "MEDIUM"
  )
| count as load_count by _sourceHost, user, loading_process, dll_path, signed, hashes, severity
| sort by load_count desc

high severity medium confidence

Data Sources

Sysmon operational logs via Sumo Logic Windows agent Windows Event Log collector for Sysmon/Operational channel

Required Tables

Sysmon Event ID 7 (ImageLoaded) logs

False Positives

Trusted enterprise applications like Oracle JRE or SAP that extract and load unsigned JNI/helper DLLs into user-specific AppData directories as part of normal startup.
Game clients (Steam, Epic Games Launcher) that load unsigned DLLs from local AppData paths during game updates or anti-cheat initialization.
Custom in-house enterprise applications built without code signing that are loaded alongside signed Microsoft or third-party runtime hosts.

Google Chronicle / SecOps

yaral

rule dll_side_loading_suspicious_path {
  meta:
    author = "Detection Engineering"
    description = "Detects DLL side-loading: a signed, trusted process loading an unsigned or untrusted DLL from a user-writable suspicious directory path."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation"
    mitre_attack_technique = "T1574.002"
    reference = "https://attack.mitre.org/techniques/T1574/002/"

  events:
    $load.metadata.event_type = "PROCESS_MODULE_LOAD"
    $load.principal.hostname = $hostname
    $load.target.file.full_path = $dll_path
    (
      $load.target.file.pe_file.signature_info.check_status != "SIGNATURE_CHECK_STATUS_VERIFIED"
      or
      re.regex($load.target.file.full_path, `(?i)(\\appdata\\|\\temp\\|\\programdata\\|\\users\\public\\|\\downloads\\)`)
    )
    re.regex($load.target.file.full_path, `(?i)(\\appdata\\|\\temp\\|\\programdata\\|\\users\\public\\|\\downloads\\)`)

    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.hostname = $hostname
    $proc.target.process.file.full_path = $loader_path
    $proc.target.file.pe_file.signature_info.check_status = "SIGNATURE_CHECK_STATUS_VERIFIED"
    not re.regex($proc.target.process.file.full_path, `(?i)(\\appdata\\|\\temp\\|\\programdata\\)`)

    $load.principal.process.pid = $proc.target.process.pid

  match:
    $hostname over 5m

  outcome:
    $risk_score = if(
      re.regex($loader_path, `(?i)(symantec|norton|vmware|logmein|teamviewer|anydesk|cisco|adobe|microsoft)`),
      95, 75
    )
    $summary = array_distinct($dll_path)

  condition:
    $load and $proc
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Endpoint telemetry via Chronicle forwarder Microsoft Defender for Endpoint events via Chronicle ingestion

Required Tables

PROCESS_LAUNCH UDM events PROCESS_MODULE_LOAD UDM events

False Positives

Security vendor software (e.g., Trend Micro, McAfee) that legitimately loads unsigned component DLLs from ProgramData sub-directories during real-time protection operations.
Automated software update mechanisms for large enterprise vendors (e.g., SAP, Oracle) that stage new unsigned DLL versions in Temp or ProgramData before swapping them in under a signed host process.
Developer build and test environments where developers intentionally place test DLLs alongside signed SDK or runtime host binaries in writable directories.

CrowdStrike LogScale (CQL)

cql

// DLL Side-Loading: Signed process loading unsigned DLL from suspicious writable path
#event_simpleName = "ClassifiedModuleLoad"
| ImageFileName = /(?i)(\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Downloads\\)/
| in(field=ImageSigned, values=["0", "false", "FALSE"])
| join(
    { #event_simpleName = "ProcessRollup2"
      | ProcessSignatureLevel != "0"
      | ProcessSignatureLevel != null
      | not ImageFileName = /(?i)(\\AppData\\|\\Temp\\|\\ProgramData\\)/
      | rename(field="TargetProcessId", as="JoinProcessId")
      | rename(field="ImageFileName", as="LoaderImageFileName")
      | rename(field="SHA256HashData", as="LoaderSHA256")
      | rename(field="CommandLine", as="LoaderCommandLine")
    },
    field=ContextProcessId,
    key=JoinProcessId,
    kind=inner
  )
| eval severity = if(
    LoaderImageFileName = /(?i)(symantec|norton|vmware|logmein|teamviewer|anydesk|cisco|adobe|microsoft)/,
    "HIGH", "MEDIUM"
  )
| table(
    [@timestamp, ComputerName, UserName,
     ImageFileName, SHA256HashData,
     LoaderImageFileName, LoaderCommandLine, LoaderSHA256,
     ImageSigned, ImageSigningInfo, severity]
  )
| sort(@timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint sensor (module load telemetry) CrowdStrike Falcon LogScale (Humio) via Falcon Data Replicator

Required Tables

ClassifiedModuleLoad Falcon events ProcessRollup2 Falcon events

False Positives

CrowdStrike Falcon sensor itself or other EDR products that inject unsigned monitoring DLLs into signed host processes as part of their normal hooking or telemetry collection operations.
Legitimate in-house enterprise tools built with unsigned DLL components that are invoked alongside signed Microsoft runtime hosts (e.g., dotnet.exe, msiexec.exe) during business automation.
Software packaging tools (NSIS, Inno Setup) that load unsigned payload DLLs from Temp during legitimate installation sequences triggered by signed installer wrappers.

DLL Side-Loading

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections