T1574.002 Google Chronicle · YARA-L

Detect DLL Side-Loading in Google Chronicle

Adversaries execute malicious payloads by placing a malicious DLL alongside a legitimate, often digitally signed, application and then invoking that application. Unlike passive DLL search order hijacking (which waits for a victim to run an application), DLL side-loading is active: the adversary both plants the DLL and triggers the legitimate executable. This lets malicious code run under the cover of a trusted, signed parent process. Common victim executables include security tools, game clients, and enterprise software (e.g., VMware, Symantec, LogMeIn). The technique is widely used by APT groups including MuddyWater and Mustang Panda/TONESHELL, by Cobalt Strike operators, and by numerous others.

MITRE ATT&CK

Tactic: Persistence, Privilege Escalation, Defense Evasion
Canonical reference: https://attack.mitre.org/techniques/T1574/002/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule dll_side_loading_suspicious_path {
  meta:
    author = "Detection Engineering"
    description = "Detects DLL side-loading: a signed, trusted process loading an unsigned or untrusted DLL from a user-writable suspicious directory path."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation"
    mitre_attack_technique = "T1574.002"
    reference = "https://attack.mitre.org/techniques/T1574/002/"

  events:
    // Module load of a DLL that is BOTH not verified-signed AND sitting in a user-writable staging directory.
    // The two predicates are ANDed on purpose: an unsigned DLL from Program Files, or a signed DLL from
    // Downloads, is not the side-loading pattern this rule targets.
    $load.metadata.event_type = "PROCESS_MODULE_LOAD"
    $load.principal.hostname = $hostname
    $load.target.file.full_path = $dll_path
    $load.target.file.pe_file.signature_info.check_status != "SIGNATURE_CHECK_STATUS_VERIFIED"
    re.regex($load.target.file.full_path, `(?i)(\\appdata\\|\\temp\\|\\programdata\\|\\users\\public\\|\\downloads\\)`)

    // Launch of a verified-signed executable that itself lives outside the writable staging directories.
    // The signature field is read from target.process.file, the same object that supplies $loader_path.
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.hostname = $hostname
    $proc.target.process.file.full_path = $loader_path
    $proc.target.process.file.pe_file.signature_info.check_status = "SIGNATURE_CHECK_STATUS_VERIFIED"
    not re.regex($proc.target.process.file.full_path, `(?i)(\\appdata\\|\\temp\\|\\programdata\\)`)

    // Join the module load to the launch on the process ID (hostname is already shared via $hostname).
    $load.principal.process.pid = $proc.target.process.pid

  match:
    $hostname over 5m

  outcome:
    // With a match section, outcome variables must be aggregated; $loader_path is not a match variable,
    // so the conditional is wrapped in max().
    $risk_score = max(if(
      re.regex($loader_path, `(?i)(symantec|norton|vmware|logmein|teamviewer|anydesk|cisco|adobe|microsoft)`),
      95, 75
    ))
    $summary = array_distinct($dll_path)

  condition:
    $load and $proc
}

Severity: HIGH · Confidence: HIGH

Chronicle YARA-L 2.0 rule that correlates a verified-signed process launch event with an unverified DLL module load from a user-writable staging path on the same host, joined on the process ID, within a 5-minute window. The risk score is raised from 75 to 95 when the loading process path matches vendor names commonly abused for side-loading.

Data Sources

  • Google Chronicle UDM (Unified Data Model)
  • Endpoint telemetry via Chronicle forwarder
  • Microsoft Defender for Endpoint events via Chronicle ingestion

Required Tables

  • PROCESS_LAUNCH UDM events
  • PROCESS_MODULE_LOAD UDM events

False Positives & Tuning

  • Security vendor software (e.g., Trend Micro, McAfee) that legitimately loads unsigned component DLLs from ProgramData sub-directories during real-time protection operations.
  • Automated software update mechanisms for large enterprise vendors (e.g., SAP, Oracle) that stage new unsigned DLL versions in Temp or ProgramData before swapping them in under a signed host process.
  • Developer build and test environments where developers intentionally place test DLLs alongside signed SDK or runtime host binaries in writable directories.
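To see what the rule's join, scoring and tuning exclusions do on concrete telemetry, the following is an added Python re-implementation of the same logic run over constructed sample events. It is not Chronicle code and not part of this page's rule. The flat event shape (`ts`, `type`, `host`, `pid`, `path`, `sig`) is a stand-in for the UDM fields, the hostnames, PIDs and file paths are made up, the non-verified status string is assumed, and `TUNING_EXCLUSIONS` shows how the Trend Micro ProgramData case from the tuning list above would be carved out without loosening the rule elsewhere.

```python
import re
from datetime import datetime, timedelta

# Path and vendor patterns taken from the YARA-L rule on this page.
SUSPICIOUS_DLL_DIR = re.compile(r"(?i)(\\appdata\\|\\temp\\|\\programdata\\|\\users\\public\\|\\downloads\\)")
SUSPICIOUS_EXE_DIR = re.compile(r"(?i)(\\appdata\\|\\temp\\|\\programdata\\)")
ABUSED_VENDORS = re.compile(r"(?i)(symantec|norton|vmware|logmein|teamviewer|anydesk|cisco|adobe|microsoft)")
VERIFIED = "SIGNATURE_CHECK_STATUS_VERIFIED"
UNVERIFIED = "SIGNATURE_CHECK_STATUS_UNVERIFIED"  # assumed value; the rule only tests != VERIFIED
WINDOW = timedelta(minutes=5)

# Constructed sample events (hosts, PIDs and paths are invented for illustration).
EVENTS = [
    # ws01: signed VMware-branded installer run from Downloads loads an unsigned DLL beside it -> alert, risk 95
    {"ts": "2024-05-01T10:00:00", "type": "PROCESS_LAUNCH", "host": "ws01", "pid": 4120,
     "path": r"C:\Users\alice\Downloads\VMwareSetup\setup.exe", "sig": VERIFIED},
    {"ts": "2024-05-01T10:00:01", "type": "PROCESS_MODULE_LOAD", "host": "ws01", "pid": 4120,
     "path": r"C:\Users\alice\Downloads\VMwareSetup\signed-helper.dll", "sig": VERIFIED},  # signed: ignored
    {"ts": "2024-05-01T10:00:03", "type": "PROCESS_MODULE_LOAD", "host": "ws01", "pid": 4120,
     "path": r"C:\Users\alice\Downloads\VMwareSetup\helper.dll", "sig": UNVERIFIED},
    # ws02: unsigned DLL, but loaded from Program Files rather than a writable staging directory -> no alert
    {"ts": "2024-05-01T10:00:00", "type": "PROCESS_LAUNCH", "host": "ws02", "pid": 500,
     "path": r"C:\Program Files\Acme\acme.exe", "sig": VERIFIED},
    {"ts": "2024-05-01T10:00:02", "type": "PROCESS_MODULE_LOAD", "host": "ws02", "pid": 500,
     "path": r"C:\Program Files\Acme\plugin.dll", "sig": UNVERIFIED},
    # ws03: signed Windows binary loads an unsigned DLL under ProgramData\Trend Micro -> alert at 75 unless tuned out
    {"ts": "2024-05-01T10:00:00", "type": "PROCESS_LAUNCH", "host": "ws03", "pid": 777,
     "path": r"C:\Windows\System32\svchost.exe", "sig": VERIFIED},
    {"ts": "2024-05-01T10:00:04", "type": "PROCESS_MODULE_LOAD", "host": "ws03", "pid": 777,
     "path": r"C:\ProgramData\Trend Micro\component.dll", "sig": UNVERIFIED},
    # ws04: same shape as ws01, but the load arrives 7 minutes after the launch -> outside the 5m window
    {"ts": "2024-05-01T10:00:00", "type": "PROCESS_LAUNCH", "host": "ws04", "pid": 900,
     "path": r"C:\Program Files\TeamViewer\TeamViewer.exe", "sig": VERIFIED},
    {"ts": "2024-05-01T10:07:00", "type": "PROCESS_MODULE_LOAD", "host": "ws04", "pid": 900,
     "path": r"C:\Users\Public\late.dll", "sig": UNVERIFIED},
]

# Tuning exclusion for the first false-positive class listed above (security vendor ProgramData subtree).
TUNING_EXCLUSIONS = [re.compile(r"(?i)\\programdata\\trend micro\\")]


def ts(value):
    return datetime.fromisoformat(value)


def correlate(events, exclusions=()):
    """Return one alert per (signed launch, unsigned suspicious-path load) pair on the same host and PID within WINDOW."""
    launches = [e for e in events
                if e["type"] == "PROCESS_LAUNCH" and e["sig"] == VERIFIED
                and not SUSPICIOUS_EXE_DIR.search(e["path"])]
    # Both predicates are required, mirroring the ANDed conditions of the rule.
    loads = [e for e in events
             if e["type"] == "PROCESS_MODULE_LOAD" and e["sig"] != VERIFIED
             and SUSPICIOUS_DLL_DIR.search(e["path"])]
    alerts = []
    for proc in launches:
        for load in loads:
            if (load["host"], load["pid"]) != (proc["host"], proc["pid"]):
                continue
            if abs(ts(load["ts"]) - ts(proc["ts"])) > WINDOW:
                continue
            if any(ex.search(load["path"]) for ex in exclusions):
                continue
            alerts.append({"host": proc["host"], "loader": proc["path"], "dll": load["path"],
                           "risk": 95 if ABUSED_VENDORS.search(proc["path"]) else 75})
    return alerts


if __name__ == "__main__":
    for label, excl in (("untuned", ()), ("tuned", TUNING_EXCLUSIONS)):
        print(label)
        for alert in correlate(EVENTS, excl):
            print(f"  {alert['host']} risk={alert['risk']} loader={alert['loader']} dll={alert['dll']}")
```

Running it untuned yields two alerts (ws01 at 95, ws03 at 75); with the exclusion applied only the ws01 alert remains, while the ws02 (non-staging path) and ws04 (out-of-window) pairs never fire in either mode.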
Testing Methodology

Validate this detection against three Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: DLL Side-Loading via Renamed Legitimate Binary

    Expected signal: Sysmon Event ID 11 (FileCreate): both csc.exe and clrjit.dll created in the same TEMP subdirectory within a short timeframe. Sysmon Event ID 7 (ImageLoad): if csc.exe is executed, clrjit.dll is resolved from the local directory first. DeviceFileEvents shows EXE and DLL creation in the same writable path.

  2. Test 2: Abusing VMware Binary for Side-Loading (Simulation)

    Expected signal: Sysmon Event ID 11 (FileCreate): DLL created in a user-writable TEMP location. DeviceFileEvents captures the file creation event with the SHA256 hash of the dummy DLL.

  3. Test 3: PowerShell Verification of DLL Search Order

    Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe spawned with a command enumerating the PATH environment variable. PowerShell ScriptBlock Logging Event ID 4104 records the full script. No DLL load events are generated.
