Detect DLL Side-Loading in Elastic Security
Adversaries execute malicious payloads by placing a malicious DLL alongside a legitimate, often digitally-signed, application and then invoking that application. Unlike passive DLL search order hijacking (which waits for a victim to run an application), DLL side-loading is active: the adversary both plants the DLL and triggers the legitimate executable. This allows malicious code to run under the cover of a trusted process signature. Common victim executables include security tools, game clients, and enterprise software (e.g., VMware, Symantec, LogMeIn). Widely used by APT groups including MuddyWater, Mustang Panda/TONESHELL, Cobalt Strike operators, and numerous others.
MITRE ATT&CK
- Canonical reference
- https://attack.mitre.org/techniques/T1574/002/
Elastic Detection Query
sequence by host.id with maxspan=5s
[process where event.type == "start"
and process.code_signature.exists == true
and process.code_signature.trusted == true
and not (process.executable like~ "*\\AppData\\*" or process.executable like~ "*\\Temp\\*" or process.executable like~ "*\\ProgramData\\*")]
[library where event.type == "start"
and (dll.code_signature.trusted == false or dll.code_signature.exists == false)
and (dll.path like~ "*\\AppData\\*" or dll.path like~ "*\\Temp\\*" or dll.path like~ "*\\ProgramData\\*" or dll.path like~ "*\\Users\\Public\\*" or dll.path like~ "*\\Downloads\\*")]Detects DLL side-loading by correlating a trusted, signed process loading an unsigned or untrusted DLL from a suspicious user-writable directory. Uses EQL sequence to link the process start event with the subsequent image load event on the same host within a 5-second window.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software installers that extract and temporarily load DLLs from %TEMP% during installation or update processes (e.g., Adobe, Java, Microsoft updates).
- Security tools or EDR agents that load unsigned helper DLLs from ProgramData as part of normal operations (e.g., CrowdStrike Falcon, Carbon Black).
- Developer workstations where developers test self-compiled DLLs from local AppData or Temp directories alongside legitimate signed host applications.
Other platforms for T1574.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1DLL Side-Loading via Renamed Legitimate Binary
Expected signal: Sysmon Event ID 11 (FileCreate): Both csc.exe and clrjit.dll created in same TEMP subdirectory within short timeframe. Sysmon Event ID 7 (ImageLoad): if csc.exe is executed, clrjit.dll would be loaded from the local directory first. DeviceFileEvents shows EXE+DLL creation in same writable path.
- Test 2Abusing VMware Binary for Side-Loading (Simulation)
Expected signal: Sysmon Event ID 11 (FileCreate): DLL created in user-writable TEMP location. DeviceFileEvents captures file creation event with SHA256 hash of the dummy DLL.
- Test 3PowerShell Verification of DLL Search Order
Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe spawned with command enumerating PATH environment variable. PowerShell ScriptBlock Logging Event ID 4104 records the full script. No DLL loading events generated.
References (5)
- https://attack.mitre.org/techniques/T1574/002/
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
- https://unit42.paloaltonetworks.com/dll-hijacking-techniques/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md
- https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/
Unlock Pro Content
Get the full detection package for T1574.002 including response playbook, investigation guide, and atomic red team tests.