Detect DLL Side-Loading in CrowdStrike LogScale
Adversaries execute malicious payloads by placing a malicious DLL alongside a legitimate, often digitally signed, application and then invoking that application. Unlike passive DLL search-order hijacking, which waits for a victim to run an application, DLL side-loading is active: the adversary both plants the DLL and launches the legitimate executable, so the malicious code runs inside a process whose image carries a trusted signature. Common victim executables include security tools, game clients and enterprise software (e.g., VMware, Symantec and LogMeIn components). The technique is used widely, by APT groups including MuddyWater and Mustang Panda (the TONESHELL loader) and by Cobalt Strike operators.
MITRE ATT&CK
- Canonical reference
- https://attack.mitre.org/techniques/T1574/002/
LogScale Detection Query
// DLL Side-Loading: Signed process loading unsigned DLL from suspicious writable path
// Field names are those used on this page; confirm them against your Falcon event data dictionary before deploying.
#event_simpleName = "ClassifiedModuleLoad"
| ImageFileName = /(?i)(\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Downloads\\)/
| in(field=ImageSigned, values=["0", "false", "FALSE"])
| join(
{ #event_simpleName = "ProcessRollup2"
| ProcessSignatureLevel = *
| ProcessSignatureLevel != "0"
| not ImageFileName = /(?i)(\\AppData\\|\\Temp\\|\\ProgramData\\)/
| rename(field="ImageFileName", as="LoaderImageFileName")
| rename(field="SHA256HashData", as="LoaderSHA256")
| rename(field="CommandLine", as="LoaderCommandLine")
},
field=[aid, ContextProcessId],
key=[aid, TargetProcessId],
include=[LoaderImageFileName, LoaderSHA256, LoaderCommandLine],
mode=inner
)
| severity := if(LoaderImageFileName = /(?i)(symantec|norton|vmware|logmein|teamviewer|anydesk|cisco|adobe|microsoft)/, then="HIGH", else="MEDIUM")
| table(
[@timestamp, ComputerName, UserName,
ImageFileName, SHA256HashData,
LoaderImageFileName, LoaderCommandLine, LoaderSHA256,
ImageSigned, ImageSigningInfo, severity]
)
| sort(@timestamp, order=desc)

The query takes ClassifiedModuleLoad events for unsigned DLLs loaded from user-writable paths and joins them to the ProcessRollup2 event of the loading process, keeping only loaders that carry a non-zero signature level. The join key includes aid as well as the process ID because Falcon process IDs are only unique per sensor; joining on ContextProcessId alone can pair a module load on one host with a process on another. Severity is raised to HIGH when the loader's path matches vendors whose binaries are frequently abused for side-loading by APT groups. Two limits to keep in mind when tuning: the subquery excludes loaders running from AppData, Temp and ProgramData to cut installer noise, so a side-load in which the signed executable is itself dropped into one of those directories (the staging pattern exercised by Test 1 below) is not matched, although Users\Public and Downloads are still covered; and the severity rule matches the loader's path rather than its signer, so a renamed or relocated vendor binary scores MEDIUM.
Data Sources
Required Tables
- CrowdStrike Falcon sensor telemetry in LogScale: ClassifiedModuleLoad (module load; ImageFileName, ImageSigned, ImageSigningInfo, SHA256HashData, ContextProcessId) and ProcessRollup2 (process creation; ImageFileName, ProcessSignatureLevel, TargetProcessId, CommandLine, SHA256HashData).
False Positives & Tuning
- EDR and other security products that inject their own hooking or telemetry DLLs into signed host processes. Most vendors sign these DLLs, so confirm the DLL's signature status and signer before allowlisting, and allowlist the specific DLL rather than the whole product.
- Legitimate in-house enterprise tools built with unsigned DLL components that are loaded by signed Microsoft hosts (e.g., dotnet.exe, msiexec.exe) during business automation. Allowlist on the loader and DLL pair (ideally with the DLL hash), not on the loader alone, since the same hosts are the ones an adversary would abuse.
- Software packaging tools (NSIS, Inno Setup) whose signed installer wrappers extract and load unsigned payload DLLs from Temp during legitimate installation sequences. The query's exclusion of loaders running from Temp, AppData and ProgramData already suppresses most of this; if you relax that exclusion, tune by installer hash or signer instead.
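The detection logic described above and the tuning advice in this section, as an added example that is not part of the page and not CrowdStrike's tooling: a Python model of the query that can be run offline against constructed sample events. The field names are the ones the query uses; the hosts, paths, process IDs, the `(loader, DLL)` allowlist and the `exclude_writable_loaders` switch are assumptions made for the example. It joins on aid as well as process ID, applies an allowlist of loader/DLL pairs, and lets you toggle the loader-path exclusion so the Test 1 staging pattern (signed binary and DLL both in TEMP) can be seen to be missed with the exclusion on and caught with it off.

```python
"""Offline model of the LogScale query above: added example, not the page's query or CrowdStrike
code. It re-implements the join, path filters, signature checks and severity rule in Python so
they can be tested without a Falcon tenant. Field names follow the query; all values are made up."""
import ntpath
import re

SUSPICIOUS_DLL_PATH = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
EXCLUDED_LOADER_PATH = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.I)  # the subquery's "not" clause
TARGETED_VENDORS = re.compile(r"symantec|norton|vmware|logmein|teamviewer|anydesk|cisco|adobe|microsoft", re.I)


def is_unsigned(image_signed):
    """Equivalent of in(field=ImageSigned, values=["0", "false", "FALSE"])."""
    return str(image_signed).lower() in {"0", "false"}


def detect(module_loads, process_rollups, exclude_writable_loaders=True, allowlist=frozenset()):
    """Join module-load records to process records on (aid, process id) and score the matches.

    Falcon process ids are only unique per sensor, so the key includes aid. `allowlist` holds
    lower-cased (loader basename, dll basename) pairs for combinations confirmed benign in tuning.
    """
    loaders = {}
    for process in process_rollups:
        level = process.get("ProcessSignatureLevel")
        if level is None or level == "0":  # ProcessSignatureLevel must exist and be non-zero
            continue
        if exclude_writable_loaders and EXCLUDED_LOADER_PATH.search(process["ImageFileName"]):
            continue
        loaders[(process["aid"], process["TargetProcessId"])] = process

    alerts = []
    for mod in module_loads:
        if not SUSPICIOUS_DLL_PATH.search(mod["ImageFileName"]) or not is_unsigned(mod.get("ImageSigned", "0")):
            continue
        loader = loaders.get((mod["aid"], mod["ContextProcessId"]))
        if loader is None:  # inner join: unmatched module loads are dropped
            continue
        pair = (ntpath.basename(loader["ImageFileName"]).lower(), ntpath.basename(mod["ImageFileName"]).lower())
        if pair in allowlist:
            continue
        # The query scores on the loader's path, not its signer: a relocated vendor binary gets MEDIUM.
        severity = "HIGH" if TARGETED_VENDORS.search(loader["ImageFileName"]) else "MEDIUM"
        alerts.append({"ComputerName": mod["ComputerName"], "ImageFileName": mod["ImageFileName"],
                       "LoaderImageFileName": loader["ImageFileName"],
                       "LoaderCommandLine": loader["CommandLine"], "severity": severity})
    return alerts


def make_proc(aid, pid, host, image, level, cmd):
    """ProcessRollup2-shaped record (only the fields the query touches)."""
    return {"aid": aid, "TargetProcessId": pid, "ComputerName": host, "ImageFileName": image,
            "ProcessSignatureLevel": level, "CommandLine": cmd}


def make_load(aid, pid, host, image, signed):
    """ClassifiedModuleLoad-shaped record (only the fields the query touches)."""
    return {"aid": aid, "ContextProcessId": pid, "ComputerName": host, "ImageFileName": image, "ImageSigned": signed}


# Constructed sample telemetry; every host, path and process id is invented for the example.
PROCESS_ROLLUP2 = [
    # Signed VMware binary staged under Users\Public next to its DLL: the classic side-load layout.
    make_proc("a1", "1001", "WS01", r"C:\Users\Public\Libraries\VMware Tools\vmtoolsd.exe", "3", "vmtoolsd.exe -n vmusr"),
    # Signed csc.exe copied into TEMP next to its DLL: the layout Test 1 below exercises.
    make_proc("a1", "1002", "WS01", r"C:\Users\bob\AppData\Local\Temp\build\csc.exe", "3", "csc.exe /nologo build.cs"),
    # Signed Microsoft runtime host running an unsigned in-house DLL (False Positives, item 2).
    make_proc("a1", "1003", "WS01", r"C:\Program Files\dotnet\dotnet.exe", "3", "dotnet.exe ContosoTasks.dll"),
    # Same process id as the first record, but on another sensor and unsigned.
    make_proc("b2", "1001", "WS02", r"C:\Users\alice\Downloads\tool.exe", "0", "tool.exe"),
]
CLASSIFIED_MODULE_LOAD = [
    make_load("a1", "1001", "WS01", r"C:\Users\Public\Libraries\VMware Tools\helper.dll", "0"),
    make_load("a1", "1002", "WS01", r"C:\Users\bob\AppData\Local\Temp\build\clrjit.dll", "false"),
    make_load("a1", "1003", "WS01", r"C:\ProgramData\Contoso\Automation\ContosoTasks.dll", "0"),
    # Signed DLL from a writable path: dropped by the signature check.
    make_load("a1", "1001", "WS01", r"C:\Users\Public\Libraries\VMware Tools\vmtools.dll", "1"),
    # Unsigned DLL on WS02 whose process id collides with WS01's vmtoolsd.exe; without aid in
    # the join key it would be paired with the VMware loader and raised as HIGH.
    make_load("b2", "1001", "WS02", r"C:\Users\alice\Downloads\tool.dll", "0"),
]


def severities(**options):
    """Map loader basename -> severity for the sample data under the given detect() options."""
    return {ntpath.basename(a["LoaderImageFileName"]).lower(): a["severity"]
            for a in detect(CLASSIFIED_MODULE_LOAD, PROCESS_ROLLUP2, **options)}


if __name__ == "__main__":
    print("as written:          ", severities())
    print("dotnet pair allowed: ", severities(allowlist={("dotnet.exe", "contosotasks.dll")}))
    print("Temp loaders allowed:", severities(exclude_writable_loaders=False))
```

Run as written, the model raises the staged vmtoolsd.exe as HIGH and the dotnet.exe automation as MEDIUM, and silently misses the csc.exe/clrjit.dll pair in TEMP; adding the dotnet/ContosoTasks pair to the allowlist removes the false positive, and turning the loader-path exclusion off surfaces the TEMP pair at MEDIUM (the vendor regex never sees "microsoft" in that path). The WS02 load with the colliding process ID produces nothing because the join key carries aid.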
Testing Methodology
Validate this detection against three test cases based on Atomic Red Team T1574.002. Each test below lists the behaviour to exercise and the telemetry you should expect to see. The expected signals are described in terms of Sysmon and Microsoft Defender (DeviceFileEvents) telemetry; in Falcon, the module-load and process-creation signals correspond to the ClassifiedModuleLoad and ProcessRollup2 events the query consumes. Executable commands and cleanup steps are available with Pro.
- Test 1: DLL Side-Loading via Renamed Legitimate Binary
Expected signal: Sysmon Event ID 11 (FileCreate): both csc.exe and clrjit.dll created in the same TEMP subdirectory within a short timeframe. Sysmon Event ID 7 (ImageLoad): if csc.exe is executed, clrjit.dll is loaded from the local directory first. DeviceFileEvents shows EXE and DLL creation in the same writable path.
- Test 2: Abusing VMware Binary for Side-Loading (Simulation)
Expected signal: Sysmon Event ID 11 (FileCreate): DLL created in a user-writable TEMP location. DeviceFileEvents captures the file creation event with the SHA256 hash of the dummy DLL.
- Test 3: PowerShell Verification of DLL Search Order
Expected signal: Sysmon Event ID 1 (ProcessCreate): powershell.exe spawned with a command enumerating the PATH environment variable. PowerShell ScriptBlock Logging Event ID 4104 records the full script. No DLL loading events are generated.
References (5)
- https://attack.mitre.org/techniques/T1574/002/
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
- https://unit42.paloaltonetworks.com/dll-hijacking-techniques/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md
- https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/