T1574.002 IBM QRadar · QRadar

Detect DLL Side-Loading in IBM QRadar

Adversaries execute malicious payloads by placing a malicious DLL alongside a legitimate, often digitally-signed, application and then invoking that application. Unlike passive DLL search order hijacking (which waits for a victim to run an application), DLL side-loading is active: the adversary both plants the DLL and triggers the legitimate executable. This allows malicious code to run under the cover of a trusted process signature. Common victim executables include security tools, game clients, and enterprise software (e.g., VMware, Symantec, LogMeIn). Widely used by APT groups including MuddyWater, Mustang Panda/TONESHELL, Cobalt Strike operators, and numerous others.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation Defense Evasion
Canonical reference
https://attack.mitre.org/techniques/T1574/002/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "sourceip",
  "username",
  "FileName" AS loaded_dll,
  "ImageLoaded" AS dll_path,
  "Image" AS loading_process,
  "Signed",
  "SignatureStatus",
  "Hashes",
  CASE
    WHEN LOWER("Image") ILIKE ANY ('%symantec%','%norton%','%vmware%','%logmein%','%teamviewer%','%anydesk%','%cisco%','%adobe%','%microsoft%')
    THEN 'HIGH'
    ELSE 'MEDIUM'
  END AS severity
FROM events
WHERE
  LOGSOURCETYPEID = 12 -- Windows
  AND QIDNAME(qid) ILIKE '%sysmon%'
  AND "EventID" = '7'
  AND ("Signed" = 'false' OR "Signed" IS NULL OR "SignatureStatus" != 'Valid')
  AND (
    LOWER("ImageLoaded") ILIKE '%\\appdata\\%'
    OR LOWER("ImageLoaded") ILIKE '%\\temp\\%'
    OR LOWER("ImageLoaded") ILIKE '%\\programdata\\%'
    OR LOWER("ImageLoaded") ILIKE '%\\users\\public\\%'
    OR LOWER("ImageLoaded") ILIKE '%\\downloads\\%'
  )
  AND LAST 24 HOURS
ORDER BY devicetime DESC
high severity medium confidence

Detects DLL side-loading activity using Sysmon Event ID 7 (ImageLoad) forwarded to QRadar. Identifies unsigned DLLs loaded from user-writable suspicious directories and elevates severity when the loading process matches known legitimate vendor executables that are commonly abused for side-loading.

Data Sources

Sysmon via Windows Event Forwarding to QRadarIBM QRadar SIEM Windows DSM

Required Tables

events

False Positives & Tuning

  • Enterprise software deployment tools (SCCM, Intune) that stage DLL updates in ProgramData or Temp before loading them with signed binaries during patch cycles.
  • Legitimate productivity software like Zoom, Slack, or Teams that loads unsigned plugin DLLs from AppData during updates or feature loading.
  • Antivirus or endpoint protection products conducting on-access scanning that load unsigned scanning engine components from ProgramData directories.
Download portable Sigma rule (.yml)

Other platforms for T1574.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1DLL Side-Loading via Renamed Legitimate Binary

    Expected signal: Sysmon Event ID 11 (FileCreate): Both csc.exe and clrjit.dll created in same TEMP subdirectory within short timeframe. Sysmon Event ID 7 (ImageLoad): if csc.exe is executed, clrjit.dll would be loaded from the local directory first. DeviceFileEvents shows EXE+DLL creation in same writable path.

  2. Test 2Abusing VMware Binary for Side-Loading (Simulation)

    Expected signal: Sysmon Event ID 11 (FileCreate): DLL created in user-writable TEMP location. DeviceFileEvents captures file creation event with SHA256 hash of the dummy DLL.

  3. Test 3PowerShell Verification of DLL Search Order

    Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe spawned with command enumerating PATH environment variable. PowerShell ScriptBlock Logging Event ID 4104 records the full script. No DLL loading events generated.

Last updated: 2026-04-21 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1574.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1574Hijack Execution Flow

Related Sub-techniques

T1574.001DLLT1574.004Dylib HijackingT1574.005Executable Installer File Permissions WeaknessT1574.006Dynamic Linker HijackingT1574.007Path Interception by PATH Environment VariableT1574.008Path Interception by Search Order HijackingT1574.009Path Interception by Unquoted PathT1574.010Services File Permissions WeaknessT1574.011Services Registry Permissions WeaknessT1574.012COR_PROFILERT1574.013KernelCallbackTableT1574.014AppDomainManager

Related Techniques

T1574.001DLLT1036.005Match Legitimate Resource Name or LocationT1055Process InjectionT1105Ingress Tool TransferT1566PhishingT1204.002Malicious FileT1070.006Timestomp

Same Tactic: Persistence

Popular Detections