T1574.002 Microsoft Sentinel · KQL

Detect DLL Side-Loading in Microsoft Sentinel

Adversaries execute malicious payloads by placing a malicious DLL alongside a legitimate, often digitally-signed, application and then invoking that application. Unlike passive DLL search order hijacking (which waits for a victim to run an application), DLL side-loading is active: the adversary both plants the DLL and triggers the legitimate executable. This allows malicious code to run under the cover of a trusted process signature. Common victim executables include security tools, game clients, and enterprise software (e.g., VMware, Symantec, LogMeIn). Widely used by APT groups including MuddyWater, Mustang Panda/TONESHELL, Cobalt Strike operators, and numerous others.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation Defense Evasion
Canonical reference
https://attack.mitre.org/techniques/T1574/002/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SuspiciousLocations = dynamic([
  "\\AppData\\", "\\Temp\\", "\\ProgramData\\",
  "\\Users\\Public\\", "\\Downloads\\"
]);
DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where Signed == false or SignatureState != "SignedValid"
| where FolderPath has_any (SuspiciousLocations)
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where ProcessVersionInfoCompanyName != "" 
    | where not(FolderPath has_any ("\\AppData\\", "\\Temp\\", "\\ProgramData\\"))
    | project DeviceId, ProcessId, FileName, FolderPath, ProcessVersionInfoCompanyName, ProcessVersionInfoProductName
) on DeviceId, $left.InitiatingProcessId == $right.ProcessId
| project Timestamp, DeviceName, AccountName,
         LoadedDLL=FileName, DLLPath=FolderPath, SHA256,
         LoadingProcess=FileName1, LoadingProcessPath=FolderPath1,
         Vendor=ProcessVersionInfoCompanyName1
| sort by Timestamp desc
high severity high confidence

Detects DLL side-loading by identifying unsigned or invalidly-signed DLLs loaded from user-writable paths by legitimate vendor-branded processes. The key indicator is a mismatch: a process with a legitimate company name (from PE version info) loading an unsigned or untrusted DLL from a suspicious path. This pattern is characteristic of side-loading where the threat actor copies a legitimate vendor binary to a staging directory alongside a malicious DLL.

Data Sources

Module: Module LoadProcess: Process CreationMicrosoft Defender for Endpoint

Required Tables

DeviceImageLoadEventsDeviceProcessEvents

False Positives & Tuning

  • Electron-based applications (Teams, Slack, VS Code) that bundle their own unsigned DLLs in AppData
  • Game launchers that use custom DLLs loaded from game installation directories in Program Files
  • Development environments that load debug DLLs from build output directories
  • Some enterprise software installers that extract and load DLLs from TEMP during installation
Download portable Sigma rule (.yml)

Other platforms for T1574.002

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1DLL Side-Loading via Renamed Legitimate Binary

    Expected signal: Sysmon Event ID 11 (FileCreate): Both csc.exe and clrjit.dll created in same TEMP subdirectory within short timeframe. Sysmon Event ID 7 (ImageLoad): if csc.exe is executed, clrjit.dll would be loaded from the local directory first. DeviceFileEvents shows EXE+DLL creation in same writable path.

  2. Test 2Abusing VMware Binary for Side-Loading (Simulation)

    Expected signal: Sysmon Event ID 11 (FileCreate): DLL created in user-writable TEMP location. DeviceFileEvents captures file creation event with SHA256 hash of the dummy DLL.

  3. Test 3PowerShell Verification of DLL Search Order

    Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe spawned with command enumerating PATH environment variable. PowerShell ScriptBlock Logging Event ID 4104 records the full script. No DLL loading events generated.

Last updated: 2026-04-21 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1574.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1574Hijack Execution Flow

Related Sub-techniques

T1574.001DLLT1574.004Dylib HijackingT1574.005Executable Installer File Permissions WeaknessT1574.006Dynamic Linker HijackingT1574.007Path Interception by PATH Environment VariableT1574.008Path Interception by Search Order HijackingT1574.009Path Interception by Unquoted PathT1574.010Services File Permissions WeaknessT1574.011Services Registry Permissions WeaknessT1574.012COR_PROFILERT1574.013KernelCallbackTableT1574.014AppDomainManager

Related Techniques

T1574.001DLLT1036.005Match Legitimate Resource Name or LocationT1055Process InjectionT1105Ingress Tool TransferT1566PhishingT1204.002Malicious FileT1070.006Timestomp

Same Tactic: Persistence

Popular Detections