Detect DLL Side-Loading in Splunk
Adversaries execute malicious payloads by placing a malicious DLL alongside a legitimate, often digitally-signed, application and then invoking that application. Unlike passive DLL search order hijacking (which waits for a victim to run an application), DLL side-loading is active: the adversary both plants the DLL and triggers the legitimate executable. This allows malicious code to run under the cover of a trusted process signature. Common victim executables include security tools, game clients, and enterprise software (e.g., VMware, Symantec, LogMeIn). Widely used by APT groups including MuddyWater, Mustang Panda/TONESHELL, Cobalt Strike operators, and numerous others.
MITRE ATT&CK
- Canonical reference
- https://attack.mitre.org/techniques/T1574/002/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7
| eval DLLPath=lower(ImageLoaded)
| eval LoaderPath=lower(Image)
| eval SuspiciousLoad=if(
(Signed="false" OR isnull(Signed)) AND
match(DLLPath, "(appdata|\\\\temp\\\\|programdata|users\\\\public)"),
1, 0)
| eval TrustedProcess=if(
match(LoaderPath, "(symantec|norton|vmware|logmein|teamviewer|anydesk|cisco|adobe|microsoft)"),
1, 0)
| where SuspiciousLoad=1
| eval Severity=if(TrustedProcess=1, "HIGH", "MEDIUM")
| table _time, host, User, Image, ImageLoaded, Signed, SignatureStatus, Hashes, Severity
| sort - _timeDetects DLL side-loading using Sysmon EventCode 7 (ImageLoad). Flags unsigned or untrusted DLLs loaded from suspicious user-writable directories. Elevates severity when the loading process matches known vendor software names commonly abused for side-loading (security vendors, remote access tools, collaboration software). These are prime targets because they often run with elevated privileges and are trusted by security products.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Electron-based applications bundling unsigned dependencies in AppData (Teams, Slack, Discord)
- Gaming clients loading custom DLLs from writable directories
- Developer tools loading unsigned debug/instrumentation DLLs
- Enterprise software that uses legitimate side-loading for plugin architectures
Other platforms for T1574.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1DLL Side-Loading via Renamed Legitimate Binary
Expected signal: Sysmon Event ID 11 (FileCreate): Both csc.exe and clrjit.dll created in same TEMP subdirectory within short timeframe. Sysmon Event ID 7 (ImageLoad): if csc.exe is executed, clrjit.dll would be loaded from the local directory first. DeviceFileEvents shows EXE+DLL creation in same writable path.
- Test 2Abusing VMware Binary for Side-Loading (Simulation)
Expected signal: Sysmon Event ID 11 (FileCreate): DLL created in user-writable TEMP location. DeviceFileEvents captures file creation event with SHA256 hash of the dummy DLL.
- Test 3PowerShell Verification of DLL Search Order
Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe spawned with command enumerating PATH environment variable. PowerShell ScriptBlock Logging Event ID 4104 records the full script. No DLL loading events generated.
References (5)
- https://attack.mitre.org/techniques/T1574/002/
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf
- https://unit42.paloaltonetworks.com/dll-hijacking-techniques/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md
- https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/
Unlock Pro Content
Get the full detection package for T1574.002 including response playbook, investigation guide, and atomic red team tests.