T1574.002 Sumo Logic CSE · Sumo

Detect DLL Side-Loading in Sumo Logic CSE

Adversaries execute malicious payloads by placing a malicious DLL alongside a legitimate, often digitally-signed, application and then invoking that application. Unlike passive DLL search order hijacking (which waits for a victim to run an application), DLL side-loading is active: the adversary both plants the DLL and triggers the legitimate executable. This allows malicious code to run under the cover of a trusted process signature. Common victim executables include security tools, game clients, and enterprise software (e.g., VMware, Symantec, LogMeIn). Widely used by APT groups including MuddyWater, Mustang Panda/TONESHELL, Cobalt Strike operators, and numerous others.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation Defense Evasion
Canonical reference
https://attack.mitre.org/techniques/T1574/002/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
(_sourceCategory="*windows*" OR _sourceCategory="*sysmon*" OR _sourceCategory="WinEvents/Sysmon")
| where EventID = "7"
| parse field=Message "Image: *\n" as loading_process nodrop
| parse field=Message "ImageLoaded: *\n" as dll_path nodrop
| parse field=Message "Signed: *\n" as signed nodrop
| parse field=Message "SignatureStatus: *\n" as signature_status nodrop
| parse field=Message "Hashes: *\n" as hashes nodrop
| parse field=Message "User: *\n" as user nodrop
| where (signed = "false" or isnull(signed) or signature_status != "Valid")
| where (
    dll_path matches "*\\AppData\\*"
    OR dll_path matches "*\\Temp\\*"
    OR dll_path matches "*\\ProgramData\\*"
    OR dll_path matches "*\\Users\\Public\\*"
    OR dll_path matches "*\\Downloads\\*"
  )
| eval loading_process_lower = toLowerCase(loading_process)
| eval severity = if(
    loading_process_lower matches "*(symantec|norton|vmware|logmein|teamviewer|anydesk|cisco|adobe|microsoft)*",
    "HIGH", "MEDIUM"
  )
| count as load_count by _sourceHost, user, loading_process, dll_path, signed, hashes, severity
| sort by load_count desc
high severity medium confidence

Detects DLL side-loading by analyzing Sysmon Event ID 7 (Image Loaded) events ingested into Sumo Logic. Parses message fields to identify unsigned DLLs loaded from suspicious writable paths by trusted vendor processes, with severity escalation for known side-loading targets.

Data Sources

Sysmon operational logs via Sumo Logic Windows agentWindows Event Log collector for Sysmon/Operational channel

Required Tables

Sysmon Event ID 7 (ImageLoaded) logs

False Positives & Tuning

  • Trusted enterprise applications like Oracle JRE or SAP that extract and load unsigned JNI/helper DLLs into user-specific AppData directories as part of normal startup.
  • Game clients (Steam, Epic Games Launcher) that load unsigned DLLs from local AppData paths during game updates or anti-cheat initialization.
  • Custom in-house enterprise applications built without code signing that are loaded alongside signed Microsoft or third-party runtime hosts.
Download portable Sigma rule (.yml)

Other platforms for T1574.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1DLL Side-Loading via Renamed Legitimate Binary

    Expected signal: Sysmon Event ID 11 (FileCreate): Both csc.exe and clrjit.dll created in same TEMP subdirectory within short timeframe. Sysmon Event ID 7 (ImageLoad): if csc.exe is executed, clrjit.dll would be loaded from the local directory first. DeviceFileEvents shows EXE+DLL creation in same writable path.

  2. Test 2Abusing VMware Binary for Side-Loading (Simulation)

    Expected signal: Sysmon Event ID 11 (FileCreate): DLL created in user-writable TEMP location. DeviceFileEvents captures file creation event with SHA256 hash of the dummy DLL.

  3. Test 3PowerShell Verification of DLL Search Order

    Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe spawned with command enumerating PATH environment variable. PowerShell ScriptBlock Logging Event ID 4104 records the full script. No DLL loading events generated.

Last updated: 2026-04-21 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1574.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1574Hijack Execution Flow

Related Sub-techniques

T1574.001DLLT1574.004Dylib HijackingT1574.005Executable Installer File Permissions WeaknessT1574.006Dynamic Linker HijackingT1574.007Path Interception by PATH Environment VariableT1574.008Path Interception by Search Order HijackingT1574.009Path Interception by Unquoted PathT1574.010Services File Permissions WeaknessT1574.011Services Registry Permissions WeaknessT1574.012COR_PROFILERT1574.013KernelCallbackTableT1574.014AppDomainManager

Related Techniques

T1574.001DLLT1036.005Match Legitimate Resource Name or LocationT1055Process InjectionT1105Ingress Tool TransferT1566PhishingT1204.002Malicious FileT1070.006Timestomp

Same Tactic: Persistence

Popular Detections