title: DLL Side-Loading (T1574.002)
id: df00tech-t1574-002
status: experimental
description: "Adversaries execute malicious payloads by placing a malicious DLL alongside a legitimate, often digitally-signed, application and then invoking that application. Unlike passive DLL search order hijacking (which waits for a victim to run an application), DLL side-loading is active: the adversary both plants the DLL and triggers the legitimate executable. This allows malicious code to run under the cover of a trusted process signature. Common victim executables include security tools, game clients, and enterprise software (e.g., VMware, Symantec, LogMeIn). Widely used by APT groups including MuddyWater, Mustang Panda/TONESHELL, Cobalt Strike operators, and numerous others."
references:
  - https://attack.mitre.org/techniques/T1574/002/
  - https://df00tech.com/detections/T1574.002
author: df00tech
date: 2026/04/21
tags:
  - attack.persistence
  - attack.privilege-escalation
  - attack.defense-evasion
  - attack.t1574.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: image_load
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a generic baseline on Sysmon Event ID 7 (image load) fields,
  # not the df00tech query: an unsigned DLL loaded from a user-writable directory.
  # Process-creation telemetry alone cannot see which DLL a process loaded, which is why
  # the logsource is image_load. Tune the paths and the allowlist before relying on it.
  selection_unsigned_dll:
    ImageLoaded|endswith: '.dll'
    Signed: 'false'
  selection_writable_path:
    ImageLoaded|contains:
      - '\AppData\Local\'
      - '\AppData\Roaming\'
      - '\Users\Public\'
      - '\ProgramData\'
      - '\Temp\'
      - '\Downloads\'
  # Bundled-DLL applications from the falsepositives list; the paths are the usual
  # per-user install locations and should be extended from your own inventory.
  filter_bundled_apps:
    ImageLoaded|contains:
      - '\AppData\Local\Microsoft\Teams\'
      - '\AppData\Local\slack\'
      - '\AppData\Local\Programs\Microsoft VS Code\'
  condition: selection_unsigned_dll and selection_writable_path and not filter_bundled_apps
falsepositives:
  - "Electron-based applications (Teams, Slack, VS Code) that bundle their own unsigned DLLs in AppData"
  - Game launchers that use custom DLLs loaded from game installation directories in Program Files
  - Development environments that load debug DLLs from build output directories
  - Some enterprise software installers that extract and load DLLs from TEMP during installation
level: high
