Hijack Execution Flow: DLL T1574.001

Tactics: Stealth, Execution

Adversaries may abuse dynamic-link library files (DLLs) to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries of code and data that several programs can use at the same time. DLLs are not malicious by nature, but the way a process locates and loads them can be abused through side-loading, search order hijacking, and phantom DLL hijacking (planting a DLL with a name the program looks for but that does not normally exist).

Events covered

16 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 123 rules under this technique (listed by vendor at the bottom of this page): which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (47 distinct)

The fields most rules look at when detecting this technique. The How column shows which operators rule authors apply to the field (eq, ne, in, starts_with, ends_with, contains, wildcard, le, lt, is_null, is_not_null, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| ImageLoaded | 71 | ends_with 57, starts_with 34, contains 17, eq 7, in 5, wildcard 3 | *:\\windows\\system32\\*, *:\\windows\\syswow64\\*, c:\program files (x86)\, c:\program files (x86)\windows kits\, :\program files (x86)\windows kits\10\bin\ |
| Image | 56 | ends_with 42, starts_with 15, contains 11, eq 10, in 1, is_null 1, wildcard 1 | \cmd.exe, \cscript.exe, \gup.exe, \mpcmdrun.exe, \nissrv.exe |
| Signed | 15 | eq 15 | true, false |
| EventID | 11 | eq 11 | 7, 4688 |
| SignatureStatus | 11 | eq 8, ne 3 | Valid, Expired, Unavailable, unavailable, valid |
| TargetFilename | 11 | ends_with 5, contains 2, starts_with 2, wildcard 2, eq 1, in 1, is_not_null 1 | .dll, *\\programdata\\*, *\\users\\*, *\\windows\temp\\*, .bat |
| process_name | 10 | eq 8, in 1, ne 1 | explorer.exe, azureadconnectauthenticationagentservice.exe, bash.exe, cmd.exe, cscript.exe |
| CommandLine | 9 | contains 7, ends_with 3 | c:\windows\system32\tasks\, c:\windows\syswow64\tasks\, -encodedcommand, -k, -x:0 |
| OriginalFileName | 8 | eq 8 | -, cmd.exe, cscript.exe, deviceenroller.exe, dism.exe |
| event.type | 5 | eq 4, ne 1 | start, change, creation, deletion |
| EventType | 4 | starts_with 2, eq 1, ne 1 | Image loaded, A process changed a file creation time, load |
| ParentImage | 4 | ends_with 4, contains 2, starts_with 1 | \appdata\roaming\, \hpqhvind.exe, \keyscrambler.exe, \sllauncher.exe, \test.exe |
| dll.Ext.relative_file_creation_time | 4 | le 3, lt 1 | 500, 3600, 86400 |
| Description | 3 | eq 2, ends_with 1 | C Runtime Library, OpenJDK Platform binary, Python |
| Signature | 3 | eq 3 | Microsoft Windows, Nextron Systems GmbH, QFX Software Corporation |

Top indicator values (3819 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own (an Image ending in \powershell.exe or \cmd.exe, for instance); combine them with another condition, such as an unsigned or recently created DLL loaded from a user-writable path, for useful signal. Blank means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| EventID | eq | 7 | 10 | 39 |
| ImageLoaded | starts_with | c:\windows\winsxs\ | 9 | |
| ImageLoaded | starts_with | c:\windows\system32\ | 8 | |
| ImageLoaded | starts_with | c:\windows\syswow64\ | 8 | |
| ImageLoaded | starts_with | c:\program files (x86)\ | 7 | |
| ImageLoaded | starts_with | c:\program files\ | 7 | |
| ImageLoaded | starts_with | c:\program files (x86)\windows kits\ | 3 | |
| Signed | eq | true | 9 | |
| Signed | eq | false | 6 | 9 |
| SignatureStatus | eq | Valid | 4 | |
| Image | ends_with | \powershell.exe | 3 | 182 |
| Image | ends_with | \pwsh.exe | 3 | 168 |
| Image | ends_with | \cmd.exe | 2 | 130 |
| Image | ends_with | \cscript.exe | 2 | 73 |
| Image | ends_with | \gup.exe | 2 | 5 |
| Image | ends_with | \mpcmdrun.exe | 2 | 4 |
| Image | ends_with | \mshta.exe | 2 | 67 |
| Image | ends_with | \nissrv.exe | 2 | 2 |
| Image | ends_with | \oleview.exe | 2 | 2 |
| Image | ends_with | \vmmap.exe | 2 | 3 |
| Image | ends_with | \vmmap64.exe | 2 | 3 |
| Image | ends_with | \vmwarexferlogs.exe | 2 | 2 |
| Image | ends_with | \winword.exe | 2 | 20 |
| Image | starts_with | c:\windows\winsxs\ | 3 | |
| ImageLoaded | in | *:\\windows\\system32\\* | 3 | 3 |
| ImageLoaded | in | *:\\windows\\syswow64\\* | 3 | 3 |
| SignatureStatus | ne | Valid | 3 | 4 |
| dll.Ext.relative_file_name_modify_time | le | 500 | 3 | 4 |
| EventType | starts_with | Image loaded | 2 | 10 |
| Image | contains | \windows resource kit\ | 2 | |

Exclusions (465 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out: loads from the Windows side-by-side store, the system directories and Program Files, and DLLs carrying a valid signature. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
|---|---|---|---|
| ImageLoaded | starts_with | c:\windows\winsxs\ | 9 |
| ImageLoaded | starts_with | c:\windows\system32\ | 8 |
| ImageLoaded | starts_with | c:\windows\syswow64\ | 8 |
| ImageLoaded | starts_with | c:\program files (x86)\ | 7 |
| ImageLoaded | starts_with | c:\program files\ | 7 |
| ImageLoaded | starts_with | c:\program files (x86)\windows kits\ | 3 |
| Signed | eq | true | 8 |
| SignatureStatus | eq | Valid | 4 |
| Image | starts_with | c:\windows\winsxs\ | 3 |
| Image | starts_with | c:\program files (x86)\ccleaner\ | 2 |
| dll.code_signature.status | wildcard | errorCode_endpoint* | 3 |
| Image | contains | \windows resource kit\ | 2 |
| Image | ends_with | \wuaucltcore.exe | 2 |
| Image | in | *:\\windows\\system32\\* | 2 |
| Image | in | *:\\windows\\syswow64\\* | 2 |

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.


Sigma 92 rules

Elastic 13 rules

Splunk 16 rules

Kusto 2 rules