Execution via Local SxS Shared Module
This rule detects the creation, modification, or deletion of DLL files within Windows SxS local folders, which could indicate an attempt to execute malicious payloads by abusing shared module loading.
This detection identifies potential abuse of the Windows Side-by-Side (SxS) feature to execute malicious code. Attackers can place a malicious DLL file within an application’s local SxS folder (application.exe.local) and trick the Windows module loader into prioritizing it over legitimate system DLLs. This technique, known as DLL hijacking or DLL redirection, allows adversaries to gain arbitrary code execution within the context of the targeted application. This technique may be used to bypass security controls, escalate privileges, or establish persistence. The detection focuses on file events related to DLLs within these specific SxS folders.
Attack Chain
- The attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).
- The attacker identifies a legitimate application with an associated SxS folder (application.exe.local).
- The attacker creates or modifies a malicious DLL file.
- The attacker places the malicious DLL file in the application’s SxS folder (application.exe.local).
- A legitimate application attempts to load a DLL.
- Due to the presence of the malicious DLL in the SxS folder, the Windows module loader prioritizes the attacker’s DLL.
- The malicious DLL is loaded and executed by the application.
- The attacker achieves code execution within the context of the application.
Impact
Successful exploitation can lead to arbitrary code execution within the targeted application’s context. This can result in privilege escalation, data theft, system compromise, or the establishment of persistence mechanisms. While the number of directly affected organizations is unknown, this technique can be used against a wide range of applications on Windows systems.
Recommendation
- Monitor file creation events for DLL files matching C:\*\*.exe.local\*.dll and \\Device\\HarddiskVolume*\\*\\*.exe.local\\*.dll using the provided Sigma rule to detect potential malicious DLL planting.
- Enable Sysmon Event ID 11 (File Create) to improve visibility into file creation events, as noted in the setup instructions.
- Investigate any alerts generated by the Sigma rule to determine the legitimacy of the DLL creation event and the involved application.
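The three recommendation steps above amount to one pipeline: collect Sysmon Event ID 11 (FileCreate) records, match the TargetFilename against the two path patterns, and hand the analyst the writing process alongside the path. The script below is an added example that implements that matching logic in Python; it is not the vendor's Sigma rule and not code from the original page. It translates the page's two Sigma-style wildcard patterns into regular expressions (a '*' in Sigma spans any characters, including backslashes) and runs them over a handful of constructed Sysmon-shaped events. The field names EventID, UtcTime, Image and TargetFilename are the real Sysmon Event ID 11 fields; the event values, process paths and rule title used for the alert are assumptions made up for the example.

```python
"""Detection logic for DLL planting in Windows local SxS (*.exe.local) folders.

Added example: applies the page's two path patterns to Sysmon Event ID 11
(FileCreate) records. This is illustrative code, not the vendor's Sigma rule.
"""
import re
from typing import Dict, Iterable, List

# Sysmon Event ID 11 = FileCreate, the event the page recommends enabling.
SYSMON_FILE_CREATE = 11

# The two path patterns from the page's recommendation, in Sigma wildcard
# syntax. Raw strings keep every backslash as a literal path separator.
LOCAL_SXS_DLL_PATTERNS = [
    r"C:\*\*.exe.local\*.dll",
    r"\Device\HarddiskVolume*\*\*.exe.local\*.dll",
]


def sigma_wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Sigma-style wildcard into an anchored, case-insensitive regex.

    '*' becomes '.*' so it spans backslashes, which is what lets the pattern
    reach an *.exe.local folder at any depth. Every other character is escaped
    so the dots and backslashes in the pattern stay literal.
    """
    escaped_chunks = [re.escape(chunk) for chunk in pattern.split("*")]
    return re.compile("^" + ".*".join(escaped_chunks) + "$", re.IGNORECASE)


COMPILED_PATTERNS = [sigma_wildcard_to_regex(p) for p in LOCAL_SXS_DLL_PATTERNS]


def matches_local_sxs_dll(target_filename: str) -> bool:
    """True when the path is a DLL inside an *.exe.local folder under either pattern."""
    return any(rx.match(target_filename) for rx in COMPILED_PATTERNS)


def detect_local_sxs_dll(events: Iterable[Dict]) -> List[Dict]:
    """Return one alert per Sysmon FileCreate event whose TargetFilename matches.

    The alert keeps the creating process (Image) so the investigation step can
    distinguish a vendor installer writing the file from an unexpected process.
    """
    alerts = []
    for event in events:
        if event.get("EventID") != SYSMON_FILE_CREATE:
            continue  # only FileCreate records are in scope for this rule
        target = event.get("TargetFilename", "")
        if matches_local_sxs_dll(target):
            alerts.append({
                "rule": "Detect DLL Creation in Local SxS Folders",
                "level": "medium",
                "UtcTime": event.get("UtcTime"),
                "Image": event.get("Image"),
                "TargetFilename": target,
            })
    return alerts


# Constructed sample events (not real telemetry): the subset of Sysmon
# Event ID 11 fields needed to exercise the matching logic.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2024-01-01 10:00:00.000",
     "Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetFilename": r"C:\Program Files\Vendor\app.exe.local\version.dll"},
    {"EventID": 11, "UtcTime": "2024-01-01 10:00:01.000",
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"\Device\HarddiskVolume3\Program Files\Vendor\app.exe.local\comctl32.dll"},
    {"EventID": 11, "UtcTime": "2024-01-01 10:00:02.000",
     "Image": r"C:\Program Files\Vendor\app.exe",
     "TargetFilename": r"C:\Program Files\Vendor\app.exe.local\settings.xml"},  # not a DLL
    {"EventID": 11, "UtcTime": "2024-01-01 10:00:03.000",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\System32\version.dll"},  # not inside an *.exe.local folder
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:04.000",
     "Image": r"C:\Tools\tool.exe",
     "TargetFilename": r"C:\Tools\tool.exe.local\msvcrt.dll"},  # wrong event ID, ignored
    {"EventID": 11, "UtcTime": "2024-01-01 10:00:05.000",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\APPS\TOOL.EXE.LOCAL\MSVCRT.DLL"},  # case differs, still matches
]


if __name__ == "__main__":
    for alert in detect_local_sxs_dll(SAMPLE_EVENTS):
        print(f"[{alert['level']}] {alert['rule']}: "
              f"{alert['Image']} wrote {alert['TargetFilename']}")
```

Two things the sample set makes visible: matching must be case-insensitive, because NTFS paths are, and the first pattern as written on the page only covers drive C:, so a DLL planted under an *.exe.local folder on another drive letter would be missed unless the rule is widened. Enriching the alert with Image is what makes the investigation step tractable, since the same file event from a signed installer and from a script interpreter deserve very different triage.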
Detection coverage (2 rules)
Detect DLL Creation in Local SxS Folders
Level: medium. Detects the creation of DLL files in application-specific local directories, which is often associated with DLL hijacking techniques.
Detect Modification of DLL in Local SxS Folders
Level: medium. Detects the modification of existing DLL files in application-specific local directories.