Potential System DLL Sideloading From Non System Locations
This brief describes a common defense evasion technique where malicious actors bypass security controls by loading legitimate system DLLs from non-standard directories, enabling arbitrary code execution within trusted processes.
DLL sideloading is a pervasive defense evasion and execution technique utilized by malicious actors to achieve arbitrary code execution within the context of legitimate applications. This method involves placing a specially crafted or legitimate-but-misplaced DLL file in a directory that a trusted application searches before locating its intended system library. When the application launches, it inadvertently loads the attacker-controlled DLL, leading to the execution of malicious code. This technique can be employed for various purposes, including persistence, privilege escalation, and bypassing security mechanisms that trust the legitimate application. Prominent malware families such as QakBot and Dridex have been observed leveraging DLL sideloading, often utilizing common system DLLs like WindowsCodecs.dll or iphlpapi.dll. The detection rule provided herein specifically targets instances where typical Windows system DLLs, usually found in directories such as System32 or SysWOW64, are loaded from unusual or user-controlled locations, indicating potential compromise.
Impact
The successful exploitation of DLL sideloading can result in significant operational disruption and data compromise. By injecting malicious code into legitimate processes, attackers can achieve elevated privileges, establish persistent access to systems, and evade detection by security software. This provides a versatile vector for further stages of an attack, such as data exfiltration, deployment of additional malware, or complete system takeover. The consequences range from compromised individual workstations to severe network-wide breaches, depending on the initial access vector and the targeted system's role within the organization. Early detection and mitigation of DLL sideloading are critical to prevent attackers from escalating privileges or achieving their final objectives.
Recommendation
- Deploy the Sigma rule "Potential System DLL Sideloading From Non System Locations" to your Security Information and Event Management (SIEM) system and tune it for your specific environment.
- Ensure that
image_loadlogging for Windows endpoints is fully enabled to provide the necessary telemetry for the rule described in this brief. - Regularly review
image_loadevents for the specific DLLs listed in the Sigma rule that are loaded from non-standard paths, prioritizing investigation of alerts originating from critical infrastructure.
Detection coverage 1
Potential System DLL Sideloading From Non System Locations
mediumDetects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.) when loaded from non-standard paths.
Detection queries are available on the platform. Get full rules →