{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/explorer.exe/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["WinWord.exe","EXPLORER.EXE","w3wp.exe","DISM.EXE","Microsoft Defender XDR"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","dll-side-loading","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies instances of Windows trusted programs such as WinWord.exe, EXPLORER.EXE, w3wp.exe, and DISM.EXE executing from unusual paths or after being renamed, which may indicate DLL side-loading. DLL side-loading is a defense evasion technique where a malicious DLL is placed in the same directory as a legitimate executable. When the executable runs, it may load the malicious DLL instead of the legitimate one, allowing the attacker to execute arbitrary code within the context of the trusted process. The detection logic focuses on process executions that deviate from standard installation paths. The targeted processes are commonly used and often whitelisted, making this a potent technique for adversaries to bypass security controls.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., through phishing or exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a trusted Windows program vulnerable to DLL side-loading (WinWord.exe, EXPLORER.EXE, w3wp.exe, or DISM.EXE).\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious DLL into a directory where the trusted program is expected to load DLLs from, often alongside a renamed or copied version of the legitimate executable.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker renames the trusted program and places it in a non-standard path.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the renamed or moved trusted program from the non-standard path.\u003c/li\u003e\n\u003cli\u003eThe trusted program loads the malicious DLL due to DLL search order hijacking.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes arbitrary code within the context of the trusted process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence, elevates privileges, or performs other malicious activities, potentially evading detection due to the trusted process context.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful DLL side-loading attack allows the attacker to execute arbitrary code within the context of a trusted Microsoft process. This can lead to privilege escalation, persistence, and further compromise of the system. Since the malicious code is running within a trusted process, it can bypass application whitelisting and other security controls, making it difficult to detect. This can lead to data theft, system disruption, or the installation of malware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential DLL Side-Loading via Trusted Microsoft Programs\u0026rdquo; to your SIEM to detect suspicious executions of trusted programs from non-standard paths or with modifications.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to provide the necessary data for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eReview and tune the exclusion paths in the Sigma rule to avoid false positives from legitimate software updates, custom enterprise applications, or virtual environments.\u003c/li\u003e\n\u003cli\u003eMonitor process execution paths using the Sigma rule \u0026ldquo;Potential DLL Side-Loading via Trusted Microsoft Programs\u0026rdquo; and investigate any deviations from standard installation paths.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-dll-side-loading/","summary":"This rule detects potential DLL side-loading attempts by identifying instances of Windows trusted programs (WinWord.exe, EXPLORER.EXE, w3wp.exe, DISM.EXE) being started after being renamed or from a non-standard path, which is a common technique to evade defenses by side-loading a malicious DLL into the memory space of a trusted process.","title":"Potential DLL Side-Loading via Trusted Microsoft Programs","url":"https://feed.craftedsignal.io/briefs/2026-05-dll-side-loading/"}],"language":"en","title":"CraftedSignal Threat Feed — EXPLORER.EXE","version":"https://jsonfeed.org/version/1.1"}