Dll-Side-Loading

This rule detects potential DLL side-loading attempts by identifying instances of Windows trusted programs (WinWord.exe, EXPLORER.EXE, w3wp.exe, DISM.EXE) being started after being renamed or from a non-standard path, which is a common technique to evade defenses by side-loading a malicious DLL into the memory space of a trusted process.

The loading of an untrusted DLL by the Azure AD Connect Authentication Agent, potentially indicating credential access attempts via the Pass-through Authentication service, is detected by this rule.