https://feed.craftedsignal.io/tags/dll-side-loading/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 04 May 2026 14:17:05 +0000https://feed.craftedsignal.io/briefs/2026-05-dll-side-loading/Mon, 04 May 2026 14:17:05 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-dll-side-loading/This rule detects potential DLL side-loading attempts by identifying instances of Windows trusted programs (WinWord.exe, EXPLORER.EXE, w3wp.exe, DISM.EXE) being started after being renamed or from a non-standard path, which is a common technique to evade defenses by side-loading a malicious DLL into the memory space of a trusted process.This detection rule identifies instances of Windows trusted programs such as WinWord.exe, EXPLORER.EXE, w3wp.exe, and DISM.EXE executing from unusual paths or after being renamed, which may indicate DLL side-loading. DLL side-loading is a defense evasion technique where a malicious DLL is placed in the same directory as a legitimate executable. When the executable runs, it may load the malicious DLL instead of the legitimate one, allowing the attacker to execute arbitrary code within the context of the trusted process. The detection logic focuses on process executions that deviate from standard installation paths. The targeted processes are commonly used and often whitelisted, making this a potent technique for adversaries to bypass security controls.

Attack Chain

1. The attacker gains initial access to the system (e.g., through phishing or exploitation of a vulnerability).
2. The attacker identifies a trusted Windows program vulnerable to DLL side-loading (WinWord.exe, EXPLORER.EXE, w3wp.exe, or DISM.EXE).
3. The attacker drops a malicious DLL into a directory where the trusted program is expected to load DLLs from, often alongside a renamed or copied version of the legitimate executable.
4. Alternatively, the attacker renames the trusted program and places it in a non-standard path.
5. The attacker executes the renamed or moved trusted program from the non-standard path.
6. The trusted program loads the malicious DLL due to DLL search order hijacking.
7. The malicious DLL executes arbitrary code within the context of the trusted process.
8. The attacker achieves persistence, elevates privileges, or performs other malicious activities, potentially evading detection due to the trusted process context.

Impact

A successful DLL side-loading attack allows the attacker to execute arbitrary code within the context of a trusted Microsoft process. This can lead to privilege escalation, persistence, and further compromise of the system. Since the malicious code is running within a trusted process, it can bypass application whitelisting and other security controls, making it difficult to detect. This can lead to data theft, system disruption, or the installation of malware.

Recommendation

• Deploy the Sigma rule “Potential DLL Side-Loading via Trusted Microsoft Programs” to your SIEM to detect suspicious executions of trusted programs from non-standard paths or with modifications.
• Enable Sysmon process creation logging (Event ID 1) to provide the necessary data for the Sigma rule to function correctly.
• Review and tune the exclusion paths in the Sigma rule to avoid false positives from legitimate software updates, custom enterprise applications, or virtual environments.
• Monitor process execution paths using the Sigma rule “Potential DLL Side-Loading via Trusted Microsoft Programs” and investigate any deviations from standard installation paths.

]]>mediumadvisorydefense-evasionexecutiondll-side-loadingwindowshttps://feed.craftedsignal.io/briefs/2024-11-azureadconnect-dll-load/Sat, 02 Nov 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-11-azureadconnect-dll-load/The loading of an untrusted DLL by the Azure AD Connect Authentication Agent, potentially indicating credential access attempts via the Pass-through Authentication service, is detected by this rule.The Azure AD Connect Authentication Agent facilitates pass-through authentication (PTA) in hybrid environments. Attackers may attempt to load malicious DLLs into the AzureADConnectAuthenticationAgentService.exe process to intercept or persist credentials. This involves placing an untrusted DLL in a location where the service will load it, such as a directory with weak permissions or through DLL side-loading. Successful exploitation allows attackers to capture user credentials as they are processed by the PTA service, potentially leading to domain compromise. This activity specifically targets systems utilizing Azure AD Connect with PTA enabled. Defenders should monitor for unexpected DLL loads by the Azure AD Connect Authentication Agent to identify and prevent credential access attempts.

Attack Chain

1. An attacker gains initial access to a system hosting the Azure AD Connect Authentication Agent.
2. The attacker identifies a location where they can place a malicious DLL that the AzureADConnectAuthenticationAgentService.exe process will load, such as a directory with weak permissions or a location susceptible to DLL side-loading.
3. The attacker places a malicious DLL (e.g., evil.dll) into the identified location.
4. The AzureADConnectAuthenticationAgentService.exe process is started or restarted.
5. The AzureADConnectAuthenticationAgentService.exe process loads the malicious DLL (evil.dll).
6. The malicious DLL intercepts or captures credentials as they are processed by the PTA service.
7. The attacker exfiltrates the captured credentials.
8. The attacker uses the stolen credentials to gain unauthorized access to other systems or resources.

Impact

Successful exploitation allows attackers to intercept credentials handled by the Azure AD Connect Authentication Agent. This can lead to the compromise of user accounts and the ability to move laterally within the environment. Organizations using Azure AD Connect with Pass-through Authentication are at risk. The impact includes potential data breaches, unauthorized access to sensitive information, and domain compromise.

Recommendation

• Implement the Sigma rule Untrusted DLL Loaded by Azure AD Connect Authentication Agent to detect the loading of untrusted DLLs by the Azure AD Connect Authentication Agent service in your environment.
• Monitor process creation events for AzureADConnectAuthenticationAgentService.exe loading DLLs outside of the standard Microsoft directories, as defined in the Sigma rule.
• Enable Sysmon Event ID 7 (Image Loaded) logging to provide the necessary data for the Sigma rule to function effectively.
• Restrict write access to the Azure AD Connect Authentication Agent directories to prevent unauthorized DLL placement.
• Review administrative access to the PTA host to prevent unauthorized modifications.

]]>highadvisorycredential-accessdll-side-loadingazure-ad-connect