Execution via local SxS Shared Module
Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/10/28"
3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
4maturity = "production"
5updated_date = "2025/08/26"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse
11shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local
12paths.
13"""
14from = "now-9m"
15index = [
16 "winlogbeat-*",
17 "logs-endpoint.events.file-*",
18 "logs-windows.sysmon_operational-*",
19 "endgame-*",
20 "logs-m365_defender.event-*",
21 "logs-sentinel_one_cloud_funnel.*",
22 "logs-crowdstrike.fdr*",
23]
24language = "eql"
25license = "Elastic License v2"
26name = "Execution via local SxS Shared Module"
27note = """## Triage and analysis
28
29The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.
30"""
31references = ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"]
32risk_score = 47
33rule_id = "a3ea12f3-0d4e-4667-8b44-4230c63f3c75"
34severity = "medium"
35tags = [
36 "Domain: Endpoint",
37 "OS: Windows",
38 "Use Case: Threat Detection",
39 "Tactic: Execution",
40 "Data Source: Elastic Endgame",
41 "Data Source: Elastic Defend",
42 "Data Source: Sysmon",
43 "Data Source: Microsoft Defender for Endpoint",
44 "Data Source: SentinelOne",
45 "Data Source: Crowdstrike",
46 "Resources: Investigation Guide",
47]
48timestamp_override = "event.ingested"
49type = "eql"
50
51query = '''
52file where host.os.type == "windows" and file.extension : "dll" and
53 file.path : (
54 "C:\\*\\*.exe.local\\*.dll",
55 /* Crowdstrike specific condition as it uses NT Object paths */
56 "\\Device\\HarddiskVolume*\\*\\*.exe.local\\*.dll"
57 )
58'''
59
60
61[[rule.threat]]
62framework = "MITRE ATT&CK"
63[[rule.threat.technique]]
64id = "T1129"
65name = "Shared Modules"
66reference = "https://attack.mitre.org/techniques/T1129/"
67
68
69[rule.threat.tactic]
70id = "TA0002"
71name = "Execution"
72reference = "https://attack.mitre.org/tactics/TA0002/"
Triage and analysis
The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.
References
Related rules
- Suspicious Windows Powershell Arguments
- Suspicious Execution from a WebDav Share
- Suspicious Execution with NodeJS
- Windows Script Execution from Archive
- Execution of COM object via Xwizard