Execution via local SxS Shared Module

calendar Mar 26, 2025 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Execution Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: Sysmon Data Source: Microsoft Defender for Endpoint Data Source: SentinelOne Resources: Investigation Guide  ·
Share on: linkedin copy

Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/10/28"
 3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 4maturity = "production"
 5updated_date = "2025/03/20"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse
11shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local
12paths.
13"""
14from = "now-9m"
15index = [
16    "winlogbeat-*",
17    "logs-endpoint.events.file-*",
18    "logs-windows.sysmon_operational-*",
19    "endgame-*",
20    "logs-m365_defender.event-*",
21    "logs-sentinel_one_cloud_funnel.*",
22]
23language = "eql"
24license = "Elastic License v2"
25name = "Execution via local SxS Shared Module"
26note = """## Triage and analysis
27
28The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.
29"""
30references = ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"]
31risk_score = 47
32rule_id = "a3ea12f3-0d4e-4667-8b44-4230c63f3c75"
33severity = "medium"
34tags = [
35    "Domain: Endpoint",
36    "OS: Windows",
37    "Use Case: Threat Detection",
38    "Tactic: Execution",
39    "Data Source: Elastic Endgame",
40    "Data Source: Elastic Defend",
41    "Data Source: Sysmon",
42    "Data Source: Microsoft Defender for Endpoint",
43    "Data Source: SentinelOne",
44    "Resources: Investigation Guide",
45]
46timestamp_override = "event.ingested"
47type = "eql"
48
49query = '''
50file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll"
51'''
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1129"
58name = "Shared Modules"
59reference = "https://attack.mitre.org/techniques/T1129/"
60
61
62[rule.threat.tactic]
63id = "TA0002"
64name = "Execution"
65reference = "https://attack.mitre.org/tactics/TA0002/"
...
toml

The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.

References

  • Dynamic-link library redirection - Win32 apps

    If your application depends on a specific version of a shared DLL, and another application is installed with a newer or older version of that DLL, then that can cause a problem; it can cause your app to start to fail. Another use case for DLL redirection is to load a private build of a DLL.


    Read More

Related rules

to-top