Execution via local SxS Shared Module

Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.

Elastic rule

[metadata]
creation_date = "2020/10/28"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2026/05/04"

[rule]
author = ["Elastic"]
description = """
Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse
shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local
paths.
"""
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.file-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Execution via local SxS Shared Module"
note = """## Triage and analysis

The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 11 - File Create](https://ela.st/sysmon-event-11-setup)
"""

references = ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"]
risk_score = 47
rule_id = "a3ea12f3-0d4e-4667-8b44-4230c63f3c75"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender XDR",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and file.extension : "dll" and
  file.path : (
    "C:\\*\\*.exe.local\\*.dll",
    /* Crowdstrike specific condition as it uses NT Object paths */
    "\\Device\\HarddiskVolume*\\*\\*.exe.local\\*.dll"
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1129"
name = "Shared Modules"
reference = "https://attack.mitre.org/techniques/T1129/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"

[[rule.threat.technique.subtechnique]]
id = "T1574.001"
name = "DLL"
reference = "https://attack.mitre.org/techniques/T1574/001/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

Triage and analysis

The SxS DotLocal folder is a legitimate DLL redirection feature that can be abused to hijack the standard module loading order: if a folder named application.exe.local exists next to application.exe, the loader takes DLLs from that folder first, so a malicious DLL placed there is loaded instead of the legitimate module.
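As an added example that is not part of the Elastic rule or its repository, the following Python mirrors the rule's EQL query over constructed sample file events (flat ECS field names such as file.path are assumed) and, for each hit, extracts which executable's module search order the .local folder would redirect, which is the first thing an analyst wants during triage.

```python
import re

# Wildcard patterns copied from the rule's EQL query. The EQL ":" operator is a
# case-insensitive match in which "*" matches any run of characters (path
# separators included); everything else, backslashes included, is literal.
DOTLOCAL_PATH_PATTERNS = (
    r"C:\*\*.exe.local\*.dll",
    r"\Device\HarddiskVolume*\*\*.exe.local\*.dll",  # CrowdStrike NT object paths
)

def eql_wildcard_to_regex(pattern):
    """Translate one EQL wildcard pattern into an anchored, case-insensitive regex."""
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$", re.I)

_PATH_REGEXES = [eql_wildcard_to_regex(p) for p in DOTLOCAL_PATH_PATTERNS]
# Extracts "<app>.exe" and the DLL written under its .local folder, for triage.
_TARGET_RE = re.compile(r"\\([^\\]*\.exe)\.local\\(.+\.dll)$", re.I)

def matches_rule(event):
    """Mirror of: file where host.os.type == "windows" and file.extension : "dll"
    and file.path : (<patterns>). Events use flat ECS keys, e.g. event["file.path"]."""
    if event.get("event.category") != "file" or event.get("host.os.type") != "windows":
        return False
    if event.get("file.extension", "").lower() != "dll":
        return False
    return any(rx.match(event.get("file.path", "")) for rx in _PATH_REGEXES)

def dotlocal_target(path):
    """(hijacked_exe, redirected_dll) for a DotLocal path, else None: tells the
    analyst which executable's module search order the DLL would override."""
    m = _TARGET_RE.search(path)
    return (m.group(1), m.group(2)) if m else None

def triage(events):
    """Apply the rule to a batch of events; return (path, exe, dll) per hit."""
    return [(e["file.path"], *(dotlocal_target(e["file.path"]) or (None, None)))
            for e in events if matches_rule(e)]

# Constructed sample events (not real telemetry), flat ECS field names.
SAMPLE_EVENTS = [
    {"event.category": "file", "host.os.type": "windows", "file.extension": "dll",
     "file.path": r"C:\Program Files\VendorApp\app.exe.local\version.dll"},
    {"event.category": "file", "host.os.type": "windows", "file.extension": "DLL",
     "file.path": r"\Device\HarddiskVolume3\Users\jdoe\Downloads\tool.exe.local\DWrite.DLL"},
    {"event.category": "file", "host.os.type": "windows", "file.extension": "dll",
     "file.path": r"C:\Windows\System32\version.dll"},   # normal system DLL, no hit
    {"event.category": "file", "host.os.type": "windows", "file.extension": "txt",
     "file.path": r"C:\Apps\app.exe.local\readme.txt"},  # not a DLL, no hit
]
```

Running triage(SAMPLE_EVENTS) yields the two .local hits with app.exe/version.dll and tool.exe/DWrite.DLL as the affected executable and module; the query itself does not restrict event.action, so create, change and delete events all count.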
