Creation Of Non-Existent System DLL
Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs. Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
Sigma rule (View on GitHub)
1title: Creation Of Non-Existent System DLL
2id: df6ecb8b-7822-4f4b-b412-08f524b4576c
3related:
4 - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule
5 type: similar
6status: test
7description: |
8 Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes.
9 Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
10 Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
11references:
12 - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
13 - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
14 - https://decoded.avast.io/martinchlumecky/png-steganography/
15 - https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
16 - https://github.com/Wh04m1001/SysmonEoP
17 - https://itm4n.github.io/cdpsvc-dll-hijacking/
18 - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
19 - https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/
20 - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
21 - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
22 - https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/
23 - https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/
24 - https://x.com/0gtweet/status/1564131230941122561
25author: Nasreddine Bencherchali (Nextron Systems), fornotes
26date: 2022-12-01
27modified: 2026-01-24
28tags:
29 - attack.defense-evasion
30 - attack.persistence
31 - attack.privilege-escalation
32 - attack.t1574.001
33logsource:
34 product: windows
35 category: file_event
36detection:
37 selection:
38 TargetFilename|endswith:
39 - ':\Windows\System32\axeonoffhelper.dll'
40 - ':\Windows\System32\cdpsgshims.dll'
41 - ':\Windows\System32\oci.dll'
42 - ':\Windows\System32\offdmpsvc.dll'
43 - ':\Windows\System32\shellchromeapi.dll'
44 - ':\Windows\System32\TSMSISrv.dll'
45 - ':\Windows\System32\TSVIPSrv.dll'
46 - ':\Windows\System32\wbem\wbemcomn.dll'
47 - ':\Windows\System32\WLBSCTRL.dll'
48 - ':\Windows\System32\wow64log.dll'
49 - ':\Windows\System32\WptsExtensions.dll'
50 - '\SprintCSP.dll'
51 condition: selection
52falsepositives:
53 - Unknown
54level: medium
55regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_create_non_existent_dlls/info.yml
References
-
Abstract I was recently busy doing some reverse on an antivirus solution. During this review, I figured out the Windows 10 Task Schedul...
Read More -
DLL injection in McAfee Agent allowing a local administrator to kill the antivirus, or tamper with it, without knowing the McAfee passwordThe macompatsvc.exe...
Read More -
-
Collection of PoC and offensive techniques used by the BlackArrow Red Team - blackarrowsec/redteam-research
Read More -
-
A DLL hijacking “vulnerability” in the CDPSvc service was reported to Microsoft at least two times this year. As per their policy though, DLL planting issues that fall into the category of PATH directories DLL planting are treated as won’t fix , which means that it won’t be addressed (at least in the near future). This case is very similar to the IKEEXT one in Windows Vista/7/8. The big difference is that CDPSvc runs as LOCAL SERVICE instead of SYSTEM so getting higher privileges requires an extra step.
Read More -
-
Kaspersky GReAT experts break down a recent PassiveNeuron campaign that targets servers worldwide with custom Neursite and NeuralExecutor APT implants and Cobalt Strike.
Read More -
Learn about four DLL hijacking techniques observed in the wild, and how CrowdStrike's Falcon OverWatch threat hunters can quickly and accurately identify these attempts.
Read More -
Time for the 5th part. Today it’s about the Phantom DLLs Hijacking (do not confuse it with ‘DLL Search Order Hijacking’ where order in which paths are searched for is abused). Windows is a huge ope...
Read More -
Similarly as in the previous case, wermgr.exe accepts many command line arguments: -boot -clean -datacollectorcreate -nonelevated -outproc -purgestores -queuereporting -queuereporting_svc -queuerep...
Read More -
Today I have discovered the PipelineFilterHook Registry entry only to find out that this blog post has already described it in detail. Nice work! So, I decided to take a look at my favorite phantom...
Read More -
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- Potential DLL Sideloading Of Non-Existent DLLs From System Folders
- Registry Modification for OCI DLL Redirection
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- Potential System DLL Sideloading From Non System Locations
- Use Of Hidden Paths Or Files