Creation Of Non-Existent System DLL
Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs. Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
Sigma rule

title: Creation Of Non-Existent System DLL
id: df6ecb8b-7822-4f4b-b412-08f524b4576c
related:
    - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule
      type: similar
status: test
description: |
    Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes.
    Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
    Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
references:
    - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
    - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
    - https://decoded.avast.io/martinchlumecky/png-steganography/
    - https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
    - https://github.com/Wh04m1001/SysmonEoP
    - https://itm4n.github.io/cdpsvc-dll-hijacking/
    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
    - https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/
    - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
    - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
    - https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/
    - https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/
    - https://x.com/0gtweet/status/1564131230941122561
author: Nasreddine Bencherchali (Nextron Systems), fornotes
date: 2022-12-01
modified: 2026-01-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - ':\Windows\System32\axeonoffhelper.dll'
            - ':\Windows\System32\cdpsgshims.dll'
            - ':\Windows\System32\oci.dll'
            - ':\Windows\System32\offdmpsvc.dll'
            - ':\Windows\System32\shellchromeapi.dll'
            - ':\Windows\System32\TSMSISrv.dll'
            - ':\Windows\System32\TSVIPSrv.dll'
            - ':\Windows\System32\wbem\wbemcomn.dll'
            - ':\Windows\System32\WLBSCTRL.dll'
            - ':\Windows\System32\wow64log.dll'
            - ':\Windows\System32\WptsExtensions.dll'
            - '\SprintCSP.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_create_non_existent_dlls/info.yml
Related rules
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL