Potential Initial Access via DLL Search Order Hijacking
Detects attempts to create a DLL file in a known desktop application dependency folder (such as Slack, Teams or OneDrive) by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
Sigma rule
title: Potential Initial Access via DLL Search Order Hijacking
id: dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c
status: test
description: Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc
    - https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-21
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1566
    - attack.t1566.001
    - attack.initial-access
    - attack.t1574
    - attack.t1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # add more processes when you find them
            - '\winword.exe'
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\MSACCESS.EXE'
            - '\MSPUB.EXE'
            - '\fltldr.exe'
            - '\cmd.exe'
            - '\certutil.exe'
            - '\mshta.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\curl.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith: '.dll'
        TargetFilename|contains|all:
            - '\Users\'
            - '\AppData\'
        TargetFilename|contains:
            # add more suspicious paths when you find them
            - '\Microsoft\OneDrive\'
            - '\Microsoft OneDrive\'
            - '\Microsoft\Teams\'
            - '\Local\slack\app-'
            - '\Local\Programs\Microsoft VS Code\'
    filter:
        Image|endswith: '\cmd.exe'
        TargetFilename|contains|all:
            - '\Users\'
            - '\AppData\'
            - '\Microsoft\OneDrive\'
            - '\api-ms-win-core-'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium