Potential DLL Sideloading Of Non-Existent DLLs From System Folders
Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
Sigma rule (View on GitHub)
1title: Potential DLL Sideloading Of Non-Existent DLLs From System Folders
2id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
3related:
4 - id: df6ecb8b-7822-4f4b-b412-08f524b4576c # FileEvent rule
5 type: similar
6 - id: 602a1f13-c640-4d73-b053-be9a2fa58b77
7 type: obsolete
8status: test
9description: |
10 Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts.
11 Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
12references:
13 - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
14 - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
15 - https://decoded.avast.io/martinchlumecky/png-steganography/
16 - https://github.com/Wh04m1001/SysmonEoP
17 - https://itm4n.github.io/cdpsvc-dll-hijacking/
18 - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
19 - https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/
20 - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
21 - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
22 - https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/
23 - https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/
24 - https://x.com/0gtweet/status/1564131230941122561
25author: Nasreddine Bencherchali (Nextron Systems), SBousseaden
26date: 2022-12-09
27modified: 2026-01-24
28tags:
29 - attack.defense-evasion
30 - attack.persistence
31 - attack.privilege-escalation
32 - attack.t1574.001
33logsource:
34 category: image_load
35 product: windows
36detection:
37 selection:
38 ImageLoaded|endswith:
39 # Add other DLLs
40 - ':\Windows\System32\axeonoffhelper.dll'
41 - ':\Windows\System32\cdpsgshims.dll'
42 - ':\Windows\System32\oci.dll'
43 - ':\Windows\System32\offdmpsvc.dll'
44 - ':\Windows\System32\shellchromeapi.dll'
45 - ':\Windows\System32\TSMSISrv.dll'
46 - ':\Windows\System32\TSVIPSrv.dll'
47 - ':\Windows\System32\wbem\wbemcomn.dll'
48 - ':\Windows\System32\WLBSCTRL.dll'
49 - ':\Windows\System32\wow64log.dll'
50 - ':\Windows\System32\WptsExtensions.dll'
51 filter_main_ms_signed:
52 Signed: 'true'
53 SignatureStatus: 'Valid'
54 # There could be other signatures (please add when found)
55 Signature: 'Microsoft Windows'
56 condition: selection and not 1 of filter_main_*
57falsepositives:
58 - Unknown
59level: high
References
-
Abstract I was recently busy doing some reverse on an antivirus solution. During this review, I figured out the Windows 10 Task Schedul...
Read More -
DLL injection in McAfee Agent allowing a local administrator to kill the antivirus, or tamper with it, without knowing the McAfee passwordThe macompatsvc.exe...
Read More -
-
-
A DLL hijacking “vulnerability” in the CDPSvc service was reported to Microsoft at least two times this year. As per their policy though, DLL planting issues that fall into the category of PATH directories DLL planting are treated as won’t fix , which means that it won’t be addressed (at least in the near future). This case is very similar to the IKEEXT one in Windows Vista/7/8. The big difference is that CDPSvc runs as LOCAL SERVICE instead of SYSTEM so getting higher privileges requires an extra step.
Read More -
-
Kaspersky GReAT experts break down a recent PassiveNeuron campaign that targets servers worldwide with custom Neursite and NeuralExecutor APT implants and Cobalt Strike.
Read More -
Learn about four DLL hijacking techniques observed in the wild, and how CrowdStrike's Falcon OverWatch threat hunters can quickly and accurately identify these attempts.
Read More -
Time for the 5th part. Today it’s about the Phantom DLLs Hijacking (do not confuse it with ‘DLL Search Order Hijacking’ where order in which paths are searched for is abused). Windows is a huge ope...
Read More -
Similarly as in the previous case, wermgr.exe accepts many command line arguments: -boot -clean -datacollectorcreate -nonelevated -outproc -purgestores -queuereporting -queuereporting_svc -queuerep...
Read More -
Today I have discovered the PipelineFilterHook Registry entry only to find out that this blog post has already described it in detail. Nice work! So, I decided to take a look at my favorite phantom...
Read More -
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- Creation Of Non-Existent System DLL
- Registry Modification for OCI DLL Redirection
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- Potential System DLL Sideloading From Non System Locations
- Use Of Hidden Paths Or Files