Potential DLL Sideloading Of Non-Existent DLLs From System Folders
Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
Sigma rule

title: Potential DLL Sideloading Of Non-Existent DLLs From System Folders
id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
related:
    - id: df6ecb8b-7822-4f4b-b412-08f524b4576c # FileEvent rule
      type: similar
    - id: 602a1f13-c640-4d73-b053-be9a2fa58b77
      type: obsolete
status: test
description: |
    Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts.
    Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
references:
    - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
    - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
    - https://decoded.avast.io/martinchlumecky/png-steganography/
    - https://github.com/Wh04m1001/SysmonEoP
    - https://itm4n.github.io/cdpsvc-dll-hijacking/
    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
    - https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/
    - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
    - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
    - https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/
    - https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/
    - https://x.com/0gtweet/status/1564131230941122561
author: Nasreddine Bencherchali (Nextron Systems), SBousseaden
date: 2022-12-09
modified: 2026-01-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            # Add other DLLs
            - ':\Windows\System32\axeonoffhelper.dll'
            - ':\Windows\System32\cdpsgshims.dll'
            - ':\Windows\System32\oci.dll'
            - ':\Windows\System32\offdmpsvc.dll'
            - ':\Windows\System32\shellchromeapi.dll'
            - ':\Windows\System32\TSMSISrv.dll'
            - ':\Windows\System32\TSVIPSrv.dll'
            - ':\Windows\System32\wbem\wbemcomn.dll'
            - ':\Windows\System32\WLBSCTRL.dll'
            - ':\Windows\System32\wow64log.dll'
            - ':\Windows\System32\WptsExtensions.dll'
    filter_main_ms_signed:
        Signed: 'true'
        SignatureStatus: 'Valid'
        # There could be other signatures (please add when found)
        Signature: 'Microsoft Windows'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
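To show how the condition `selection and not 1 of filter_main_*` evaluates in practice, here is an added Python example (not the Sigma project's code or part of this rule) that applies the rule's selection list and Microsoft-signature filter to constructed Sysmon Event ID 7 style records; the field names follow Sigma's Windows image_load field set, and all sample events are constructed for illustration.

```python
# Added example (not the Sigma project's code): apply this rule's logic to
# constructed Sysmon Event ID 7 (image load) records.

# DLL path suffixes from the rule's selection block.
PHANTOM_DLL_SUFFIXES = [
    r":\Windows\System32\axeonoffhelper.dll", r":\Windows\System32\cdpsgshims.dll",
    r":\Windows\System32\oci.dll", r":\Windows\System32\offdmpsvc.dll",
    r":\Windows\System32\shellchromeapi.dll", r":\Windows\System32\TSMSISrv.dll",
    r":\Windows\System32\TSVIPSrv.dll", r":\Windows\System32\wbem\wbemcomn.dll",
    r":\Windows\System32\WLBSCTRL.dll", r":\Windows\System32\wow64log.dll",
    r":\Windows\System32\WptsExtensions.dll",
]


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'selection and not 1 of filter_main_*'."""
    # Sigma string comparisons (including |endswith) are case-insensitive.
    image = str(event.get("ImageLoaded", "")).lower()
    if not any(image.endswith(s.lower()) for s in PHANTOM_DLL_SUFFIXES):
        return False
    # The filter suppresses the hit only when all three of its fields match.
    ms_signed = (
        str(event.get("Signed", "")).lower() == "true"
        and str(event.get("SignatureStatus", "")).lower() == "valid"
        and str(event.get("Signature", "")).lower() == "microsoft windows"
    )
    return not ms_signed


def run_detection(events: list) -> list:
    """Return the ImageLoaded paths of all events that trigger the rule."""
    return [e["ImageLoaded"] for e in events if matches_rule(e)]


# Constructed sample events (field names as in Sigma's Windows image_load logsource).
SAMPLE_EVENTS = [
    # A normally non-existent DLL loaded from System32 without a valid signature: alert.
    {"ImageLoaded": r"C:\Windows\System32\cdpsgshims.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    # Listed name (different letter case), Microsoft-signed and valid: suppressed by the filter.
    {"ImageLoaded": r"C:\Windows\System32\wbem\WBEMCOMN.DLL",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    # Validly signed by a third party: the filter does not apply, so it still alerts.
    {"ImageLoaded": r"D:\Windows\System32\wow64log.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Example Corp"},
    # An ordinary system DLL: not in the selection list at all.
    {"ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
]
```

Running `run_detection(SAMPLE_EVENTS)` returns the first and third paths only, which is exactly the set a Sigma backend would flag for the same events.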
Related rules
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Creation Of Non-Existent System DLL
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation