Unsigned DLL Loaded by Windows Utility
Detects windows utilities loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code.
Sigma rule (View on GitHub)
1title: Unsigned DLL Loaded by Windows Utility
2id: b5de0c9a-6f19-43e0-af4e-55ad01f550af
3status: test
4description: |
5 Detects windows utilities loading an unsigned or untrusted DLL.
6 Adversaries often abuse those programs to proxy execution of malicious code.
7references:
8 - https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion
9 - https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql
10 - https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true
11author: Swachchhanda Shrawan Poudel
12date: 2024-02-28
13modified: 2025-10-07
14tags:
15 - attack.t1218.011
16 - attack.t1218.010
17 - attack.defense-evasion
18logsource:
19 product: windows
20 category: image_load
21detection:
22 selection:
23 Image|endswith:
24 # Note: Add additional utilities that allow the loading of DLLs
25 - '\InstallUtil.exe'
26 - '\RegAsm.exe'
27 - '\RegSvcs.exe'
28 - '\regsvr32.exe'
29 - '\rundll32.exe'
30 filter_main_signed:
31 Signed: 'true'
32 filter_main_sig_status:
33 SignatureStatus:
34 - 'errorChaining'
35 - 'errorCode_endpoint'
36 - 'errorExpired'
37 - 'trusted'
38 - 'Valid'
39 filter_main_signed_null:
40 Signed: null
41 filter_main_signed_empty:
42 Signed:
43 - ''
44 - '-'
45 filter_main_sig_status_null:
46 SignatureStatus: null
47 filter_main_sig_status_empty:
48 SignatureStatus:
49 - ''
50 - '-'
51 filter_main_windows_installer:
52 Image:
53 - 'C:\Windows\SysWOW64\rundll32.exe'
54 - 'C:\Windows\System32\rundll32.exe'
55 ImageLoaded|startswith: 'C:\Windows\Installer\'
56 ImageLoaded|endswith:
57 - '.tmp-\Microsoft.Deployment.WindowsInstaller.dll'
58 - '.tmp-\Avira.OE.Setup.CustomActions.dll'
59 filter_main_assembly:
60 Image|startswith:
61 - 'C:\Windows\SysWOW64\'
62 - 'C:\Windows\System32\'
63 - 'C:\Windows\Microsoft.NET\Framework64'
64 Image|endswith: '\RegAsm.exe'
65 ImageLoaded|endswith: '.dll'
66 ImageLoaded|startswith: 'C:\Windows\assembly\NativeImages'
67 filter_optional_klite_codec:
68 Image:
69 - 'C:\Windows\SysWOW64\regsvr32.exe'
70 - 'C:\Windows\System32\regsvr32.exe'
71 ImageLoaded|startswith:
72 - 'C:\Program Files (x86)\K-Lite Codec Pack\'
73 - 'C:\Program Files\K-Lite Codec Pack\'
74 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
75falsepositives:
76 - Unknown
77level: medium
References
-
Learn more about discovering threats by hunting through DLL load events, one way to reveal the presence of known and unknown malware in noisy process event data.
Read More -
Hunting for the loading of unsigned DLLs can help you identify attacks and threat actors in your environment. Our examples include well-known APTs.
Read More
Related rules
- HTML Help HH.EXE Suspicious Child Process
- Suspicious HH.EXE Execution
- Suspicious ShellExec_RunDLL Call Via Ordinal
- Regsvr32 DLL Execution With Suspicious File Extension
- Potential Regsvr32 Commandline Flag Anomaly