Unsigned DLL Loaded by Windows Utility

 1title: Unsigned DLL Loaded by Windows Utility
 2id: b5de0c9a-6f19-43e0-af4e-55ad01f550af
 3status: test
 4description: |
 5    Detects windows utilities loading an unsigned or untrusted DLL.
 6    Adversaries often abuse those programs to proxy execution of malicious code.    
 7references:
 8    - https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion
 9    - https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql
10    - https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true
11author: Swachchhanda Shrawan Poudel
12date: 2024-02-28
13modified: 2025-07-15
14tags:
15    - attack.t1218.011
16    - attack.t1218.010
17    - attack.defense-evasion
18logsource:
19    product: windows
20    category: image_load
21detection:
22    selection:
23        Image|endswith:
24            # Note: Add additional utilities that allow the loading of DLLs
25            - '\InstallUtil.exe'
26            - '\RegAsm.exe'
27            - '\RegSvcs.exe'
28            - '\regsvr32.exe'
29            - '\rundll32.exe'
30    filter_main_signed:
31        Signed: 'true'
32    filter_main_sig_status:
33        SignatureStatus:
34            - 'errorChaining'
35            - 'errorCode_endpoint'
36            - 'errorExpired'
37            - 'trusted'
38            - 'Valid'
39    filter_main_signed_null:
40        Signed: null
41    filter_main_signed_empty:
42        Signed:
43            - ''
44            - '-'
45    filter_main_sig_status_null:
46        SignatureStatus: null
47    filter_main_sig_status_empty:
48        SignatureStatus:
49            - ''
50            - '-'
51    condition: selection and not 1 of filter_main_*
52falsepositives:
53    - Unknown
54level: medium

References

• Hunting for Suspicious Windows Libraries for Execution and Defense Evasion — Elastic Security Labs

  

  Learn more about discovering threats by hunting through DLL load events, one way to reveal the presence of known and unknown malware in noisy process event data.

  
  Read More

• https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql

  
  Read More

• Hunting for Unsigned DLLs to Find APTs

  

  Hunting for the loading of unsigned DLLs can help you identify attacks and threat actors in your environment. Our examples include well-known APTs.

  
  Read More

Related rules

• HTML Help HH.EXE Suspicious Child Process
• Suspicious HH.EXE Execution
• Bad Opsec Defaults Sacrificial Processes With Improper Arguments
• Potentially Suspicious Rundll32.EXE Execution of UDL File
• Rundll32 UNC Path Execution