Unsigned DLL Loaded by Windows Utility
Detects Windows utilities (InstallUtil, RegAsm, RegSvcs, regsvr32, rundll32) loading an unsigned or untrusted DLL. Adversaries often abuse these programs to proxy execution of malicious code.
Sigma rule

```yaml
title: Unsigned DLL Loaded by Windows Utility
id: b5de0c9a-6f19-43e0-af4e-55ad01f550af
status: test
description: |
    Detects windows utilities loading an unsigned or untrusted DLL.
    Adversaries often abuse those programs to proxy execution of malicious code.
references:
    - https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion
    - https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql
    - https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true
author: Swachchhanda Shrawan Poudel
date: 2024-02-28
modified: 2025-10-07
tags:
    - attack.stealth
    - attack.t1218.011
    - attack.t1218.010
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith:
            # Note: Add additional utilities that allow the loading of DLLs
            - '\InstallUtil.exe'
            - '\RegAsm.exe'
            - '\RegSvcs.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
    filter_main_signed:
        Signed: 'true'
    filter_main_sig_status:
        SignatureStatus:
            - 'errorChaining'
            - 'errorCode_endpoint'
            - 'errorExpired'
            - 'trusted'
            - 'Valid'
    filter_main_signed_null:
        Signed: null
    filter_main_signed_empty:
        Signed:
            - ''
            - '-'
    filter_main_sig_status_null:
        SignatureStatus: null
    filter_main_sig_status_empty:
        SignatureStatus:
            - ''
            - '-'
    filter_main_windows_installer:
        Image:
            - 'C:\Windows\SysWOW64\rundll32.exe'
            - 'C:\Windows\System32\rundll32.exe'
        ImageLoaded|startswith: 'C:\Windows\Installer\'
        ImageLoaded|endswith:
            - '.tmp-\Microsoft.Deployment.WindowsInstaller.dll'
            - '.tmp-\Avira.OE.Setup.CustomActions.dll'
    filter_main_assembly:
        Image|startswith:
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\Microsoft.NET\Framework64'
        Image|endswith: '\RegAsm.exe'
        ImageLoaded|endswith: '.dll'
        ImageLoaded|startswith: 'C:\Windows\assembly\NativeImages'
    filter_optional_klite_codec:
        Image:
            - 'C:\Windows\SysWOW64\regsvr32.exe'
            - 'C:\Windows\System32\regsvr32.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\K-Lite Codec Pack\'
            - 'C:\Program Files\K-Lite Codec Pack\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
```
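To see how the condition `selection and not 1 of filter_main_* and not 1 of filter_optional_*` behaves on real-looking telemetry, the following Python re-implements the rule's selection and filters over constructed Sysmon image_load (Event ID 7) records. This is an added example, not code from the Sigma project or the rule author: it assumes events are dicts keyed by the Sigma field names (Image, ImageLoaded, Signed, SignatureStatus) with string values as Sysmon emits them, models an absent field as a missing key (which is what `Signed: null` matches), and lower-cases both sides of every comparison because Sigma string matching is case-insensitive. The sample events are constructed, including the paths and file names.

```python
"""Evaluate the 'Unsigned DLL Loaded by Windows Utility' Sigma logic in plain Python.

Added example (not the Sigma project's code). Assumptions: events are dicts using
the rule's field names with string values; a missing key stands for a null field;
all matching is case-insensitive, as in Sigma.
"""
from typing import Callable, Dict, Optional, Tuple

# selection: Image|endswith
UTILITY_SUFFIXES = ('\\installutil.exe', '\\regasm.exe', '\\regsvcs.exe',
                    '\\regsvr32.exe', '\\rundll32.exe')
# filter_main_sig_status values, lower-cased
TRUSTED_STATUS = {'errorchaining', 'errorcode_endpoint', 'errorexpired', 'trusted', 'valid'}
# filter_main_*_empty values
EMPTY_VALUES = {'', '-'}
RUNDLL32 = {'c:\\windows\\syswow64\\rundll32.exe', 'c:\\windows\\system32\\rundll32.exe'}
REGSVR32 = {'c:\\windows\\syswow64\\regsvr32.exe', 'c:\\windows\\system32\\regsvr32.exe'}


def _s(ev: dict, field: str) -> Optional[str]:
    """Lower-cased field value, or None when the event lacks it (Sigma 'null')."""
    v = ev.get(field)
    return v.lower() if isinstance(v, str) else None


def selection(ev: dict) -> bool:
    """The rule's 'selection' block: one of the five LOLBin utilities is the loader."""
    return (_s(ev, 'Image') or '').endswith(UTILITY_SUFFIXES)


# Filters in the order the rule lists them; any single match suppresses the alert.
FILTERS: Dict[str, Callable[[dict], bool]] = {
    'filter_main_signed': lambda ev: _s(ev, 'Signed') == 'true',
    'filter_main_sig_status': lambda ev: _s(ev, 'SignatureStatus') in TRUSTED_STATUS,
    'filter_main_signed_null': lambda ev: _s(ev, 'Signed') is None,
    'filter_main_signed_empty': lambda ev: _s(ev, 'Signed') in EMPTY_VALUES,
    'filter_main_sig_status_null': lambda ev: _s(ev, 'SignatureStatus') is None,
    'filter_main_sig_status_empty': lambda ev: _s(ev, 'SignatureStatus') in EMPTY_VALUES,
    'filter_main_windows_installer': lambda ev: (
        _s(ev, 'Image') in RUNDLL32
        and (_s(ev, 'ImageLoaded') or '').startswith('c:\\windows\\installer\\')
        and (_s(ev, 'ImageLoaded') or '').endswith((
            '.tmp-\\microsoft.deployment.windowsinstaller.dll',
            '.tmp-\\avira.oe.setup.customactions.dll'))),
    'filter_main_assembly': lambda ev: (
        (_s(ev, 'Image') or '').startswith((
            'c:\\windows\\syswow64\\', 'c:\\windows\\system32\\',
            'c:\\windows\\microsoft.net\\framework64'))
        and (_s(ev, 'Image') or '').endswith('\\regasm.exe')
        and (_s(ev, 'ImageLoaded') or '').endswith('.dll')
        and (_s(ev, 'ImageLoaded') or '').startswith('c:\\windows\\assembly\\nativeimages')),
    'filter_optional_klite_codec': lambda ev: (
        _s(ev, 'Image') in REGSVR32
        and (_s(ev, 'ImageLoaded') or '').startswith((
            'c:\\program files (x86)\\k-lite codec pack\\',
            'c:\\program files\\k-lite codec pack\\'))),
}


def evaluate(ev: dict) -> Tuple[bool, str]:
    """Return (alert, reason). Mirrors the rule's condition: selection must hold
    and no filter_main_* / filter_optional_* block may match. The reason names
    the first suppressing filter, which is what you want when tuning."""
    if not selection(ev):
        return False, 'selection not met'
    for name, pred in FILTERS.items():
        if pred(ev):
            return False, name
    return True, 'alert'


# Constructed sample events (paths, names and values are made up for the demo).
TEMP_DLL = 'C:\\Users\\jdoe\\AppData\\Local\\Temp\\helper.dll'
SAMPLE_EVENTS = {
    'rundll32_temp_unsigned': {'Image': 'C:\\Windows\\System32\\rundll32.exe',
                               'ImageLoaded': TEMP_DLL, 'Signed': 'false',
                               'SignatureStatus': 'Unavailable'},
    'regsvr32_signed_system_dll': {'Image': 'C:\\Windows\\System32\\regsvr32.exe',
                                   'ImageLoaded': 'C:\\Windows\\System32\\scrrun.dll',
                                   'Signed': 'true', 'SignatureStatus': 'Valid'},
    'rundll32_msi_custom_action': {'Image': 'C:\\Windows\\SysWOW64\\rundll32.exe',
                                   'ImageLoaded': 'C:\\Windows\\Installer\\MSI4F2A.tmp-\\'
                                                  'Microsoft.Deployment.WindowsInstaller.dll',
                                   'Signed': 'false', 'SignatureStatus': 'Unavailable'},
    'regasm_native_image': {'Image': 'C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\RegAsm.exe',
                            'ImageLoaded': 'C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\'
                                           'mscorlib\\0a1b2c\\mscorlib.ni.dll',
                            'Signed': 'false', 'SignatureStatus': 'Unavailable'},
    'notepad_unsigned': {'Image': 'C:\\Windows\\System32\\notepad.exe',
                         'ImageLoaded': TEMP_DLL, 'Signed': 'false',
                         'SignatureStatus': 'Unavailable'},
    # Same unsigned load as the first event, but the log source carries no
    # signature fields at all: the null filters suppress it, so the rule is
    # only as good as the signature telemetry feeding it.
    'rundll32_no_signature_telemetry': {'Image': 'C:\\Windows\\System32\\rundll32.exe',
                                        'ImageLoaded': TEMP_DLL},
    'regsvr32_klite': {'Image': 'C:\\Windows\\System32\\regsvr32.exe',
                       'ImageLoaded': 'C:\\Program Files\\K-Lite Codec Pack\\Filters\\LAV\\LAVVideo.ax',
                       'Signed': 'false', 'SignatureStatus': 'Unavailable'},
}


def evaluate_samples() -> Dict[str, Tuple[bool, str]]:
    """Run every constructed event through the rule logic."""
    return {name: evaluate(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == '__main__':
    for name, (alert, reason) in evaluate_samples().items():
        print(f'{name:34s} alert={alert!s:5s} {reason}')
```

Two things the run makes visible that the YAML alone does not: only the first event alerts, and the `rundll32_no_signature_telemetry` case is silently dropped by `filter_main_signed_null`. If your image_load source does not populate Signed and SignatureStatus (Sysmon does, many EDR exports do not), the rule never fires, so verify those fields exist in the pipeline before relying on it.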
Related rules
- HTML Help HH.EXE Suspicious Child Process
- Suspicious HH.EXE Execution
- APT29 2018 Phishing Campaign CommandLine Indicators
- APT29 2018 Phishing Campaign File Indicators
- Bad Opsec Defaults Sacrificial Processes With Improper Arguments