Attackers may exploit DLL search order hijacking by creating folders with additional spaces in the path to mimic legitimate system directories and load malicious DLLs. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement and code execution attempts leveraging Windows’ DLL resolution mechanism.
Detection Rule
title: DLL Search Order Hijacking Via Additional Space in Path
id: b6f91281-20aa-446a-b986-38a92813a18f
status: test
description: |
    Detects when an attacker creates a folder structure similar to Windows system folders (Windows, Program Files...)
    but with a trailing space, in order to trick the DLL load search order and perform a "DLL Search Order Hijacking" attack
references:
    - https://twitter.com/cyb3rops/status/1552932770464292864
    - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-30
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1574.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith:
            - 'C:\Windows \'
            - 'C:\Program Files \'
            - 'C:\Program Files (x86) \'
        TargetFilename|endswith: '.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
imFileEvent
| where (TargetFileName startswith "C:\\Windows \\"
      or TargetFileName startswith "C:\\Program Files \\"
      or TargetFileName startswith "C:\\Program Files (x86) \\")
  and TargetFileName endswith ".dll"
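The following Python snippet is an added example, not part of the Sigma rule or the Sentinel query above. It reproduces the rule's selection logic (the three trailing-space prefixes plus the .dll suffix, matched case-insensitively as Sigma does by default) over a handful of constructed file-event records, adds an optional allow-list of creating process images as one way to implement the "exclude known installers" style of filter, and derives the legitimate directory each hit is mimicking so an analyst can see at a glance which system folder is being spoofed. The event records, the process image paths and the `trusted_images` allow-list are all constructed for the example.

```python
# Added example: the Sigma selection re-implemented over constructed file-event records.
from typing import Dict, Iterable, List, Sequence

# Prefixes from the rule's TargetFilename|startswith list (note the space before the final backslash).
SUSPICIOUS_PREFIXES = (
    "C:\\Windows \\",
    "C:\\Program Files \\",
    "C:\\Program Files (x86) \\",
)


def matches_rule(target_filename: str) -> bool:
    """True when a file-event path satisfies the rule's selection.

    Sigma string matching is case-insensitive unless a modifier says otherwise,
    so both sides are lower-cased before comparison.
    """
    path = target_filename.lower()
    if not path.endswith(".dll"):
        return False
    return any(path.startswith(prefix.lower()) for prefix in SUSPICIOUS_PREFIXES)


def mimicked_directory(target_filename: str) -> str:
    """Return the legitimate path the trailing-space directory is imitating.

    Only the first matching prefix is rewritten; everything after it is kept,
    e.g. 'C:\\Windows \\System32\\x.dll' -> 'C:\\Windows\\System32\\x.dll'.
    """
    lowered = target_filename.lower()
    for prefix in SUSPICIOUS_PREFIXES:
        if lowered.startswith(prefix.lower()):
            # Drop the space that precedes the closing backslash of the prefix.
            legit_prefix = prefix[:-2] + prefix[-1]
            return legit_prefix + target_filename[len(prefix):]
    return target_filename


def hunt(events: Iterable[Dict[str, str]], trusted_images: Sequence[str] = ()) -> List[Dict[str, str]]:
    """Apply the rule to a stream of file-event records.

    `trusted_images` is a constructed allow-list of creating process images
    (installers, deployment tools) used to suppress known-benign hits; it is
    not part of the Sigma rule itself.
    """
    trusted = {img.lower() for img in trusted_images}
    hits = []
    for event in events:
        if not matches_rule(event["TargetFilename"]):
            continue
        if event.get("Image", "").lower() in trusted:
            continue
        hits.append(dict(event, MimickedPath=mimicked_directory(event["TargetFilename"])))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"TargetFilename": "C:\\Windows \\System32\\version.dll",
     "Image": "C:\\Users\\alice\\Downloads\\dropper.exe"},          # trailing space: hit
    {"TargetFilename": "C:\\Windows\\System32\\version.dll",
     "Image": "C:\\Windows\\System32\\svchost.exe"},                 # genuine folder: no hit
    {"TargetFilename": "C:\\Program Files \\MyApp\\helper.dll",
     "Image": "C:\\Temp\\setup.exe"},                                # trailing space: hit
    {"TargetFilename": "C:\\Program Files (x86) \\readme.txt",
     "Image": "C:\\Temp\\setup.exe"},                                # not a DLL: no hit
    {"TargetFilename": "c:\\program files (x86) \\app\\core.dll",
     "Image": "C:\\Program Files\\Installer\\InstallShield.exe"},    # hit unless image is allow-listed
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, trusted_images=("C:\\Program Files\\Installer\\InstallShield.exe",)):
        print(f"{hit['Image']} wrote {hit['TargetFilename']} (mimics {hit['MimickedPath']})")
```

Running the block with the allow-list leaves two hits (the dropper and the unknown setup.exe) and suppresses the third; run it with an empty allow-list to see all three, which mirrors the rule's behaviour before any tuning.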
Scenario: A system administrator creates a folder named C:\Windows Program Files\MyApp to organize custom applications, and places a malicious DLL in this folder to test DLL loading behavior.
Filter/Exclusion: Check for folder names that contain spaces and are created by known administrative tools (e.g., mklink, robocopy, or xcopy). Exclude folders created by users with elevated privileges and with names that match standard Windows folder structures.
Scenario: A scheduled job runs a script that copies legitimate DLLs into a folder named C:\Windows\System32 MyApp to ensure compatibility with applications that expect DLLs in such locations.
Filter/Exclusion: Exclude folders that are created by scheduled tasks or scripts with known legitimate purposes. Use a filter to check for folder creation by system services or scheduled tasks with known names (e.g., TaskScheduler or Windows Task Scheduler).
Scenario: A developer uses the mklink command to create a symbolic link from C:\Windows\System32\mydll.dll to a custom DLL located in C:\MyDevTools\mydll.dll for testing purposes.
Filter/Exclusion: Exclude entries where the folder or file path includes symbolic links created by mklink or other legitimate system utilities. Check for the presence of mklink in the command history or process tree.
Scenario: A user installs a third-party application that creates a folder named C:\Program Files (x86) MyApp during installation, and the application places its own DLLs in this folder.
Filter/Exclusion: Exclude folders that are created by known legitimate software installers (e.g., InstallShield, NSIS, or Inno Setup). Use a filter to check for folder creation by trusted software publishers or installers.
Scenario: A system update or