Adversaries may drop files that carry the name of a system DLL into unexpected locations (ATT&CK T1036.005, Masquerading: Match Legitimate Name or Location) to evade detection and execute malicious code, for example through DLL sideloading. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential persistence or execution tactics early.
Detection Rule
title: Files With System DLL Name In Unsuspected Locations
id: 13c02350-4177-4e45-ac17-cf7ca628ff5e
status: test
description: |
    Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations (outside of "System32", "SysWOW64", etc.).
    It is highly recommended to perform an initial baseline before using this rule in production.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-24
tags:
    - attack.defense-evasion
    - attack.t1036.005
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            # Note: Add more System DLLs that can be abused for DLL sideloading to increase coverage
            - '\secur32.dll'
            - '\tdh.dll'
    filter_main_generic:
        # Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.
        TargetFilename|contains:
            # - '\SystemRoot\System32\'
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\uus\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Third party software might bundle specific versions of system DLLs.
# Note: Upgrade to high after an initial baseline of your environment.
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_system_dll_files/info.yml
imFileEvent
| where (TargetFileName endswith "\\secur32.dll" or TargetFileName endswith "\\tdh.dll")
    and not (
        TargetFileName contains "C:\\$WINDOWS.~BT\\"
        or TargetFileName contains "C:\\$WinREAgent\\"
        or TargetFileName contains "C:\\Windows\\SoftwareDistribution\\"
        or TargetFileName contains "C:\\Windows\\System32\\"
        or TargetFileName contains "C:\\Windows\\SysWOW64\\"
        or TargetFileName contains "C:\\Windows\\WinSxS\\"
        or TargetFileName contains "C:\\Windows\\uus\\"
    )
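The rule's selection-and-filter logic, re-implemented here as an added example (not part of the Sigma rule or its KQL translation) and run over constructed file_event samples; the paths, process images and the baseline() helper are assumptions for illustration. It shows why the patterns are anchored on the path separator, that matching is case-insensitive, that a system directory on a non-C: drive is not covered by the generic filter, and how a baseline run surfaces the process/directory pairs you would turn into a more specific filter_main_* entry.

```python
from collections import Counter

# Patterns from the Sigma rule above (Sigma and KQL string modifiers are case-insensitive)
SYSTEM_DLL_NAMES = ("\\secur32.dll", "\\tdh.dll")
EXPECTED_LOCATIONS = (
    "C:\\$WINDOWS.~BT\\", "C:\\$WinREAgent\\", "C:\\Windows\\SoftwareDistribution\\",
    "C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\", "C:\\Windows\\WinSxS\\",
    "C:\\Windows\\uus\\",
)


def matches_rule(target_filename: str) -> bool:
    """True when the event satisfies 'selection and not 1 of filter_main_*'."""
    path = target_filename.lower()
    selection = any(path.endswith(name.lower()) for name in SYSTEM_DLL_NAMES)
    expected = any(loc.lower() in path for loc in EXPECTED_LOCATIONS)
    return selection and not expected


def baseline(events: list[dict]) -> Counter:
    """Count rule hits per (creating process, target directory). Pairs that recur
    during a baseline period are candidates for a process-aware filter entry."""
    hits: Counter = Counter()
    for ev in events:
        if matches_rule(ev["TargetFilename"]):
            directory = ev["TargetFilename"].rsplit("\\", 1)[0]
            hits[(ev["Image"].lower(), directory.lower())] += 1
    return hits


# Constructed file_event samples (hypothetical paths, not real telemetry)
SAMPLE_EVENTS = [
    # Servicing write into System32: suppressed by filter_main_generic
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\System32\\secur32.dll"},
    # Same DLL name dropped in a user temp dir; upper case still matches
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\SECUR32.DLL"},
    # Vendor bundling tdh.dll: a hit, and the kind of pair a baseline surfaces
    {"Image": "C:\\Program Files\\Vendor\\installer.exe",
     "TargetFilename": "C:\\Program Files\\Vendor\\tdh.dll"},
    # '\tdh.dll' anchors on the separator, so 'my-tdh.dll' is not a match
    {"Image": "C:\\Users\\alice\\Downloads\\build.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\my-tdh.dll"},
    # System32 on another drive is absent from the C:-prefixed filter, so it fires
    {"Image": "D:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "D:\\Windows\\System32\\tdh.dll"},
]

if __name__ == "__main__":
    for pair, count in baseline(SAMPLE_EVENTS).items():
        print(count, pair)
```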
Scenario: A system update or patching tool (e.g., Microsoft Update, Windows Server Update Services) temporarily creates a file with a system DLL name in a non-standard directory during installation.
Filter/Exclusion: Exclude files created by known update tools using their process names or parent process context (e.g., msiexec.exe, wuauclt.exe).
Scenario: A scheduled task (e.g., via Task Scheduler) runs a legitimate script or application that generates a temporary DLL file with a system DLL name in a working directory.
Filter/Exclusion: Exclude files created by scheduled tasks with known task names or by processes running under a specific user account (e.g., SYSTEM or LocalService).
Scenario: An administrator manually copies a system DLL (e.g., kernel32.dll) to a non-standard location for testing or debugging purposes.
Filter/Exclusion: Exclude files created by processes with elevated privileges (e.g., explorer.exe with RunAs or cmd.exe with runas), or files with a known source path (e.g., C:\Windows\System32).
Scenario: A third-party application (e.g., Adobe Acrobat, Java Runtime Environment) installs a DLL with a system-like name in a non-standard directory as part of its installation.
Filter/Exclusion: Exclude files created by known application installers (e.g., setup.exe, install.exe) or by processes associated with the application (e.g., javaw.exe, AcroRd32.exe).
Scenario: A backup or synchronization tool (e.g., Veeam, rsync, or Dropbox) temporarily stores a system DLL in a user-specific directory during a sync operation.
Filter/Exclusion: Exclude files created by backup tools using their process names or