Adversaries may sideload malicious DLLs from non-system locations to evade standard detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential DLL sideloading and mitigate the lateral movement risk that follows from it.
Detection Rule
title: Potential System DLL Sideloading From Non System Locations
id: 4fc0deee-0057-4998-ab31-d24e46e0aba4
status: test
description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
references:
    - https://hijacklibs.net/ # For a list of DLLs that could be sideloaded (search there for the DLLs listed here). Wietze Beukema (project and research)
    - https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll
    - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
    - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
    - https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
modified: 2025-12-03
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\aclui.dll'
            - '\activeds.dll'
            - '\adsldpc.dll'
            - '\aepic.dll'
            - '\apphelp.dll'
            - '\applicationframe.dll'
            - '\appvpolicy.dll'
            - '\appxalluserstore.dll'
            - '\appxdeploymentclient.dll'
            - '\archiveint.dll'
            - '\atl.dll'
            - '\audioses.dll'
            - '\auditpolcore.dll'
            - '\authfwcfg.dll'
            - '\authz.dll'
            - '\avrt.dll'
            - '\batmeter.dll'
            - '\bcd.dll'
            - '\bcp47langs.dll'
            - '\bcp47mrm.dll'
            - '\bcrypt.dll'
            - '\bderepair.dll'
            - '\bootmenuux.dll'
            - '\bootux.dll'
            - '\cabinet.dll'
            - '\cabview.dll'
            - '\certcli.dll'
            - '\certenroll.dll'
            - '\cfgmgr32.dll'
            - '\cldapi.dll'
            - '\clipc.dll'
            - '\clusapi.dll'
            - '\cmpbk32.dll'
            - '\cmutil.dll'
            - '\coloradapterclient.dll'
            - '\colorui.dll'
            - '\comdlg32.dll'
            - '\configmanager2.dll'
            - '\connect.dll'
            - '\coredplus.dll'
            - '\coremessaging.dll'
            - '\coreuicomponents.dll'
            - '\credui.dll'
            - '\cryptbase.dll'
            - '\cryptdll.dll'
            - '\cryptsp.dll'
            - '\cryptui.dll'
            - '\cryptxml.dll'
            - '\cscapi.dll'
            - '\cscobj.dll'
            - '\cscui.dll'
            - '\d2d1.dll'
            - '\d3d10_1.dll'
            - '\d3d10_1core.dll'
            - '\d3d10.dll'
            - '\d3d10core.dll'
            - '\d3d10warp.dll'
            - '\d3d11.dll'
            - '\d3d12.dll'
            - '\d3d9.dll'
            - '\d3dx9_43.dll'
            - '\dataexchange.dll'
            - '\davclnt.dll'
            - '\dcntel.dll'
            - '\dcomp.dll'
            - '\defragproxy.dll'
            - '\desktopshellext.dll'
            - '\deviceassociation.dll'
            - '\devicecredential.dll'
            - '\devicepairing.dll'
            - '\devobj.dll'
            - '\devrtl.dll'
            - '\dhcpcmonitor.dll'
            - '\dhcpcsvc.dll'
            - '\dhcpcsvc6.dll'
            - '\directmanipulation.dll'
            - '\dismapi.dll'
            - '\dismcore.dll'
            - '\dmcfgutils.dll'
            - '\dmcmnutils.dll'
            - '\dmcommandlineutils.dll'
            - '\dmenrollengine.dll'
            - '\dmenterprisediagnostics.dll'
            - '\dmiso8601utils.dll'
            - '\dmoleaututils.dll'
            - '\dmprocessxmlfiltered.dll'
            - '\dmpushproxy.dll'
            - '\dmxmlhelputils.dll'
            - '\dnsapi.dll'
            - '\dot3api.dll'
            - '\dot3cfg.dll'
            - '\dpx.dll'
            - '\drprov.dll'
            - '\drvstore.dll'
            - '\dsclient.dll'
            - '\dsparse.dll'
            - '\dsprop.dll'
            - '\dsreg.dll'
            - '\dsrole.dll'
            - '\dui70.dll'
            - '\duser.dll'
            - '\dusmapi.dll'
            - '\dwmapi.dll'
            - '\dwmcore.dll'
            - '\dwrite.dll'
            - '\dxcore.dll'
            - '\dxgi.dll'
            - '\dxva2.dll'
            - '\dynamoapi.dll'
            - '\eappcfg.dll'
            - '\eappprxy.dll'
            - '\edgeiso.dll'
            - '\edputil.dll'
            - '\efsadu.dll'
            - '\efsutil.dll'
            - '\esent.dll'
            - '\execmodelproxy.dll'
            - '\explorerframe.dll'
            - '\fastprox.dll'
            - '\faultrep.dll'
            - '\fddevquery.dll'
            - '\feclient.dll'
            - '\fhcfg.dll'
            - '\fhsvcctl.dll'
            - '\firewallapi.dll'
            - '\flightsettings.dll'
            - '\fltlib.dll'
            - '\framedynos.dll'
            - '\fveapi.dll'
            - '\fveskybackup.dll'
            - '\fvewiz.dll'
            - '\fwbase.dll'
            - '\fwcfg.dll'
            - '\fwpolicyiomgr.dll'
            - '\fwpuclnt.dll'
            - '\fxsapi.dll'
            - '\fxsst.dll'
            - '\fxstiff.dll'
            - '\getuname.dll'
            - '\gpapi.dll'
            - '\hid.dll'
            - '\hnetmon.dll'
            - '\httpapi.dll'
            - '\icmp.dll'
            - '\idstore.dll'
            - '\ieadvpack.dll'
            - '\iedkcs32.dll'
            - '\iernonce.dll'
            - '\iertutil.dll'
            - '\ifmon.dll'
            - '\ifsutil.dll'
            - '\inproclogger.dll'
            - '\iphlpapi.dll'
            - '\iri.dll'
            - '\iscsidsc.dll'
            - '\iscsium.dll'
            - '\isv.exe_rsaenh.dll'
            - '\iumbase.dll'
            - '\iumsdk.dll'
            - '\joinutil.dll'
            - '\kdstub.dll'
            - '\ksuser.dll'
            - '\ktmw32.dll'
            - '\licensemanagerapi.dll'
            - '\licensingdiagspp.dll'
            - '\linkinfo.dll'
            - '\loadperf.dll'
            - '\lockhostingframework.dll'
            - '\logoncli.dll'
            - '\logoncontroller.dll'
            - '\lpksetupproxyserv.dll'
            - '\lrwizdll.dll'
            - '\magnification.dll'
            - '\maintenanceui.dll'
            - '\mapistub.dll'
            - '\mbaexmlparser.dll'
            - '\mdmdiagnostics.dll'
            - '\mfc42u.dll'
            - '\mfcore.dll'
            - '\mfplat.dll'
            - '\mi.dll'
            - '\midimap.dll'
            - '\mintdh.dll'
            - '\miutils.dll'
            - '\mlang.dll'
            - '\mmdevapi.dll'
            - '\mobilenetworking.dll'
            - '\mpr.dll'
            - '\mprapi.dll'
            - '\mrmcorer.dll'
            - '\msacm32.dll'
            - '\mscms.dll'
            - '\mscoree.dll'
            - '\msctf.dll'
            - '\msctfmonitor.dll'
            - '\msdrm.dll'
            - '\msdtctm.dll'
            - '\msftedit.dll'
            - '\msi.dll'
            - '\msiso.dll'
            - '\msutb.dll'
            - '\msvcp110_win.dll'
            - '\mswb7.dll'
            - '\mswsock.dll'
            - '\msxml3.dll'
            - '\mtxclu.dll'
            - '\napinsp.dll'
            - '\ncrypt.dll'
            - '\ndfapi.dll'
            - '\netapi32.dll'
            - '\netid.dll'
            - '\netiohlp.dll'
            - '\netjoin.dll'
            - '\netplwiz.dll'
            - '\netprofm.dll'
            - '\netprovfw.dll'
            - '\netsetupapi.dll'
            - '\netshell.dll'
            - '\nettrace.dll'
            - '\netutils.dll'
            - '\networkexplorer.dll'
            - '\newdev.dll'
            - '\ninput.dll'
            - '\nlaapi.dll'
            - '\nlansp_c.dll'
            - '\npmproxy.dll'
            - '\nshhttp.dll'
            - '\nshipsec.dll'
            - '\nshwfp.dll'
            - '\ntdsapi.dll'
            - '\ntlanman.dll'
            - '\ntlmshared.dll'
            - '\ntmarta.dll'
            - '\ntshrui.dll'
            - '\oleacc.dll'
            - '\omadmapi.dll'
            - '\onex.dll'
            - '\opcservices.dll'
            - '\osbaseln.dll'
            - '\osksupport.dll'
            - '\osuninst.dll'
            - '\p2p.dll'
            - '\p2pnetsh.dll'
            - '\p9np.dll'
            - '\pcaui.dll'
            - '\pdh.dll'
            - '\peerdistsh.dll'
            - '\pkeyhelper.dll'
            - '\pla.dll'
            - '\playsndsrv.dll'
            - '\pnrpnsp.dll'
            - '\policymanager.dll'
            - '\polstore.dll'
            - '\powrprof.dll'
            - '\printui.dll'
            - '\prntvpt.dll'
            - '\profapi.dll'
            - '\propsys.dll'
            - '\proximitycommon.dll'
            - '\proximityservicepal.dll'
            - '\prvdmofcomp.dll'
            - '\puiapi.dll'
            - '\radcui.dll'
            - '\rasapi32.dll'
            - '\rasdlg.dll'
            - '\rasgcw.dll'
            - '\rasman.dll'
            - '\rasmontr.dll'
            - '\reagent.dll'
            - '\regapi.dll'
            - '\reseteng.dll'
            - '\resetengine.dll'
            - '\resutils.dll'
            - '\rmclient.dll'
            - '\rpcnsh.dll'
            - '\rsaenh.dll'
            - '\rtutils.dll'
            - '\rtworkq.dll'
            - '\samcli.dll'
            - '\samlib.dll'
            - '\sapi_onecore.dll'
            - '\sas.dll'
            - '\scansetting.dll'
            - '\scecli.dll'
            - '\schedcli.dll'
            - '\secur32.dll'
            - '\security.dll'
            - '\sensapi.dll'
            - '\shell32.dll'
            - '\shfolder.dll'
            - '\slc.dll'
            - '\snmpapi.dll'
            - '\spectrumsyncclient.dll'
            - '\spp.dll'
            - '\sppc.dll'
            - '\sppcext.dll'
            - '\srclient.dll'
            - '\srcore.dll'
            - '\srmtrace.dll'
            - '\srpapi.dll'
            - '\srvcli.dll'
            - '\ssp_isv.exe_rsaenh.dll'
            - '\ssp.exe_rsaenh.dll'
            - '\sspicli.dll'
            - '\ssshim.dll'
            - '\staterepository.core.dll'
            - '\structuredquery.dll'
            - '\sxshared.dll'
            - '\systemsettingsthresholdadminflowui.dll'
            - '\tapi32.dll'
            - '\tbs.dll'
            - '\tdh.dll'
            - '\textshaping.dll'
            - '\timesync.dll'
            - '\tpmcoreprovisioning.dll'
            - '\tquery.dll'
            - '\tsworkspace.dll'
            - '\ttdrecord.dll'
            - '\twext.dll'
            - '\twinapi.dll'
            - '\twinui.appcore.dll'
            - '\uianimation.dll'
            - '\uiautomationcore.dll'
            - '\uireng.dll'
            - '\uiribbon.dll'
            - '\umpdc.dll'
            - '\unattend.dll'
            - '\updatepolicy.dll'
            - '\upshared.dll'
            - '\urlmon.dll'
            - '\userenv.dll'
            - '\utildll.dll'
            - '\uxinit.dll'
            - '\uxtheme.dll'
            - '\vaultcli.dll'
            - '\vdsutil.dll'
            - '\version.dll'
            - '\virtdisk.dll'
            - '\vssapi.dll'
            - '\vsstrace.dll'
            - '\wbemprox.dll'
            - '\wbemsvc.dll'
            - '\wcmapi.dll'
            - '\wcnnetsh.dll'
            - '\wdi.dll'
            - '\wdscore.dll'
            - '\webservices.dll'
            - '\wecapi.dll'
            - '\wer.dll'
            - '\wevtapi.dll'
            - '\whhelper.dll'
            - '\wimgapi.dll'
            - '\winbio.dll'
            - '\winbrand.dll'
            - '\windows.storage.dll'
            - '\windows.storage.search.dll'
            - '\windows.ui.immersive.dll'
            - '\windowscodecs.dll'
            - '\windowscodecsext.dll'
            - '\windowsudk.shellcommon.dll'
            - '\winhttp.dll'
            - '\wininet.dll'
            - '\winipsec.dll'
            - '\winmde.dll'
            - '\winmm.dll'
            - '\winnsi.dll'
            - '\winrnr.dll'
            - '\winscard.dll'
            - '\winsqlite3.dll'
            - '\winsta.dll'
            - '\winsync.dll'
            - '\wkscli.dll'
            - '\wlanapi.dll'
            - '\wlancfg.dll'
            - '\wldp.dll'
            - '\wlidprov.dll'
            - '\wmiclnt.dll'
            - '\wmidcom.dll'
            - '\wmiutils.dll'
            - '\wmpdui.dll'
            - '\wmsgapi.dll'
            - '\wofutil.dll'
            - '\wpdshext.dll'
            - '\wscapi.dll'
            - '\wsdapi.dll'
            - '\wshbth.dll'
            - '\wshelper.dll'
            - '\wsmsvc.dll'
            - '\wtsapi32.dll'
            - '\wwancfg.dll'
            - '\wwapi.dll'
            - '\xmllite.dll'
            - '\xolehlp.dll'
            - '\xpsservices.dll'
            - '\xwizards.dll'
            - '\xwtpw32.dll'
            # From https://github.com/XForceIR/SideLoadHunter/blob/main/SideLoads/README.md
            - '\amsi.dll'
            - '\appraiser.dll'
            - '\COMRES.DLL'
            - '\cryptnet.dll'
            - '\DispBroker.dll'
            - '\dsound.dll'
            - '\dxilconv.dll'
            - '\FxsCompose.dll'
            - '\FXSRESM.DLL'
            - '\msdtcVSp1res.dll'
            - '\PrintIsolationProxy.dll'
            - '\rdpendp.dll'
            - '\rpchttp.dll'
            - '\storageusage.dll'
            - '\utcutil.dll'
            - '\WfsR.dll'
            # The DLLs below exist in the "C:\Windows\System32\DriverStore\FileRepository\" folder, but a copy is also located in "C:\ProgramData\Package Cache\XXXXXXX\Graphics\". If you see them being loaded from there, comment them out rather than adding a filter for ProgramData :)
            - '\igd10iumd64.dll'
            - '\igd12umd64.dll'
            - '\igdumdim64.dll'
            - '\igdusc64.dll'
            # Other
            - '\TSMSISrv.dll'
            - '\TSVIPSrv.dll'
            - '\wbemcomn.dll'
            - '\WLBSCTRL.dll'
            - '\wow64log.dll'
            - '\WptsExtensions.dll'
    filter_main_generic:
        # Note: this filter is generic on purpose to avoid an insane amount of FPs from legitimate third-party applications. A better approach would be to baseline everything and add specific filters to avoid blind spots
        ImageLoaded|contains:
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemTemp\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\SyChpe32\' # "hybrid" binaries containing x86-to-ARM stubs to improve x86 emulation performance
    filter_main_windows_temp:
        ImageLoaded|startswith: 'C:\Windows\Temp\'
        Image|startswith:
            - 'C:\Windows\WinSxS\arm64'
            - 'C:\Windows\UUS\arm64\'
        Image|endswith:
            - '\TiWorker.exe'
            - '\wuaucltcore.exe'
    filter_main_dot_net:
        ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\'
        ImageLoaded|endswith: '\cscui.dll'
    filter_main_defender:
        ImageLoaded|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        ImageLoaded|endswith: '\version.dll'
    filter_main_directx:
        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\Microsoft.DirectXRuntime_'
        ImageLoaded|endswith: '\d3dx9_43.dll'
    filter_optional_exchange:
        ImageLoaded|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
        ImageLoaded|endswith: '\mswb7.dll'
    filter_optional_arsenal_image_mounter:
        ImageLoaded|startswith: 'C:\Program Files\Arsenal-Image-Mounter-'
        ImageLoaded|endswith:
            - '\mi.dll'
            - '\miutils.dll' # was '\miutils.dl' (typo), which could never match the miutils.dll entry in the selection
    filter_optional_office_appvpolicy:
        Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
        ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
    filter_optional_azure:
        ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
    filter_optional_dell:
        Image|contains:
            - 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
            - 'C:\Windows\System32\backgroundTaskHost.exe'
        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
    filter_optional_dell_wldp:
        # Note: Image is the path of the loading process (an executable), so 'Image|endswith: \wldp.dll' cannot match an image_load event as written; if the DLL path is meant, ImageLoaded|endswith is the field that carries it
        Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
        Image|endswith: '\wldp.dll'
    filter_optional_checkpoint:
        Image|startswith:
            - 'C:\Program Files\CheckPoint\'
            - 'C:\Program Files (x86)\CheckPoint\'
        Image|endswith: '\SmartConsole.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files\CheckPoint\'
            - 'C:\Program Files (x86)\CheckPoint\'
        ImageLoaded|endswith: '\PolicyManager.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate applications loading their own versions of the DLLs mentioned in this rule
level: high
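A worked evaluation of the rule's condition over constructed image-load events, added here as an example (not code from the Sigma project or the rule's author). It implements the string modifiers the rule uses and the `selection and not 1 of filter_main_* and not 1 of filter_optional_*` condition on a trimmed copy of the rule, and shows why the C:\Windows\Temp filter only suppresses a load when every one of its keys holds. The DLL list and filter set are shortened, and the process and DLL paths are constructed samples.

```python
"""Evaluate the rule's condition over constructed image-load events.

Minimal evaluator for the Sigma modifiers this rule uses (endswith,
startswith, contains and plain equality) and for the condition
    selection and not 1 of filter_main_* and not 1 of filter_optional_*
The rule copy below is trimmed to a few DLLs and filters from the page.
"""

# Trimmed copy of the rule's detection section (field names as in Sysmon EID 7).
DETECTION = {
    "selection": {
        "ImageLoaded|endswith": [
            "\\version.dll", "\\iphlpapi.dll", "\\COMRES.DLL", "\\appvpolicy.dll",
        ],
    },
    "filter_main_generic": {
        "ImageLoaded|contains": [
            "C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\", "C:\\Windows\\WinSxS\\",
        ],
    },
    # Every key inside one filter must hold (AND); a list of values is OR.
    "filter_main_windows_temp": {
        "ImageLoaded|startswith": "C:\\Windows\\Temp\\",
        "Image|startswith": ["C:\\Windows\\WinSxS\\arm64", "C:\\Windows\\UUS\\arm64\\"],
        "Image|endswith": ["\\TiWorker.exe", "\\wuaucltcore.exe"],
    },
    "filter_main_defender": {
        "ImageLoaded|startswith": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\",
        "ImageLoaded|endswith": "\\version.dll",
    },
    "filter_optional_office_appvpolicy": {  # no modifier: exact (case-insensitive) match
        "Image": "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe",
        "ImageLoaded": "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll",
    },
}


def match_value(modifier, value, pattern):
    """Apply one Sigma string modifier. Sigma matching is case-insensitive, which is
    why the KQL translation uses endswith/contains/=~ and not the _cs variants."""
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    if modifier == "":
        return v == p
    raise ValueError(f"unsupported modifier: {modifier}")


def search_matches(search, event):
    """True when every field/modifier pair of one search identifier matches the event."""
    for key, patterns in search.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None:
            return False
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(match_value(modifier, value, p) for p in patterns):
            return False
    return True


def evaluate(event, detection=DETECTION):
    """Return True when the event should alert under the rule's condition."""
    if not search_matches(detection["selection"], event):
        return False
    for name, search in detection.items():
        if name.startswith(("filter_main_", "filter_optional_")) and search_matches(search, event):
            return False
    return True


# Constructed sample events: loading process in Image, loaded DLL in ImageLoaded.
EVENTS = [
    # version.dll beside an executable in a user-writable folder: alert.
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll"},
    # The genuine copy in System32: dropped by filter_main_generic.
    {"Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll"},
    # Defender's own platform copy: dropped by filter_main_defender.
    {"Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0-0\\MsMpEng.exe",
     "ImageLoaded": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0-0\\version.dll"},
    # Mixed-case file name still hits the '\COMRES.DLL' entry: alert.
    {"Image": "C:\\Tools\\viewer.exe", "ImageLoaded": "C:\\Tools\\ComRes.dll"},
    # TiWorker from an arm64 WinSxS folder loading out of C:\Windows\Temp: all three
    # keys of filter_main_windows_temp hold, so the load is suppressed.
    {"Image": "C:\\Windows\\WinSxS\\arm64_servicingstack_sample\\TiWorker.exe",
     "ImageLoaded": "C:\\Windows\\Temp\\iphlpapi.dll"},
    # Same DLL from C:\Windows\Temp but an unrelated loader: the temp filter needs
    # every key, so this one alerts.
    {"Image": "C:\\Windows\\Temp\\setup.exe", "ImageLoaded": "C:\\Windows\\Temp\\iphlpapi.dll"},
    # Office ClickToRun loading its own AppVPolicy.dll: exact-match optional filter.
    {"Image": "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe",
     "ImageLoaded": "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll"},
]


def alerts(events=EVENTS):
    """Return the ImageLoaded paths of the events that survive the condition."""
    return [e["ImageLoaded"] for e in events if evaluate(e)]


if __name__ == "__main__":
    for path in alerts():
        print("ALERT", path)
```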
KQL Query
DeviceImageLoadEvents
| where (FolderPath endswith "\\aclui.dll" or FolderPath endswith "\\activeds.dll" or FolderPath endswith "\\adsldpc.dll" or FolderPath endswith "\\aepic.dll" or FolderPath endswith "\\apphelp.dll" or FolderPath endswith "\\applicationframe.dll" or FolderPath endswith "\\appvpolicy.dll" or FolderPath endswith "\\appxalluserstore.dll" or FolderPath endswith "\\appxdeploymentclient.dll" or FolderPath endswith "\\archiveint.dll" or FolderPath endswith "\\atl.dll" or FolderPath endswith "\\audioses.dll" or FolderPath endswith "\\auditpolcore.dll" or FolderPath endswith "\\authfwcfg.dll" or FolderPath endswith "\\authz.dll" or FolderPath endswith "\\avrt.dll" or FolderPath endswith "\\batmeter.dll" or FolderPath endswith "\\bcd.dll" or FolderPath endswith "\\bcp47langs.dll" or FolderPath endswith "\\bcp47mrm.dll" or FolderPath endswith "\\bcrypt.dll" or FolderPath endswith "\\bderepair.dll" or FolderPath endswith "\\bootmenuux.dll" or FolderPath endswith "\\bootux.dll" or FolderPath endswith "\\cabinet.dll" or FolderPath endswith "\\cabview.dll" or FolderPath endswith "\\certcli.dll" or FolderPath endswith "\\certenroll.dll" or FolderPath endswith "\\cfgmgr32.dll" or FolderPath endswith "\\cldapi.dll" or FolderPath endswith "\\clipc.dll" or FolderPath endswith "\\clusapi.dll" or FolderPath endswith "\\cmpbk32.dll" or FolderPath endswith "\\cmutil.dll" or FolderPath endswith "\\coloradapterclient.dll" or FolderPath endswith "\\colorui.dll" or FolderPath endswith "\\comdlg32.dll" or FolderPath endswith "\\configmanager2.dll" or FolderPath endswith "\\connect.dll" or FolderPath endswith "\\coredplus.dll" or FolderPath endswith "\\coremessaging.dll" or FolderPath endswith "\\coreuicomponents.dll" or FolderPath endswith "\\credui.dll" or FolderPath endswith "\\cryptbase.dll" or FolderPath endswith "\\cryptdll.dll" or FolderPath endswith "\\cryptsp.dll" or FolderPath endswith "\\cryptui.dll" or FolderPath endswith "\\cryptxml.dll" or FolderPath endswith "\\cscapi.dll" or 
FolderPath endswith "\\cscobj.dll" or FolderPath endswith "\\cscui.dll" or FolderPath endswith "\\d2d1.dll" or FolderPath endswith "\\d3d10_1.dll" or FolderPath endswith "\\d3d10_1core.dll" or FolderPath endswith "\\d3d10.dll" or FolderPath endswith "\\d3d10core.dll" or FolderPath endswith "\\d3d10warp.dll" or FolderPath endswith "\\d3d11.dll" or FolderPath endswith "\\d3d12.dll" or FolderPath endswith "\\d3d9.dll" or FolderPath endswith "\\d3dx9_43.dll" or FolderPath endswith "\\dataexchange.dll" or FolderPath endswith "\\davclnt.dll" or FolderPath endswith "\\dcntel.dll" or FolderPath endswith "\\dcomp.dll" or FolderPath endswith "\\defragproxy.dll" or FolderPath endswith "\\desktopshellext.dll" or FolderPath endswith "\\deviceassociation.dll" or FolderPath endswith "\\devicecredential.dll" or FolderPath endswith "\\devicepairing.dll" or FolderPath endswith "\\devobj.dll" or FolderPath endswith "\\devrtl.dll" or FolderPath endswith "\\dhcpcmonitor.dll" or FolderPath endswith "\\dhcpcsvc.dll" or FolderPath endswith "\\dhcpcsvc6.dll" or FolderPath endswith "\\directmanipulation.dll" or FolderPath endswith "\\dismapi.dll" or FolderPath endswith "\\dismcore.dll" or FolderPath endswith "\\dmcfgutils.dll" or FolderPath endswith "\\dmcmnutils.dll" or FolderPath endswith "\\dmcommandlineutils.dll" or FolderPath endswith "\\dmenrollengine.dll" or FolderPath endswith "\\dmenterprisediagnostics.dll" or FolderPath endswith "\\dmiso8601utils.dll" or FolderPath endswith "\\dmoleaututils.dll" or FolderPath endswith "\\dmprocessxmlfiltered.dll" or FolderPath endswith "\\dmpushproxy.dll" or FolderPath endswith "\\dmxmlhelputils.dll" or FolderPath endswith "\\dnsapi.dll" or FolderPath endswith "\\dot3api.dll" or FolderPath endswith "\\dot3cfg.dll" or FolderPath endswith "\\dpx.dll" or FolderPath endswith "\\drprov.dll" or FolderPath endswith "\\drvstore.dll" or FolderPath endswith "\\dsclient.dll" or FolderPath endswith "\\dsparse.dll" or FolderPath endswith "\\dsprop.dll" or 
FolderPath endswith "\\dsreg.dll" or FolderPath endswith "\\dsrole.dll" or FolderPath endswith "\\dui70.dll" or FolderPath endswith "\\duser.dll" or FolderPath endswith "\\dusmapi.dll" or FolderPath endswith "\\dwmapi.dll" or FolderPath endswith "\\dwmcore.dll" or FolderPath endswith "\\dwrite.dll" or FolderPath endswith "\\dxcore.dll" or FolderPath endswith "\\dxgi.dll" or FolderPath endswith "\\dxva2.dll" or FolderPath endswith "\\dynamoapi.dll" or FolderPath endswith "\\eappcfg.dll" or FolderPath endswith "\\eappprxy.dll" or FolderPath endswith "\\edgeiso.dll" or FolderPath endswith "\\edputil.dll" or FolderPath endswith "\\efsadu.dll" or FolderPath endswith "\\efsutil.dll" or FolderPath endswith "\\esent.dll" or FolderPath endswith "\\execmodelproxy.dll" or FolderPath endswith "\\explorerframe.dll" or FolderPath endswith "\\fastprox.dll" or FolderPath endswith "\\faultrep.dll" or FolderPath endswith "\\fddevquery.dll" or FolderPath endswith "\\feclient.dll" or FolderPath endswith "\\fhcfg.dll" or FolderPath endswith "\\fhsvcctl.dll" or FolderPath endswith "\\firewallapi.dll" or FolderPath endswith "\\flightsettings.dll" or FolderPath endswith "\\fltlib.dll" or FolderPath endswith "\\framedynos.dll" or FolderPath endswith "\\fveapi.dll" or FolderPath endswith "\\fveskybackup.dll" or FolderPath endswith "\\fvewiz.dll" or FolderPath endswith "\\fwbase.dll" or FolderPath endswith "\\fwcfg.dll" or FolderPath endswith "\\fwpolicyiomgr.dll" or FolderPath endswith "\\fwpuclnt.dll" or FolderPath endswith "\\fxsapi.dll" or FolderPath endswith "\\fxsst.dll" or FolderPath endswith "\\fxstiff.dll" or FolderPath endswith "\\getuname.dll" or FolderPath endswith "\\gpapi.dll" or FolderPath endswith "\\hid.dll" or FolderPath endswith "\\hnetmon.dll" or FolderPath endswith "\\httpapi.dll" or FolderPath endswith "\\icmp.dll" or FolderPath endswith "\\idstore.dll" or FolderPath endswith "\\ieadvpack.dll" or FolderPath endswith "\\iedkcs32.dll" or FolderPath endswith 
"\\iernonce.dll" or FolderPath endswith "\\iertutil.dll" or FolderPath endswith "\\ifmon.dll" or FolderPath endswith "\\ifsutil.dll" or FolderPath endswith "\\inproclogger.dll" or FolderPath endswith "\\iphlpapi.dll" or FolderPath endswith "\\iri.dll" or FolderPath endswith "\\iscsidsc.dll" or FolderPath endswith "\\iscsium.dll" or FolderPath endswith "\\isv.exe_rsaenh.dll" or FolderPath endswith "\\iumbase.dll" or FolderPath endswith "\\iumsdk.dll" or FolderPath endswith "\\joinutil.dll" or FolderPath endswith "\\kdstub.dll" or FolderPath endswith "\\ksuser.dll" or FolderPath endswith "\\ktmw32.dll" or FolderPath endswith "\\licensemanagerapi.dll" or FolderPath endswith "\\licensingdiagspp.dll" or FolderPath endswith "\\linkinfo.dll" or FolderPath endswith "\\loadperf.dll" or FolderPath endswith "\\lockhostingframework.dll" or FolderPath endswith "\\logoncli.dll" or FolderPath endswith "\\logoncontroller.dll" or FolderPath endswith "\\lpksetupproxyserv.dll" or FolderPath endswith "\\lrwizdll.dll" or FolderPath endswith "\\magnification.dll" or FolderPath endswith "\\maintenanceui.dll" or FolderPath endswith "\\mapistub.dll" or FolderPath endswith "\\mbaexmlparser.dll" or FolderPath endswith "\\mdmdiagnostics.dll" or FolderPath endswith "\\mfc42u.dll" or FolderPath endswith "\\mfcore.dll" or FolderPath endswith "\\mfplat.dll" or FolderPath endswith "\\mi.dll" or FolderPath endswith "\\midimap.dll" or FolderPath endswith "\\mintdh.dll" or FolderPath endswith "\\miutils.dll" or FolderPath endswith "\\mlang.dll" or FolderPath endswith "\\mmdevapi.dll" or FolderPath endswith "\\mobilenetworking.dll" or FolderPath endswith "\\mpr.dll" or FolderPath endswith "\\mprapi.dll" or FolderPath endswith "\\mrmcorer.dll" or FolderPath endswith "\\msacm32.dll" or FolderPath endswith "\\mscms.dll" or FolderPath endswith "\\mscoree.dll" or FolderPath endswith "\\msctf.dll" or FolderPath endswith "\\msctfmonitor.dll" or FolderPath endswith "\\msdrm.dll" or FolderPath endswith 
"\\msdtctm.dll" or FolderPath endswith "\\msftedit.dll" or FolderPath endswith "\\msi.dll" or FolderPath endswith "\\msiso.dll" or FolderPath endswith "\\msutb.dll" or FolderPath endswith "\\msvcp110_win.dll" or FolderPath endswith "\\mswb7.dll" or FolderPath endswith "\\mswsock.dll" or FolderPath endswith "\\msxml3.dll" or FolderPath endswith "\\mtxclu.dll" or FolderPath endswith "\\napinsp.dll" or FolderPath endswith "\\ncrypt.dll" or FolderPath endswith "\\ndfapi.dll" or FolderPath endswith "\\netapi32.dll" or FolderPath endswith "\\netid.dll" or FolderPath endswith "\\netiohlp.dll" or FolderPath endswith "\\netjoin.dll" or FolderPath endswith "\\netplwiz.dll" or FolderPath endswith "\\netprofm.dll" or FolderPath endswith "\\netprovfw.dll" or FolderPath endswith "\\netsetupapi.dll" or FolderPath endswith "\\netshell.dll" or FolderPath endswith "\\nettrace.dll" or FolderPath endswith "\\netutils.dll" or FolderPath endswith "\\networkexplorer.dll" or FolderPath endswith "\\newdev.dll" or FolderPath endswith "\\ninput.dll" or FolderPath endswith "\\nlaapi.dll" or FolderPath endswith "\\nlansp_c.dll" or FolderPath endswith "\\npmproxy.dll" or FolderPath endswith "\\nshhttp.dll" or FolderPath endswith "\\nshipsec.dll" or FolderPath endswith "\\nshwfp.dll" or FolderPath endswith "\\ntdsapi.dll" or FolderPath endswith "\\ntlanman.dll" or FolderPath endswith "\\ntlmshared.dll" or FolderPath endswith "\\ntmarta.dll" or FolderPath endswith "\\ntshrui.dll" or FolderPath endswith "\\oleacc.dll" or FolderPath endswith "\\omadmapi.dll" or FolderPath endswith "\\onex.dll" or FolderPath endswith "\\opcservices.dll" or FolderPath endswith "\\osbaseln.dll" or FolderPath endswith "\\osksupport.dll" or FolderPath endswith "\\osuninst.dll" or FolderPath endswith "\\p2p.dll" or FolderPath endswith "\\p2pnetsh.dll" or FolderPath endswith "\\p9np.dll" or FolderPath endswith "\\pcaui.dll" or FolderPath endswith "\\pdh.dll" or FolderPath endswith "\\peerdistsh.dll" or FolderPath endswith 
"\\pkeyhelper.dll" or FolderPath endswith "\\pla.dll" or FolderPath endswith "\\playsndsrv.dll" or FolderPath endswith "\\pnrpnsp.dll" or FolderPath endswith "\\policymanager.dll" or FolderPath endswith "\\polstore.dll" or FolderPath endswith "\\powrprof.dll" or FolderPath endswith "\\printui.dll" or FolderPath endswith "\\prntvpt.dll" or FolderPath endswith "\\profapi.dll" or FolderPath endswith "\\propsys.dll" or FolderPath endswith "\\proximitycommon.dll" or FolderPath endswith "\\proximityservicepal.dll" or FolderPath endswith "\\prvdmofcomp.dll" or FolderPath endswith "\\puiapi.dll" or FolderPath endswith "\\radcui.dll" or FolderPath endswith "\\rasapi32.dll" or FolderPath endswith "\\rasdlg.dll" or FolderPath endswith "\\rasgcw.dll" or FolderPath endswith "\\rasman.dll" or FolderPath endswith "\\rasmontr.dll" or FolderPath endswith "\\reagent.dll" or FolderPath endswith "\\regapi.dll" or FolderPath endswith "\\reseteng.dll" or FolderPath endswith "\\resetengine.dll" or FolderPath endswith "\\resutils.dll" or FolderPath endswith "\\rmclient.dll" or FolderPath endswith "\\rpcnsh.dll" or FolderPath endswith "\\rsaenh.dll" or FolderPath endswith "\\rtutils.dll" or FolderPath endswith "\\rtworkq.dll" or FolderPath endswith "\\samcli.dll" or FolderPath endswith "\\samlib.dll" or FolderPath endswith "\\sapi_onecore.dll" or FolderPath endswith "\\sas.dll" or FolderPath endswith "\\scansetting.dll" or FolderPath endswith "\\scecli.dll" or FolderPath endswith "\\schedcli.dll" or FolderPath endswith "\\secur32.dll" or FolderPath endswith "\\security.dll" or FolderPath endswith "\\sensapi.dll" or FolderPath endswith "\\shell32.dll" or FolderPath endswith "\\shfolder.dll" or FolderPath endswith "\\slc.dll" or FolderPath endswith "\\snmpapi.dll" or FolderPath endswith "\\spectrumsyncclient.dll" or FolderPath endswith "\\spp.dll" or FolderPath endswith "\\sppc.dll" or FolderPath endswith "\\sppcext.dll" or FolderPath endswith "\\srclient.dll" or FolderPath endswith 
"\\srcore.dll" or FolderPath endswith "\\srmtrace.dll" or FolderPath endswith "\\srpapi.dll" or FolderPath endswith "\\srvcli.dll" or FolderPath endswith "\\ssp_isv.exe_rsaenh.dll" or FolderPath endswith "\\ssp.exe_rsaenh.dll" or FolderPath endswith "\\sspicli.dll" or FolderPath endswith "\\ssshim.dll" or FolderPath endswith "\\staterepository.core.dll" or FolderPath endswith "\\structuredquery.dll" or FolderPath endswith "\\sxshared.dll" or FolderPath endswith "\\systemsettingsthresholdadminflowui.dll" or FolderPath endswith "\\tapi32.dll" or FolderPath endswith "\\tbs.dll" or FolderPath endswith "\\tdh.dll" or FolderPath endswith "\\textshaping.dll" or FolderPath endswith "\\timesync.dll" or FolderPath endswith "\\tpmcoreprovisioning.dll" or FolderPath endswith "\\tquery.dll" or FolderPath endswith "\\tsworkspace.dll" or FolderPath endswith "\\ttdrecord.dll" or FolderPath endswith "\\twext.dll" or FolderPath endswith "\\twinapi.dll" or FolderPath endswith "\\twinui.appcore.dll" or FolderPath endswith "\\uianimation.dll" or FolderPath endswith "\\uiautomationcore.dll" or FolderPath endswith "\\uireng.dll" or FolderPath endswith "\\uiribbon.dll" or FolderPath endswith "\\umpdc.dll" or FolderPath endswith "\\unattend.dll" or FolderPath endswith "\\updatepolicy.dll" or FolderPath endswith "\\upshared.dll" or FolderPath endswith "\\urlmon.dll" or FolderPath endswith "\\userenv.dll" or FolderPath endswith "\\utildll.dll" or FolderPath endswith "\\uxinit.dll" or FolderPath endswith "\\uxtheme.dll" or FolderPath endswith "\\vaultcli.dll" or FolderPath endswith "\\vdsutil.dll" or FolderPath endswith "\\version.dll" or FolderPath endswith "\\virtdisk.dll" or FolderPath endswith "\\vssapi.dll" or FolderPath endswith "\\vsstrace.dll" or FolderPath endswith "\\wbemprox.dll" or FolderPath endswith "\\wbemsvc.dll" or FolderPath endswith "\\wcmapi.dll" or FolderPath endswith "\\wcnnetsh.dll" or FolderPath endswith "\\wdi.dll" or FolderPath endswith "\\wdscore.dll" or FolderPath 
endswith "\\webservices.dll" or FolderPath endswith "\\wecapi.dll" or FolderPath endswith "\\wer.dll" or FolderPath endswith "\\wevtapi.dll" or FolderPath endswith "\\whhelper.dll" or FolderPath endswith "\\wimgapi.dll" or FolderPath endswith "\\winbio.dll" or FolderPath endswith "\\winbrand.dll" or FolderPath endswith "\\windows.storage.dll" or FolderPath endswith "\\windows.storage.search.dll" or FolderPath endswith "\\windows.ui.immersive.dll" or FolderPath endswith "\\windowscodecs.dll" or FolderPath endswith "\\windowscodecsext.dll" or FolderPath endswith "\\windowsudk.shellcommon.dll" or FolderPath endswith "\\winhttp.dll" or FolderPath endswith "\\wininet.dll" or FolderPath endswith "\\winipsec.dll" or FolderPath endswith "\\winmde.dll" or FolderPath endswith "\\winmm.dll" or FolderPath endswith "\\winnsi.dll" or FolderPath endswith "\\winrnr.dll" or FolderPath endswith "\\winscard.dll" or FolderPath endswith "\\winsqlite3.dll" or FolderPath endswith "\\winsta.dll" or FolderPath endswith "\\winsync.dll" or FolderPath endswith "\\wkscli.dll" or FolderPath endswith "\\wlanapi.dll" or FolderPath endswith "\\wlancfg.dll" or FolderPath endswith "\\wldp.dll" or FolderPath endswith "\\wlidprov.dll" or FolderPath endswith "\\wmiclnt.dll" or FolderPath endswith "\\wmidcom.dll" or FolderPath endswith "\\wmiutils.dll" or FolderPath endswith "\\wmpdui.dll" or FolderPath endswith "\\wmsgapi.dll" or FolderPath endswith "\\wofutil.dll" or FolderPath endswith "\\wpdshext.dll" or FolderPath endswith "\\wscapi.dll" or FolderPath endswith "\\wsdapi.dll" or FolderPath endswith "\\wshbth.dll" or FolderPath endswith "\\wshelper.dll" or FolderPath endswith "\\wsmsvc.dll" or FolderPath endswith "\\wtsapi32.dll" or FolderPath endswith "\\wwancfg.dll" or FolderPath endswith "\\wwapi.dll" or FolderPath endswith "\\xmllite.dll" or FolderPath endswith "\\xolehlp.dll" or FolderPath endswith "\\xpsservices.dll" or FolderPath endswith "\\xwizards.dll" or FolderPath endswith "\\xwtpw32.dll" 
or FolderPath endswith "\\amsi.dll" or FolderPath endswith "\\appraiser.dll" or FolderPath endswith "\\COMRES.DLL" or FolderPath endswith "\\cryptnet.dll" or FolderPath endswith "\\DispBroker.dll" or FolderPath endswith "\\dsound.dll" or FolderPath endswith "\\dxilconv.dll" or FolderPath endswith "\\FxsCompose.dll" or FolderPath endswith "\\FXSRESM.DLL" or FolderPath endswith "\\msdtcVSp1res.dll" or FolderPath endswith "\\PrintIsolationProxy.dll" or FolderPath endswith "\\rdpendp.dll" or FolderPath endswith "\\rpchttp.dll" or FolderPath endswith "\\storageusage.dll" or FolderPath endswith "\\utcutil.dll" or FolderPath endswith "\\WfsR.dll" or FolderPath endswith "\\igd10iumd64.dll" or FolderPath endswith "\\igd12umd64.dll" or FolderPath endswith "\\igdumdim64.dll" or FolderPath endswith "\\igdusc64.dll" or FolderPath endswith "\\TSMSISrv.dll" or FolderPath endswith "\\TSVIPSrv.dll" or FolderPath endswith "\\wbemcomn.dll" or FolderPath endswith "\\WLBSCTRL.dll" or FolderPath endswith "\\wow64log.dll" or FolderPath endswith "\\WptsExtensions.dll") and (not(((FolderPath contains "C:\\$WINDOWS.~BT\\" or FolderPath contains "C:\\$WinREAgent\\" or FolderPath contains "C:\\Windows\\SoftwareDistribution\\" or FolderPath contains "C:\\Windows\\System32\\" or FolderPath contains "C:\\Windows\\SystemTemp\\" or FolderPath contains "C:\\Windows\\SysWOW64\\" or FolderPath contains "C:\\Windows\\WinSxS\\" or FolderPath contains "C:\\Windows\\SyChpe32\\") or (FolderPath startswith "C:\\Windows\\Temp\\" and (InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\arm64" or InitiatingProcessFolderPath startswith "C:\\Windows\\UUS\\arm64\\") and (InitiatingProcessFolderPath endswith "\\TiWorker.exe" or InitiatingProcessFolderPath endswith "\\wuaucltcore.exe")) or (FolderPath startswith "C:\\Windows\\Microsoft.NET\\" and FolderPath endswith "\\cscui.dll") or (FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" and FolderPath endswith "\\version.dll") 
or (FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.DirectXRuntime_" and FolderPath endswith "\\d3dx9_43.dll")))) and (not(((FolderPath startswith "C:\\Program Files\\Microsoft\\Exchange Server\\" and FolderPath endswith "\\mswb7.dll") or (FolderPath startswith "C:\\Program Files\\Arsenal-Image-Mounter-" and (FolderPath endswith "\\mi.dll" or FolderPath endswith "\\miutils.dll")) or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" and FolderPath =~ "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll") or FolderPath startswith "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or ((InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" or InitiatingProcessFolderPath contains "C:\\Windows\\System32\\backgroundTaskHost.exe") and FolderPath startswith "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs") or (InitiatingProcessFolderPath startswith "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" and InitiatingProcessFolderPath endswith "\\wldp.dll") or ((InitiatingProcessFolderPath startswith "C:\\Program Files\\CheckPoint\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CheckPoint\\") and InitiatingProcessFolderPath endswith "\\SmartConsole.exe" and (FolderPath startswith "C:\\Program Files\\CheckPoint\\" or FolderPath startswith "C:\\Program Files (x86)\\CheckPoint\\") and FolderPath endswith "\\PolicyManager.dll"))))
False Positive Scenarios
Scenario: System Update or Patch Installation
Description: A legitimate system update or patch may temporarily place DLLs in non-system directories during installation.
Filter/Exclusion: Check for processes associated with Windows Update (svchost.exe with wuauserv service) or msiexec.exe during patch installation.
Scenario: Scheduled Task Running a Custom Script
Description: A scheduled task may execute a script that dynamically loads a DLL from a non-system directory as part of a legitimate automation process.
Filter/Exclusion: Exclude processes running under a known scheduled task ID (e.g., TaskScheduler or specific task names) or filter by user context (e.g., SYSTEM or a known service account).
Scenario: Antivirus or Security Software Performing a Scan
Description: Antivirus tools like Malwarebytes, Bitdefender, or Kaspersky may temporarily copy or load DLLs from non-system directories during a scan.
Filter/Exclusion: Exclude processes associated with known antivirus vendors (e.g., mbam.exe, bdss.exe, kavsvc.exe) or filter by process name.
Scenario: Admin Task Using dllhost.exe for COM Interop
Description: Administrators may use dllhost.exe to host COM components from non-system directories as part of a legitimate application integration.
Filter/Exclusion: Exclude processes with dllhost.exe that are known to be used by enterprise applications or filter by the specific COM server being hosted.
Scenario: Development Environment Using Local DLLs
Description: Developers may place custom DLLs in project directories for testing or debugging, which can trigger the rule.
Filter/Exclusion: Exclude processes running from development directories (e.g., `C:\Users\Dev\