This note documents detection patterns related to DLL Hijacking / DLL Proxying within Windows environments.
## Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Sysmon | 7 | Image loaded | Critical | Primary telemetry for suspicious DLL load path anomalies. |
| Sysmon | 1 | Process creation | Critical | Shows vulnerable executable launching before malicious DLL load. |
| Security | 4688 | Process creation | High | Correlates triggering binary and user context. |
| Sysmon | 11 | File create | Critical | Detect malicious DLL placement in hijack path. |
| Sysmon | 23 | File delete | Medium | Cleanup after execution. |
| Sysmon | 13 | Registry value set | High | Registry redirection may support hijack path manipulation. |
| Sysmon | 12 | Registry object create/delete | Medium | Side indicator if COM/DLL registration involved. |
| Sysmon | 10 | Process access | Medium | Supports chained injection after load. |
## Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Unsigned DLL loaded from writable path | Temp, user profile, app folder | Critical | Strong hijack signal. |
| Legitimate EXE loads DLL from local directory | Local folder before system path | Critical | Classic search order abuse. |
| New DLL beside signed binary | Same timestamp proximity | Critical | Very common hijack pattern. |
| DLL name matches known dependency | version.dll, winmm.dll, dbghelp.dll | High | Frequent attacker choice. |
| Process starts then outbound connection begins | DLL payload activates beacon | High | Common proxy DLL behavior. |
| Legitimate app crashes but child survives | Proxy DLL exports partial functions | Medium | Operational clue. |
| Rare DLL loaded by signed binary | Baseline deviation | High | Valuable in EDR hunts. |
## Common Tools
| Tool | Usage |
|---|---|
| rundll32.exe | Trigger malicious DLL directly |
| regsvr32.exe | Register proxy DLL |
| custom loader | Launch signed vulnerable EXE |
| ProcMon | Observe DLL load order |
| Process Explorer | Loaded module inspection |
| PowerShell | Drop DLL into target path |
| accesschk.exe | Verify writable folders |
## Relevant Artifacts
- Sysmon Event ID 7
- Sysmon Event ID 11
- Sysmon Event ID 1
- Security Event ID 4688
- Prefetch for triggering EXE
- Amcache for dropped DLL
- ShimCache for execution history
- MFT / USN Journal for DLL creation
- PE metadata of malicious DLL
- Export table anomalies
- EDR module load telemetry
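The "export table anomalies" artifact above and the "proxy DLL exports partial functions" indicator both come down to reading the PE export directory. The following is an added example, not code from the original note: it parses the export directory of a PE image by hand (no `pefile` dependency), distinguishes forwarded exports (an export whose RVA points back inside the export directory and resolves to a `module.Function` string) from in-image functions, and compares the result with the export list of the genuine DLL. The sample image is built in-process by `build_synthetic_dll`, a constructed helper that emits a minimal PE32+ file with a single `.edata` section; `version_orig` as a forwarder target and the `Run` export are constructed values, and `LEGIT_VERSION_EXPORTS` is only a subset of the real version.dll export list used as the baseline.

```python
"""Parse a PE export directory and look for proxy-DLL traits (forwarders, partial exports)."""
import struct
from collections import Counter


def build_synthetic_dll(exports):
    """Constructed sample: a minimal PE32+ image whose only section is an export directory.
    exports maps name -> forwarder string ("target.Func") or None for an in-image function."""
    names = sorted(exports)
    n, sec_rva = len(names), 0x200
    off_funcs, off_names, off_ords, off_str = 40, 40 + 4 * n, 40 + 8 * n, 40 + 10 * n
    strings = bytearray(b"sample.dll\0")
    name_rvas, func_rvas = [], []
    for nm in names:
        name_rvas.append(sec_rva + off_str + len(strings))
        strings += nm.encode() + b"\0"
    for i, nm in enumerate(names):
        if exports[nm] is None:
            func_rvas.append(0x1000 + 0x10 * i)                 # fake code RVA outside export dir
        else:
            func_rvas.append(sec_rva + off_str + len(strings))  # forwarder: RVA points at a string
            strings += exports[nm].encode() + b"\0"
    size = off_str + len(strings)
    sec = bytearray(40)  # IMAGE_EXPORT_DIRECTORY
    struct.pack_into("<IIHHIIIIIII", sec, 0, 0, 0, 0, 0, sec_rva + off_str, 1, n, n,
                     sec_rva + off_funcs, sec_rva + off_names, sec_rva + off_ords)
    sec += struct.pack(f"<{n}I", *func_rvas) + struct.pack(f"<{n}I", *name_rvas)
    sec += struct.pack(f"<{n}H", *range(n)) + strings
    hdr = bytearray(sec_rva)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                   # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x2022)  # COFF header
    struct.pack_into("<H", hdr, 0x58, 0x20B)                                  # PE32+ magic
    struct.pack_into("<I", hdr, 0x58 + 108, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, 0x58 + 112, sec_rva, size)                   # DataDirectory[0]
    struct.pack_into("<8sIIII", hdr, 0x58 + 240, b".edata", size, sec_rva, size, sec_rva)
    return bytes(hdr + sec)


def parse_exports(data):
    """Return {export_name: forwarder_string_or_None} from a PE image's export directory."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)          # DataDirectory start (PE32+ vs PE32)
    exp_rva, exp_size = struct.unpack_from("<II", data, dd)
    sections = []                                        # (VirtualAddress, size, PointerToRawData)
    for i in range(nsec):
        vsize, vaddr, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rsize), raw))

    def off(rva):                                        # RVA -> file offset via section table
        for vaddr, size, raw in sections:
            if vaddr <= rva < vaddr + size:
                return raw + (rva - vaddr)
        raise ValueError(f"RVA {rva:#x} maps to no section")

    def cstr(rva):
        o = off(rva)
        return data[o:data.index(b"\0", o)].decode()

    n_funcs, n_names, a_funcs, a_names, a_ords = struct.unpack_from("<IIIII", data, off(exp_rva) + 20)
    exports = {}
    for i in range(n_names):
        name = cstr(struct.unpack_from("<I", data, off(a_names) + 4 * i)[0])
        ordinal = struct.unpack_from("<H", data, off(a_ords) + 2 * i)[0]
        func_rva = struct.unpack_from("<I", data, off(a_funcs) + 4 * ordinal)[0]
        # An RVA inside the export directory itself is a forwarder ("module.Function").
        exports[name] = cstr(func_rva) if exp_rva <= func_rva < exp_rva + exp_size else None
    return exports


def assess_proxy(exports, expected_names):
    """Flag proxy traits: most exports forwarded elsewhere plus a partial/extended export set."""
    forwarded = {n: t for n, t in exports.items() if t}
    targets = Counter(t.rsplit(".", 1)[0].lower() for t in forwarded.values())
    ratio = len(forwarded) / len(exports) if exports else 0.0
    missing = sorted(set(expected_names) - set(exports))
    extra = sorted(set(exports) - set(expected_names))
    return {"forward_ratio": ratio, "forward_targets": dict(targets), "missing": missing,
            "extra": extra, "proxy_like": ratio >= 0.5 and bool(missing or extra)}


# Baseline: a subset of the genuine version.dll export names.
LEGIT_VERSION_EXPORTS = ["GetFileVersionInfoA", "GetFileVersionInfoSizeW",
                         "GetFileVersionInfoW", "VerQueryValueA", "VerQueryValueW"]
# Constructed proxy: forwards three APIs to a renamed original, drops two, adds its own "Run".
SUSPECT_EXPORTS = {"GetFileVersionInfoSizeW": "version_orig.GetFileVersionInfoSizeW",
                   "GetFileVersionInfoW": "version_orig.GetFileVersionInfoW",
                   "VerQueryValueW": "version_orig.VerQueryValueW", "Run": None}

if __name__ == "__main__":
    image = build_synthetic_dll(SUSPECT_EXPORTS)
    print(assess_proxy(parse_exports(image), LEGIT_VERSION_EXPORTS))
```

Treat the forwarder ratio as one signal, not a verdict: genuine system DLLs forward exports too (kernel32.dll forwards many to ntdll and kernelbase), so what matters is forwarding to a module name the real DLL never forwards to, combined with exports that are missing or added relative to the known-good export list, which is what the `proxy_like` flag encodes.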
## MITRE ATT&CK References
- T1574.001 DLL Search Order Hijacking
- T1574.002 DLL Side-Loading
- T1218 Signed Binary Proxy Execution
## Decision Tree
- Which executable loaded the suspicious DLL?
  - Parent process
  - Signed status
- DLL path expected?
  - System32?
  - App folder?
  - User-writable path?
- DLL signed?
  - Hash
  - Signature
  - Export table
- Was the DLL recently dropped?
  - Check Sysmon 11
  - MFT timeline
- Expand:
  - Network activity
  - Child processes
  - Persistence
- Scope:
  - Single binary abuse
  - Multiple hosts
  - Shared payload
## Example Detection Templates
### KQL
```kql
Sysmon
| where EventID == 7
| where ImageLoaded !startswith @"C:\Windows\System32"
| project TimeGenerated, Computer, Image, ImageLoaded, Signed
```
```kql
Sysmon
| where EventID == 11
| where TargetFilename endswith ".dll"
| project TimeGenerated, Computer, User, TargetFilename
```
### EQL
EQL `like` patterns use `*` and `?` as wildcards, not `%`:
```eql
library where dll.path like "C:\\Users\\*\\*.dll"
```
```eql
sequence by host.name with maxspan=5m
  [ file where file.path like "*.dll" ]
  [ process where process.name != null ]
```
### Sigma
```yaml
title: DLL Hijacking Or Proxying Detection
id: a8d3c991-dll-hijack
status: experimental
description: Detects suspicious DLL load outside expected system paths
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 7
  filter:
    ImageLoaded|startswith: 'C:\Windows\System32'
  condition: selection and not filter
fields:
  - Image
  - ImageLoaded
falsepositives:
  - Portable applications
level: high
tags:
  - attack.persistence
  - attack.t1574.001
```
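The query templates above each test one field in isolation; the indirect-indicator table and the decision tree only pay off when several signals are correlated per load event. The following is an added example, not code from the original note, showing how that correlation looks over a stream of Sysmon records: it indexes Event 11 file creates, then scores every Event 7 image load for the unsigned-from-writable-path, same-directory, known-hijack-name and recently-dropped indicators, and flags loads above a threshold. The event dicts, the `WRITABLE_HINTS` path fragments, the per-indicator weights and the threshold are all constructed assumptions to tune against your own baseline; the three DLL names come from the indicator table above.

```python
"""Correlate Sysmon 7 image loads with Sysmon 11 file creates to score DLL-hijack indicators."""
from datetime import datetime, timedelta
import ntpath  # Windows path semantics regardless of the analyst's host OS

# Dependency names listed in the indicator table; extend from your own module baseline.
KNOWN_HIJACK_NAMES = {"version.dll", "winmm.dll", "dbghelp.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Path fragments that usually mean a standard user can write there (assumption; tune per estate).
WRITABLE_HINTS = ("c:\\users\\", "\\appdata\\", "\\temp\\", "c:\\programdata\\")
SUSPECT_THRESHOLD = 4  # constructed weight threshold


def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")


def score_image_load(ev, creates, window=timedelta(minutes=10)):
    """Score one Sysmon Event 7 against the indirect indicators; returns (score, reasons)."""
    loaded = ev["ImageLoaded"].lower()
    image = ev["Image"].lower()
    if loaded.startswith(SYSTEM_DIRS):
        return 0, []  # expected location; nothing to correlate
    score, reasons = 0, []
    if ev.get("Signed", "").lower() != "true" and any(h in loaded for h in WRITABLE_HINTS):
        score += 3
        reasons.append("unsigned DLL loaded from a user-writable path")
    if ntpath.dirname(loaded) == ntpath.dirname(image):
        score += 2
        reasons.append("DLL resolved from the executable's own directory (search order)")
    if ntpath.basename(loaded) in KNOWN_HIJACK_NAMES:
        score += 2
        reasons.append("well-known hijack dependency name loaded outside system directories")
    load_time = _ts(ev)
    if any(timedelta(0) <= load_time - t <= window for t in creates.get(loaded, [])):
        score += 2
        reasons.append("DLL file was created shortly before the load (Sysmon 11)")
    return score, reasons


def hunt(events):
    """Index Sysmon 11 creates by path, score each Sysmon 7 load, return findings by score."""
    creates = {}
    for ev in events:
        if ev["EventID"] == 11:
            creates.setdefault(ev["TargetFilename"].lower(), []).append(_ts(ev))
    findings = []
    for ev in events:
        if ev["EventID"] != 7:
            continue
        score, reasons = score_image_load(ev, creates)
        if score:
            findings.append({"time": ev["UtcTime"], "image": ev["Image"], "dll": ev["ImageLoaded"],
                             "score": score, "reasons": reasons,
                             "suspect": score >= SUSPECT_THRESHOLD})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample records (fields named as Sysmon emits them).
VENDOR_DIR = "C:\\Users\\alice\\AppData\\Local\\VendorApp"
EVENTS = [
    {"EventID": 11, "UtcTime": "2024-05-01 10:00:05",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": VENDOR_DIR + "\\version.dll"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:20", "Image": VENDOR_DIR + "\\VendorApp.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 7, "UtcTime": "2024-05-01 10:00:21", "Image": VENDOR_DIR + "\\VendorApp.exe",
     "ImageLoaded": VENDOR_DIR + "\\version.dll", "Signed": "false"},
    {"EventID": 7, "UtcTime": "2024-05-01 10:00:21", "Image": VENDOR_DIR + "\\VendorApp.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "UtcTime": "2024-05-01 10:02:00", "Image": "C:\\Program Files\\Vendor\\Tool.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["score"], f["suspect"], f["dll"], f["reasons"])
```

On the sample stream the `version.dll` load trips all four indicators and is flagged, the `kernel32.dll` load is skipped as a system-directory path, and the signed `helper.dll` beside `Tool.exe` scores only the same-directory point, which is the ordinary case the "Portable applications" false-positive entry in the Sigma rule refers to. The same-directory check is deliberately weighted low for that reason; the Event 11 correlation is what separates a freshly dropped DLL from one that shipped with the application.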
## Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Safe DLL search mode | Keep enabled | Critical | Reduces local hijack abuse |
| Folder ACLs | Remove write access near signed binaries | Critical | Core defense |
| Sysmon module logging | Enable Event 7 selectively | High | Required visibility |
| Application allowlisting | WDAC / AppLocker | High | Restrict rogue DLL load |
| Baseline signed modules | Know expected modules | High | Detect drift quickly |