EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

Windows Unsigned DLL Side-Loading In Same Process Path

This detection identifies unsigned DLLs loaded through DLL side-loading with same file path with the process loaded the DLL, a technique observed in DarkGate malware. This detection monitors DLL loading, verifies signatures, and flags unsigned DLLs. Suspicious file paths and known executable associations are checked. Detecting such suspicious DLLs is crucial in preventing privilege escalation attacks and other potential security breaches. Regular security assessments, thorough monitoring, and implementing security best practices are essential in safeguarding systems from such threats.

MITRE ATT&CK

T1574.001
persistenceprivilege-escalationdefense-evasion

Detection Query

`sysmon` EventCode=7 Signed=false SignatureStatus != Valid NOT (Image IN ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*", "c:\\Program Files*")) NOT (ImageLoaded IN ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*", "c:\\Program Files*")) |  rex field=Image "(?<ImageFolderPath>.+\\\)" |  rex field=ImageLoaded "(?<ImageLoadedFolderPath>.+\\\)" |  where ImageFolderPath = ImageLoadedFolderPath | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded dest loaded_file loaded_file_path process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists service_dll_signature_verified signature signature_id user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_dll_side_loading_in_same_process_path_filter`

Author

Teoderick Contreras, Splunk

Created

2026-03-10

Data Sources

Sysmon EventID 7

References

Tags

PlugXDarkGate MalwareDerusbiChina-Nexus Threat ActivityMalicious Inno Setup LoaderSalt TyphoonXWormSnappyBeeNailaoLocker RansomwareLokibotSolarWinds WHD RCE Post Exploitation
Raw Content
name: Windows Unsigned DLL Side-Loading In Same Process Path
id: 3cf85c02-f9d6-4186-bf3c-e70ee99fbc7f
version: 18
date: '2026-03-10'
author: Teoderick Contreras, Splunk
type: TTP
status: production
description: This detection identifies unsigned DLLs loaded through DLL side-loading with same file path with the process loaded the DLL, a technique observed in DarkGate malware. This detection monitors DLL loading, verifies signatures, and flags unsigned DLLs. Suspicious file paths and known executable associations are checked. Detecting such suspicious DLLs is crucial in preventing privilege escalation attacks and other potential security breaches. Regular security assessments, thorough monitoring, and implementing security best practices are essential in safeguarding systems from such threats.
data_source:
    - Sysmon EventID 7
search: '`sysmon` EventCode=7 Signed=false SignatureStatus != Valid NOT (Image IN ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*", "c:\\Program Files*")) NOT (ImageLoaded IN ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*", "c:\\Program Files*")) |  rex field=Image "(?<ImageFolderPath>.+\\\)" |  rex field=ImageLoaded "(?<ImageLoadedFolderPath>.+\\\)" |  where ImageFolderPath = ImageLoadedFolderPath | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded dest loaded_file loaded_file_path process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists service_dll_signature_verified signature signature_id user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_dll_side_loading_in_same_process_path_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
known_false_positives: No false positives have been identified at this time.
references:
    - https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html
    - https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: An unsigned dll module was loaded on $dest$
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - PlugX
        - DarkGate Malware
        - Derusbi
        - China-Nexus Threat Activity
        - Malicious Inno Setup Loader
        - Salt Typhoon
        - XWorm
        - SnappyBee
        - NailaoLocker Ransomware
        - Lokibot
        - SolarWinds WHD RCE Post Exploitation
    asset_type: Endpoint
    mitre_attack_id:
        - T1574.001
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/unsigned_dll_loaded_same_process_path/unsigned_dll_process_path.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog