← Back to Explore
sigmamediumHunting
Creation Of Non-Existent System DLL
Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs. Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
Detection Query
selection:
TargetFilename|endswith:
- :\Windows\System32\axeonoffhelper.dll
- :\Windows\System32\cdpsgshims.dll
- :\Windows\System32\oci.dll
- :\Windows\System32\offdmpsvc.dll
- :\Windows\System32\shellchromeapi.dll
- :\Windows\System32\TSMSISrv.dll
- :\Windows\System32\TSVIPSrv.dll
- :\Windows\System32\wbem\wbemcomn.dll
- :\Windows\System32\WLBSCTRL.dll
- :\Windows\System32\wow64log.dll
- :\Windows\System32\WptsExtensions.dll
- \SprintCSP.dll
condition: selection
Author
Nasreddine Bencherchali (Nextron Systems), fornotes
Created
2022-12-01
Data Sources
windowsFile Events
Platforms
windows
References
- http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
- https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
- https://decoded.avast.io/martinchlumecky/png-steganography/
- https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
- https://github.com/Wh04m1001/SysmonEoP
- https://itm4n.github.io/cdpsvc-dll-hijacking/
- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
- https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/
- https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/
- https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/
- https://x.com/0gtweet/status/1564131230941122561
Tags
attack.defense-evasionattack.persistenceattack.privilege-escalationattack.t1574.001
Raw Content
title: Creation Of Non-Existent System DLL
id: df6ecb8b-7822-4f4b-b412-08f524b4576c
related:
- id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule
type: similar
status: test
description: |
Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes.
Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
references:
- http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
- https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
- https://decoded.avast.io/martinchlumecky/png-steganography/
- https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
- https://github.com/Wh04m1001/SysmonEoP
- https://itm4n.github.io/cdpsvc-dll-hijacking/
- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
- https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/
- https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/
- https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/
- https://x.com/0gtweet/status/1564131230941122561
author: Nasreddine Bencherchali (Nextron Systems), fornotes
date: 2022-12-01
modified: 2026-01-24
tags:
- attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
- attack.t1574.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- ':\Windows\System32\axeonoffhelper.dll'
- ':\Windows\System32\cdpsgshims.dll'
- ':\Windows\System32\oci.dll'
- ':\Windows\System32\offdmpsvc.dll'
- ':\Windows\System32\shellchromeapi.dll'
- ':\Windows\System32\TSMSISrv.dll'
- ':\Windows\System32\TSVIPSrv.dll'
- ':\Windows\System32\wbem\wbemcomn.dll'
- ':\Windows\System32\WLBSCTRL.dll'
- ':\Windows\System32\wow64log.dll'
- ':\Windows\System32\WptsExtensions.dll'
- '\SprintCSP.dll'
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_create_non_existent_dlls/info.yml