Rule Info
Name
Potential DLL Sideloading Of Non-Existent DLLs From System Folders
Author
Nasreddine Bencherchali (Nextron Systems), SBousseaden
Description
Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts.
Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
Date
2022-12-09 00:00:00
Modified
2026-01-24 00:00:00
Id
6b98b92b-4f00-4f62-b4fe-4d1920215771
Tags
attack.persistence attack.privilege-escalation attack.execution attack.stealth attack.t1574.001
Type
Community Rule
Rule History

| Author | Title | Date | Commit |
|---|---|---|---|
| Nasreddine Bencherchali | Merge PR #5966 from @nasbench - Update mitre tags to use attack v19 | 2026-04-29 | |
| Swachchhanda Shrawan Poudel | Merge PR #5749 from @swachchhanda000 - Update Phantom DLL hijacking Rules | 2026-01-24 | |
| Nasreddine Bencherchali | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes | 2024-08-12 | |
| Nasreddine Bencherchali | Merge PR #4662 from @nasbench - Updated and added new rules | 2024-01-10 | |
| github-actions[bot] | Merge PR #4611 from @nasbench - Promote Older Rules Status From `experimental` To `test` | 2023-12-01 | |
