Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes. Phantom DLL hijacking invol
title: Creation Of Non-Existent System DLL
id: df6ecb8b-7822-4f4b-b412-08f524b4576c
related:
- id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule
type: similar
status: test
description: |
Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes.
Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
references:
- http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
- https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
- https://decoded.avast.io/martinchlumecky/png-steganography/
- https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
- https://github.com/Wh04m1001/SysmonEoP
- https://itm4n.github.io/cdpsvc-dll-hijacking/
- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
- https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/
- https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/
- https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/
- https://x.com/0gtweet/status/1564131230941122561
author: Nasreddine Bencherchali (Nextron Systems), fornotes
date: 2022-12-01
modified: 2026-01-24
tags:
- attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
- attack.t1574.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- ':\Windows\System32\axeonoffhelper.dll'
- ':\Windows\System32\cdpsgshims.dll'
- ':\Windows\System32\oci.dll'
- ':\Windows\System32\offdmpsvc.dll'
- ':\Windows\System32\shellchromeapi.dll'
- ':\Windows\System32\TSMSISrv.dll'
- ':\Windows\System32\TSVIPSrv.dll'
- ':\Windows\System32\wbem\wbemcomn.dll'
- ':\Windows\System32\WLBSCTRL.dll'
- ':\Windows\System32\wow64log.dll'
- ':\Windows\System32\WptsExtensions.dll'
- '\SprintCSP.dll'
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_create_non_existent_dlls/info.yml
imFileEvent
| where TargetFileName endswith ":\\Windows\\System32\\axeonoffhelper.dll" or TargetFileName endswith ":\\Windows\\System32\\cdpsgshims.dll" or TargetFileName endswith ":\\Windows\\System32\\oci.dll" or TargetFileName endswith ":\\Windows\\System32\\offdmpsvc.dll" or TargetFileName endswith ":\\Windows\\System32\\shellchromeapi.dll" or TargetFileName endswith ":\\Windows\\System32\\TSMSISrv.dll" or TargetFileName endswith ":\\Windows\\System32\\TSVIPSrv.dll" or TargetFileName endswith ":\\Windows\\System32\\wbem\\wbemcomn.dll" or TargetFileName endswith ":\\Windows\\System32\\WLBSCTRL.dll" or TargetFileName endswith ":\\Windows\\System32\\wow64log.dll" or TargetFileName endswith ":\\Windows\\System32\\WptsExtensions.dll" or TargetFileName endswith "\\SprintCSP.dll"| Sentinel Table | Notes |
|---|---|
imFileEvent | Ensure this data connector is enabled |
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneous
Use these Atomic Red Team tests to validate this detection fires correctly: