Techniques
Sample rules
MSI Module Loaded by Non-System Binary
- source: splunk
- technicques:
- T1574.002
- T1574
Description
The following analytic detects the loading of msi.dll by a binary not located in system32, syswow64, winsxs, or windows directories. This is identified using Sysmon EventCode 7, which logs DLL loads, and filters out legitimate system paths. This activity is significant as it may indicate exploitation of CVE-2021-41379 or DLL side-loading attacks, both of which can lead to unauthorized system modifications. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or persist within the environment.
Detection logic
`sysmon` EventCode=7 ImageLoaded="*\\msi.dll" NOT (Image IN ("*\\System32\\*","*\\syswow64\\*","*\\windows\\*", "*\\winsxs\\*"))
| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode ProcessId
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `msi_module_loaded_by_non_system_binary_filter`