Adhesive.dll Bypass

User-mode hooks are fallible: they live in the same address space as the code they watch, so an implant can restore the hooked bytes, map a clean copy of ntdll, or issue direct syscalls and never touch them. Monitor from the kernel instead, with callbacks such as ObRegisterCallbacks (handle operations on process and thread objects) and PsSetCreateProcessNotifyRoutineEx (process creation). These run in kernel mode, below the layer an attacker can patch from user mode. Note that neither routine reports memory allocation; that needs a separate telemetry source.

Scenario: an attacker gains an initial foothold on a workstation and finds a network backup agent that runs as SYSTEM and loads reporting.dll from its own installation folder. The attacker replaces reporting.dll with adhesive.dll, a proxy DLL that forwards every export to a renamed copy of the original, so the agent keeps working, and additionally launches a reverse shell. The next time the agent runs, the adversary holds a SYSTEM shell obtained through the backup agent; because that agent is trusted to reach the backup server, the network segmentation that was supposed to keep the workstation away from the backup infrastructure is bypassed. The precondition to check on any host is whether a low-privileged user can write to the directory a SYSTEM process loads DLLs from; icacls on that folder will tell you.

title: Suspicious DLL Load from Temp Folder by Trusted Binary
status: experimental
description: Detects svchost.exe loading a DLL from a user's Temp directory, a location a legitimate service host should never load code from. Requires Sysmon image-load logging (Event ID 7) for the process.
logsource:
  product: windows
  category: image_load
detection:
  selection:
    Image|endswith: '\svchost.exe'
    ImageLoaded|contains: '\AppData\Local\Temp\'
    ImageLoaded|endswith: '.dll'
  condition: selection
falsepositives:
  - Installers or updaters that are temporarily hosted by svchost.exe
level: high
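To see what the rule above does and does not fire on, here is an added example that is not part of the original page: a small matcher for the Sigma value modifiers the rule uses, run over hand-constructed Sysmon Event ID 7 (ImageLoad) records. The field names Image and ImageLoaded are Sysmon's own; the events, user names and paths are made up for the test. The matcher keeps EventID 7 explicit because that is what the image_load category maps to for Sysmon.

```python
"""Evaluate a Sigma-style Sysmon ImageLoad rule over constructed events.

Added example, not code from the original page. Only the field
modifiers the rule needs (endswith, contains, startswith, plain
wildcard) are implemented; the events below are constructed test data.
"""
from fnmatch import fnmatchcase

# The rule's detection block as Python data. Keys use Sigma's
# "field|modifier" syntax; a key without a modifier is an exact
# case-insensitive match in which '*' and '?' are wildcards.
RULE = {
    "EventID": 7,
    "Image|endswith": "\\svchost.exe",
    "ImageLoaded|contains": "\\AppData\\Local\\Temp\\",
    "ImageLoaded|endswith": ".dll",
}


def field_matches(event, key, expected):
    """Apply one 'field|modifier: value' entry to a single event."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:                      # field absent: cannot match
        return False
    if isinstance(expected, int) or isinstance(value, int):
        return str(value) == str(expected)
    v, e = str(value).lower(), str(expected).lower()   # Sigma is case-insensitive
    if modifier == "endswith":
        return v.endswith(e)
    if modifier == "startswith":
        return v.startswith(e)
    if modifier == "contains":
        return e in v
    if modifier == "":
        return fnmatchcase(v, e)           # plain value: glob wildcards
    raise ValueError(f"unsupported modifier: {modifier}")


def rule_matches(event, rule=RULE):
    """Sigma ANDs all keys of a selection map."""
    return all(field_matches(event, k, v) for k, v in rule.items())


# Constructed Sysmon records (not real telemetry). Event 4 is the
# page's scenario: a backup agent side-loading from its own folder.
EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\reporting.dll"},
    {"EventID": 7, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\x\adhesive.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\wmiutils.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\BackupAgent\agent.exe",
     "ImageLoaded": r"C:\Program Files\BackupAgent\reporting.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]


def alerts(events, rule=RULE):
    """Return the ImageLoaded paths of the events the rule fires on."""
    return [e["ImageLoaded"] for e in events if rule_matches(e, rule)]


if __name__ == "__main__":
    for path in alerts(EVENTS):
        print("ALERT:", path)
```

Two things worth noticing from the run: the `Image|endswith` form catches the SysWOW64 svchost that an exact `C:\Windows\System32\svchost.exe` value would miss, and the rule does not fire on event 4 at all, because the scenario described above loads from the agent's own program directory, not from Temp. A rule for that case has to key on the loading process (a service binary) and a DLL whose path or signature does not match the vendor's, which is a different detection than the one this page gives.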