Think you have a false positive on this rule?

Sid 1-49781


FILE-OTHER Go binary dll-load exploit attempt


This event is generated when a download of kernel32.dll is detected.


Attempted User Privilege Gain

Detailed information

Go binaries from before version 1.12.2 will run any arbitrary kernel32.dll, winmm.dll, and ws2_32.dll in the same directory path, possibly leading to remote code execution.

Affected systems

Ease of attack

False positives

False negatives

Corrective action


  • Cisco Talos Intelligence Group

Additional References