A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2026-03-10
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

DLL Hijacking Analytics

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL (T1574.001)

Severity

Informational

Description

A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence, or perform privilege escalation.

Investigative actions

  • Investigate the loaded module to verify if it is malicious.
  • Investigate if the loading process and the loaded module reside in legitimate locations.

Variations

A rare DLL, signed by an uncommon vendor, was hijacked into an injected Microsoft process

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL (T1574.001)

Severity

Medium

Description

A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence, or perform privilege escalation.

Investigative actions

  • Investigate the loaded module to verify if it is malicious.
  • Investigate if the loading process and the loaded module reside in legitimate locations.


A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by unsigned causality actor

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL (T1574.001)

Severity

Medium

Description

A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence, or perform privilege escalation.

Investigative actions

  • Investigate the loaded module to verify if it is malicious.
  • Investigate if the loading process and the loaded module reside in legitimate locations.


A rare DLL, signed by an uncommon vendor, was downloaded from an uncommon source and was loaded into Microsoft process

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL (T1574.001)

Severity

Low

Description

A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence, or perform privilege escalation.

Investigative actions

  • Investigate the loaded module to verify if it is malicious.
  • Investigate if the loading process and the loaded module reside in legitimate locations.


A rare DLL, signed by a rarely seen vendor, was hijacked into a Microsoft process

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL (T1574.001)

Severity

Low

Description

A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence, or perform privilege escalation.

Investigative actions

  • Investigate the loaded module to verify if it is malicious.
  • Investigate if the loading process and the loaded module reside in legitimate locations.


A rare and high entropy DLL, signed by an uncommon vendor, was hijacked into a Microsoft process

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL (T1574.001)

Severity

Low

Description

A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence, or perform privilege escalation.

Investigative actions

  • Investigate the loaded module to verify if it is malicious.
  • Investigate if the loading process and the loaded module reside in legitimate locations.


A rare DLL, signed by an uncommon vendor, was hijacked into a newly created Microsoft process

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL (T1574.001)

Severity

Low

Description

A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence, or perform privilege escalation.

Investigative actions

  • Investigate the loaded module to verify if it is malicious.
  • Investigate if the loading process and the loaded module reside in legitimate locations.


A rare DLL, signed by an uncommon vendor, was sideloaded into a Microsoft process

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL (T1574.001)

Severity

Low

Description

A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence, or perform privilege escalation.

Investigative actions

  • Investigate the loaded module to verify if it is malicious.
  • Investigate if the loading process and the loaded module reside in legitimate locations.
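The following is an added illustration, not Cortex XDR code, of how the base alert's logic (a signed DLL whose hash and signing vendor are both rare loaded into a Microsoft-signed process, with a 30-day training period and 1-day deduplication) and the triage into the variations listed above could be modelled, together with the second investigative action (are the process and the module in legitimate locations?). The event field names, the rarity threshold (seen on at most two hosts during training), the entropy and "newly created" cut-offs, the deduplication key, the ordering of the variation checks and all sample events are assumptions; the severities are the ones this page states. The variation "signed by a rarely seen vendor" is left out because the page does not say how it differs from "uncommon vendor".

```python
"""Toy model of the 'rare DLL, signed by an uncommon vendor, hijacked into a
Microsoft process' analytic.  Added illustration, not Cortex XDR code; field
names, thresholds and sample events are assumptions."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

MICROSOFT = "Microsoft Corporation"
RARE_MAX_HOSTS = 2                      # assumed: <= 2 hosts in training => rare
TRAINING_PERIOD = timedelta(days=30)    # from the page
DEDUP_PERIOD = timedelta(days=1)        # from the page
LEGIT_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass(frozen=True)
class ModuleLoad:
    ts: datetime
    host: str
    process_path: str
    process_signer: str
    module_path: str
    module_sha256: str
    module_signer: str                  # "" when the DLL is unsigned
    # Context fields (assumed names) that select the page's variations.
    process_injected: bool = False
    causality_actor_signed: bool = True
    process_age: timedelta = timedelta(days=1)
    download_source_rare: bool = False
    module_entropy: float = 6.0         # bits per byte, 8.0 is the maximum


class Baseline:
    """Per-host prevalence of signed DLL hashes and signers over the training window."""

    def __init__(self) -> None:
        self.hash_hosts: dict[str, set[str]] = {}
        self.signer_hosts: dict[str, set[str]] = {}

    def train(self, events: Iterable[ModuleLoad], now: datetime) -> None:
        start = now - TRAINING_PERIOD
        for e in events:
            if start <= e.ts < now and e.module_signer:
                self.hash_hosts.setdefault(e.module_sha256, set()).add(e.host)
                self.signer_hosts.setdefault(e.module_signer, set()).add(e.host)

    def is_rare_hash(self, sha256: str) -> bool:
        return len(self.hash_hosts.get(sha256, ())) <= RARE_MAX_HOSTS

    def is_rare_signer(self, signer: str) -> bool:
        return len(self.signer_hosts.get(signer, ())) <= RARE_MAX_HOSTS


def _under(path: str, roots: tuple[str, ...]) -> bool:
    """True when a Windows path lies below one of the given directory roots."""
    p = ntpath.normcase(path)
    return any(p.startswith(r + "\\") for r in roots)


def variation(e: ModuleLoad) -> tuple[str, str]:
    """(variation name, severity) from the page; check order is an assumption (highest severity first)."""
    if e.process_injected:
        return ("hijacked into an injected Microsoft process", "Medium")
    if not e.causality_actor_signed:
        return ("hijacked into a Microsoft process which was executed by unsigned causality actor", "Medium")
    if e.download_source_rare:
        return ("downloaded from an uncommon source and was loaded into Microsoft process", "Low")
    if e.module_entropy >= 7.0:                 # assumed high-entropy cut-off
        return ("rare and high entropy DLL hijacked into a Microsoft process", "Low")
    if e.process_age < timedelta(minutes=5):    # assumed "newly created" window
        return ("hijacked into a newly created Microsoft process", "Low")
    same_dir = ntpath.normcase(ntpath.dirname(e.module_path)) == ntpath.normcase(ntpath.dirname(e.process_path))
    if same_dir and not _under(e.module_path, SYSTEM_DIRS):
        return ("sideloaded into a Microsoft process", "Low")
    return ("hijacked into a Microsoft process", "Informational")


def location_findings(e: ModuleLoad) -> list[str]:
    """Second investigative action: do the process image and the module live in legitimate locations?"""
    findings = []
    if not _under(e.process_path, LEGIT_ROOTS):
        findings.append("process image outside standard program directories")
    if not _under(e.module_path, LEGIT_ROOTS):
        findings.append("module outside standard program directories")
    return findings


def run(training: list[ModuleLoad], live: list[ModuleLoad], now: datetime) -> list[dict]:
    baseline = Baseline()
    baseline.train(training, now)
    last_seen: dict[tuple, datetime] = {}
    alerts = []
    for e in sorted(live, key=lambda x: x.ts):
        if e.process_signer != MICROSOFT or not e.module_signer:
            continue                            # not a signed DLL in a Microsoft-signed process
        if not (baseline.is_rare_hash(e.module_sha256) and baseline.is_rare_signer(e.module_signer)):
            continue                            # hash or vendor is common in this environment
        key = (e.host, e.process_path, e.module_sha256)   # assumed deduplication key
        prev = last_seen.get(key)
        if prev is not None and e.ts - prev < DEDUP_PERIOD:
            continue                            # suppressed by the 1-day deduplication period
        last_seen[key] = e.ts
        name, sev = variation(e)
        alerts.append({"ts": e.ts, "host": e.host, "variation": name, "severity": sev,
                       "module": e.module_path, "findings": location_findings(e)})
    return alerts


# Constructed sample data: a widely seen Microsoft DLL and one rarely seen vendor DLL.
NOW = datetime(2026, 3, 10, 12, 0)
MS_DLL, VENDOR = "sha256-placeholder-common-microsoft-dll", "Example Vendor LLC"
EXPLORER, TMP = r"C:\Windows\explorer.exe", r"C:\Users\jdoe\AppData\Local\Temp\helper.dll"
TRAINING_EVENTS = [
    ModuleLoad(NOW - timedelta(days=d), f"ws-{i:02d}", EXPLORER, MICROSOFT,
               r"C:\Windows\System32\version.dll", MS_DLL, MICROSOFT)
    for i, d in enumerate((3, 7, 12, 18, 25))
] + [ModuleLoad(NOW - timedelta(days=20), "ws-00", EXPLORER, MICROSOFT,
                r"C:\Program Files\Example\helper.dll", "sha256-placeholder-helper-v1", VENDOR)]
LIVE_EVENTS = [
    ModuleLoad(NOW + timedelta(hours=1), "ws-07", EXPLORER, MICROSOFT, TMP, "sha256-placeholder-helper-v2", VENDOR),
    ModuleLoad(NOW + timedelta(hours=3), "ws-07", EXPLORER, MICROSOFT, TMP, "sha256-placeholder-helper-v2", VENDOR),
    ModuleLoad(NOW + timedelta(hours=4), "ws-07", EXPLORER, MICROSOFT, TMP, "sha256-placeholder-helper-v3", VENDOR,
               process_injected=True),
    ModuleLoad(NOW + timedelta(hours=5), "ws-08", r"C:\Users\jdoe\Desktop\app\msapp.exe", MICROSOFT,
               r"C:\Users\jdoe\Desktop\app\helper.dll", "sha256-placeholder-helper-v4", VENDOR),
    ModuleLoad(NOW + timedelta(hours=6), "ws-09", EXPLORER, MICROSOFT,
               r"C:\Windows\System32\version.dll", MS_DLL, MICROSOFT),
]


def demo() -> list[dict]:
    return run(TRAINING_EVENTS, LIVE_EVENTS, NOW)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Running the block yields three alerts: the first Temp-directory load is Informational, its repeat two hours later is deduplicated, the injected-process load is Medium, the module beside a Microsoft-signed executable outside the standard directories is flagged as sideloaded, and the common `version.dll` load produces nothing because both its hash and its signer are prevalent in the baseline.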