Phantom DLL Loading

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-10-08
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

DLL Hijacking Analytics

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Hijack Execution Flow: DLL Side-Loading (T1574.002)

Severity

Medium

Description

An attacker might leverage existing processes missing module loads to load malicious code into trusted processes.

Attacker's Goals

An attacker is attempting to load untrusted code into trusted contexts to avoid detection, persist or escalate privileges.

Investigative actions

Investigate the loaded module and verify if it is malicious.