Phantom DLL Loading

Synopsis

Description

An attacker might leverage existing processes missing module loads to load malicious code into trusted processes.

Attacker's Goals

An attacker is attempting to load untrusted code into trusted contexts to avoid detection, persist or escalate privileges.

Investigative actions

Investigate the loaded module and verify if it is malicious.

Variations

Phantom DLL Loading was used to load a DLL into a process after it was extracted from an internent-downloaded archive
Phantom DLL Loading was used to load a DLL into a process after it was downloaded from an uncommon source