Synopsis
Description
An unsigned DLL was loaded into a Microsoft-signed process.
A DLL with this name is normally signed by Microsoft, so an unsigned copy may indicate an attacker performing DLL hijacking.
Attacker's Goals
An attacker is attempting to load an untrusted module into a trusted context to evade detection, gain persistence, or escalate privileges.
Investigative actions
- Investigate the loaded module to verify whether it is malicious.
- Investigate whether the loading process and the loaded module reside in legitimate locations.
Variations
Possible DLL Hijack of a low entropy DLL into a Microsoft process
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | High
Description
An unsigned DLL was loaded into a Microsoft-signed process.
A DLL with this name is normally signed by Microsoft, so an unsigned copy may indicate an attacker performing DLL hijacking.
Attacker's Goals
An attacker is attempting to load an untrusted module into a trusted context to evade detection, gain persistence, or escalate privileges.
Investigative actions
- Investigate the loaded module to verify whether it is malicious.
- Investigate whether the loading process and the loaded module reside in legitimate locations.
Possible DLL Side-Loading into a Microsoft process from a suspicious folder
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | Medium
Description
An unsigned DLL was loaded into a Microsoft-signed process.
A DLL with this name is normally signed by Microsoft, so an unsigned copy may indicate an attacker performing DLL hijacking.
Attacker's Goals
An attacker is attempting to load an untrusted module into a trusted context to evade detection, gain persistence, or escalate privileges.
Investigative actions
- Investigate the loaded module to verify whether it is malicious.
- Investigate whether the loading process and the loaded module reside in legitimate locations.
DLL Hijack into a Microsoft process
Synopsis
Description
An unsigned DLL was loaded into a Microsoft-signed process.
A DLL with this name is normally signed by Microsoft, so an unsigned copy may indicate an attacker performing DLL hijacking.
Attacker's Goals
An attacker is attempting to load an untrusted module into a trusted context to evade detection, gain persistence, or escalate privileges.
Investigative actions
- Investigate the loaded module to verify whether it is malicious.
- Investigate whether the loading process and the loaded module reside in legitimate locations.
Possible DLL Hijack into a Microsoft development or framework related process
Synopsis
Description
An unsigned DLL was loaded into a Microsoft-signed process.
A DLL with this name is normally signed by Microsoft, so an unsigned copy may indicate an attacker performing DLL hijacking.
Attacker's Goals
An attacker is attempting to load an untrusted module into a trusted context to evade detection, gain persistence, or escalate privileges.
Investigative actions
- Investigate the loaded module to verify whether it is malicious.
- Investigate whether the loading process and the loaded module reside in legitimate locations.
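The two investigative actions listed for this alert and each of its variations (check the loaded module, check the locations of the process and the module) can be started on the endpoint itself. The following PowerShell script is an added triage example, not part of the alert reference: for the process named in the alert (or every process), it lists loaded modules that are not Microsoft-signed, that sit outside the standard Windows or Program Files directories, or that carry the same file name as a System32 DLL while being loaded from elsewhere, which is the pattern the description calls out. The trusted-root list, the function names and the output columns are assumptions chosen for illustration.

```powershell
# Added triage example, not part of the alert reference. Run in an elevated session
# so that module lists and file signatures can be read for most processes.
# The trusted-root list and the output columns are assumptions for illustration.

$TrustedRoots = @(
    "$env:SystemRoot\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
) | Where-Object { $_ -and $_ -ne '\' }   # drop the x86 entry on 32-bit hosts

function Test-MicrosoftSigned {
    # True only for a valid Authenticode (or catalog) signature whose signer is Microsoft.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    if ($null -eq $sig -or $sig.Status -ne 'Valid') { return $false }
    return ($sig.SignerCertificate.Subject -like '*Microsoft Corporation*')
}

function Test-TrustedLocation {
    # True when the file lives under one of the standard installation roots.
    param([string]$Path)
    foreach ($root in $TrustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Test-ShadowsSystemDll {
    # A module loaded from outside System32 that has the same file name as a System32 DLL
    # matches the "DLL name usually signed by Microsoft" condition in the alert.
    param([string]$Path)
    $sysCopy = Join-Path "$env:SystemRoot\System32" (Split-Path -Leaf $Path)
    return ((Test-Path $sysCopy) -and
            -not $Path.Equals($sysCopy, [System.StringComparison]::OrdinalIgnoreCase))
}

function Find-SuspiciousModules {
    param([int[]]$ProcessId)   # e.g. the PID reported in the alert; omit to scan all processes
    $procs = if ($ProcessId) { Get-Process -Id $ProcessId } else { Get-Process }
    foreach ($p in $procs) {
        if (-not $p.Path) { continue }                        # protected/system process, no image path
        if (-not (Test-MicrosoftSigned $p.Path)) { continue }  # the alert concerns Microsoft-signed hosts only
        try { $modules = $p.Modules } catch { continue }      # 32/64-bit mismatch or access denied
        foreach ($m in $modules) {
            $modPath = $m.FileName
            if (-not $modPath -or -not (Test-Path $modPath)) { continue }
            $signed  = Test-MicrosoftSigned $modPath
            $trusted = Test-TrustedLocation $modPath
            $shadows = Test-ShadowsSystemDll $modPath
            if ($signed -and $trusted -and -not $shadows) { continue }   # nothing to review
            [pscustomobject]@{
                ProcessName      = $p.ProcessName
                PID              = $p.Id
                ProcessPath      = $p.Path
                Module           = $m.ModuleName
                ModulePath       = $modPath
                MicrosoftSigned  = $signed
                TrustedLocation  = $trusted
                ShadowsSystemDll = $shadows
                SHA256           = (Get-FileHash -Algorithm SHA256 -Path $modPath -ErrorAction SilentlyContinue).Hash
            }
        }
    }
}

# Usage: restrict to the PID from the alert, then check the SHA256 of each flagged
# module against your reputation sources before concluding that it is malicious.
Find-SuspiciousModules | Sort-Object ProcessName, Module | Format-Table -AutoSize
```

A row with MicrosoftSigned false is a triage signal, not proof: third-party software legitimately loads its own signed or unsigned DLLs into Microsoft-signed hosts, and on older Windows builds catalog-signed files can report as unsigned. Expect ShadowsSystemDll to be true for copies under SysWOW64 or WinSxS; the case that matters for this alert is a same-named DLL loaded from a user-writable or otherwise unusual directory.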