Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
N/A (single event) |
Deduplication Period |
1 Day |
Required Data |
|
Detection Modules |
|
Detector Tags |
DLL Hijacking Analytics |
ATT&CK Tactic |
|
ATT&CK Technique |
|
Severity |
Low |
Description
An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module.
Attacker's Goals
An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
Investigative actions
- Investigate the loaded module to verify if it is malicious.
- Investigate if the loading process and the loaded module reside in legitimate locations.