Possible DLL Side-Loading

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL Side-Loading (T1574.002)

Severity

Informational

Description

An attacker might abuse the Windows DLL search order by planting in the same folder a signed binary that will load the attacker's malicious module.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.

Investigative actions

  • Investigate the loaded module to verify if it is malicious.
  • Investigate if the loading process and the loaded module reside in legitimate locations.

Variations

Possible DLL Side-Loading of a module with highly suspicious characteristics

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL Side-Loading (T1574.002)

Severity

Medium

Description

An attacker might abuse the Windows DLL search order by planting in the same folder a signed binary that will load the attacker's malicious module.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.

Investigative actions

  • Investigate the loaded module to verify if it is malicious.
  • Investigate if the loading process and the loaded module reside in legitimate locations.


Globally Uncommon DLL Side-Loading

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL Side-Loading (T1574.002)

Severity

Low

Description

An attacker might abuse the Windows DLL search order by planting in the same folder a signed binary that will load the attacker's malicious module.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.

Investigative actions

  • Investigate the loaded module to verify if it is malicious.
  • Investigate if the loading process and the loaded module reside in legitimate locations.


Possible DLL Side-Loading of a module with suspicious characteristics

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL Side-Loading (T1574.002)

Severity

Low

Description

An attacker might abuse the Windows DLL search order by planting in the same folder a signed binary that will load the attacker's malicious module.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.

Investigative actions

  • Investigate the loaded module to verify if it is malicious.
  • Investigate if the loading process and the loaded module reside in legitimate locations.


Possible DLL Side-Loading by a known actor in the organization

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL Side-Loading (T1574.002)

Severity

Low

Description

An attacker might abuse the Windows DLL search order by planting in the same folder a signed binary that will load the attacker's malicious module.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.

Investigative actions

  • Investigate the loaded module to verify if it is malicious.
  • Investigate if the loading process and the loaded module reside in legitimate locations.