Unsigned DLL Side-Loading

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2026-03-10
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

DLL Hijacking Analytics

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL (T1574.001)

Severity

Informational

Description

A signed process loaded an unsigned and rare module from the same folder.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence, or escalate privileges.

Investigative actions

  • Investigate the loaded module to verify whether it is malicious.
  • Investigate whether the loading process and the loaded module reside in legitimate locations.

Variations

DLL Side-Loading of module bearing an invalid Microsoft signature

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL (T1574.001)

Severity

High

Description

A signed process loaded an unsigned and rare module from the same folder.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence, or escalate privileges.

Investigative actions

  • Investigate the loaded module to verify whether it is malicious.
  • Investigate whether the loading process and the loaded module reside in legitimate locations.


Unsigned DLL Side-Loading to a signed microsoft process by a rare causality actor

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL (T1574.001)

Severity

Medium

Description

A signed process loaded an unsigned and rare module from the same folder.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence, or escalate privileges.

Investigative actions

  • Investigate the loaded module to verify whether it is malicious.
  • Investigate whether the loading process and the loaded module reside in legitimate locations.


Unsigned DLL Side-Loading to a signed microsoft process

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL (T1574.001)

Severity

Low

Description

A signed process loaded an unsigned and rare module from the same folder.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence, or escalate privileges.

Investigative actions

  • Investigate the loaded module to verify whether it is malicious.
  • Investigate whether the loading process and the loaded module reside in legitimate locations.


Unsigned DLL Side-Loading - DLL downloaded from an uncommon source

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL (T1574.001)

Severity

Low

Description

A signed process loaded an unsigned and rare module from the same folder.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence, or escalate privileges.

Investigative actions

  • Investigate the loaded module to verify whether it is malicious.
  • Investigate whether the loading process and the loaded module reside in legitimate locations.


Unsigned high entropy DLL Side-Loading by untrusted causality actor

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL (T1574.001)

Severity

Low

Description

A signed process loaded an unsigned and rare module from the same folder.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence, or escalate privileges.

Investigative actions

  • Investigate the loaded module to verify whether it is malicious.
  • Investigate whether the loading process and the loaded module reside in legitimate locations.
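As an added example (not Cortex XDR's own detection code), the following Python applies the base condition stated in every description above (a signed process loads an unsigned, rare module from its own folder) to constructed module-load telemetry, then maps each hit to the base alert or one of the five variations and the severity the reference assigns. The field names, the rarity and entropy thresholds, and the sample events are all assumptions.

```python
from pathlib import PureWindowsPath

RARE_MAX_HOSTS = 2   # assumption: a module seen on this many hosts or fewer counts as "rare"
HIGH_ENTROPY = 7.0   # assumption: Shannon entropy (bits/byte) at or above this counts as "high"

def classify(e, hosts_per_module):
    """(alert name, severity) for one load event, or None when the base condition fails."""
    same_folder = PureWindowsPath(e["process_path"]).parent == PureWindowsPath(e["module_path"]).parent
    module_trusted = e["module_signer"] is not None and e["module_sig_valid"]
    rare = hosts_per_module[e["module_sha256"]] <= RARE_MAX_HOSTS
    if not (e["process_sig_valid"] and not module_trusted and same_folder and rare):
        return None  # validly signed module, different folder, or module common across the fleet
    ms_process = e["process_signer"] == "Microsoft"
    if e["module_signer"] == "Microsoft" and not e["module_sig_valid"]:
        return "DLL Side-Loading of module bearing an invalid Microsoft signature", "High"
    if ms_process and e["actor_rare"]:
        return "Unsigned DLL Side-Loading to a signed microsoft process by a rare causality actor", "Medium"
    if ms_process:
        return "Unsigned DLL Side-Loading to a signed microsoft process", "Low"
    if e["download_source_uncommon"]:
        return "Unsigned DLL Side-Loading - DLL downloaded from an uncommon source", "Low"
    if e["module_entropy"] >= HIGH_ENTROPY and not e["actor_trusted"]:
        return "Unsigned high entropy DLL Side-Loading by untrusted causality actor", "Low"
    return "Unsigned DLL Side-Loading", "Informational"

def event(host, proc, proc_signer, mod, sha, mod_signer=None, mod_valid=False, **flags):
    """Constructed module-load record; the field names are assumptions, not the XDR schema."""
    e = dict(host=host, process_path=proc, process_signer=proc_signer, process_sig_valid=True,
             module_path=mod, module_sha256=sha, module_signer=mod_signer, module_sig_valid=mod_valid,
             actor_rare=False, actor_trusted=True, download_source_uncommon=False, module_entropy=5.0)
    return {**e, **flags}

V, D = r"C:\Program Files\Vendor", r"C:\Users\bob\Downloads"  # constructed folders
EVENTS = [  # constructed telemetry; hashes are placeholders
    event("h1", V + r"\app.exe", "Vendor Corp", V + r"\helper.dll", "sha-aaa"),
    event("h2", D + r"\msapp.exe", "Microsoft", D + r"\cfg.dll", "sha-bbb", mod_signer="Microsoft"),
    event("h3", D + r"\msapp.exe", "Microsoft", D + r"\cfg.dll", "sha-ccc", actor_rare=True),
    event("h4", V + r"\app.exe", "Vendor Corp", V + r"\net.dll", "sha-ddd", download_source_uncommon=True),
    event("h5", V + r"\app.exe", "Vendor Corp", V + r"\pack.dll", "sha-eee", module_entropy=7.6, actor_trusted=False),
    *[event(h, V + r"\app.exe", "Vendor Corp", V + r"\common.dll", "sha-fff") for h in ("h6", "h7", "h8")],
]

def alerts(events):
    """Build the fleet-wide rarity baseline, then keep only the events that raise an alert."""
    seen = {}
    for e in events:
        seen.setdefault(e["module_sha256"], set()).add(e["host"])
    baseline = {sha: len(hosts) for sha, hosts in seen.items()}
    return [(e["host"], *hit) for e in events if (hit := classify(e, baseline))]
```

The three loads of common.dll on h6 to h8 raise nothing because the module is not rare; that prevalence baseline is what keeps the base alert at Informational volume rather than firing on every unsigned plugin.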