Synopsis
| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | DLL Hijacking Analytics |
| ATT&CK Tactic | |
| ATT&CK Technique | Hijack Execution Flow: DLL Search Order Hijacking (T1574.001) |
| Severity | Low |
Description
An unsigned DLL was loaded into a Microsoft-signed process.
A DLL with this name is usually signed by Microsoft, so an unsigned copy might indicate an attacker performing DLL Hijacking.
Attacker's Goals
An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence, or perform privilege escalation.
Investigative actions
- Investigate the loaded module to verify if it is malicious.
- Investigate if the loading process and the loaded module reside in legitimate locations.
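The logic in the Description and the location check above can be sketched over module-load telemetry. This is an added example, not the product's own detection code: the event fields, the thresholds, the `C:\Windows` triage hint and every path in the sample data are assumptions constructed for illustration.

```python
from collections import Counter
from pathlib import PureWindowsPath

MS = "Microsoft"  # assumed signer label; None means the file is unsigned

def ev(proc, proc_signer, mod, mod_signer):
    """Build one module-load event (hypothetical field names)."""
    return {"process_path": proc, "process_signer": proc_signer,
            "module_path": mod, "module_signer": mod_signer}

def build_baseline(events, min_loads=3, min_ratio=0.9):
    """Return DLL names whose training-period loads were almost always Microsoft-signed."""
    total, ms_signed = Counter(), Counter()
    for e in events:
        name = PureWindowsPath(e["module_path"]).name.lower()
        total[name] += 1
        ms_signed[name] += e["module_signer"] == MS
    return {n for n, c in total.items()
            if c >= min_loads and ms_signed[n] / c >= min_ratio}

def detect(events, baseline):
    """Flag unsigned loads of a usually-Microsoft-signed DLL name into a Microsoft-signed process."""
    hits = []
    for e in events:
        mod = PureWindowsPath(e["module_path"])
        if (e["process_signer"] == MS and e["module_signer"] is None
                and mod.name.lower() in baseline):
            hits.append({"process": e["process_path"], "module": str(mod),
                         # Triage hint only: does the module sit under C:\Windows?
                         "under_windows_dir": PureWindowsPath(r"C:\Windows") in mod.parents})
    return hits

# Constructed sample telemetry (all paths and names are made up).
SYS = r"C:\Windows\System32"
TRAINING = ([ev(SYS + r"\svchost.exe", MS, SYS + r"\version.dll", MS)] * 4
            + [ev(r"C:\Apps\tool.exe", "Example Corp", r"C:\Apps\helper.dll", None)] * 3)
OBSERVED = [
    ev(r"C:\Users\Public\Tools\signedtool.exe", MS, r"C:\Users\Public\Tools\version.dll", None),
    ev(SYS + r"\svchost.exe", MS, SYS + r"\version.dll", MS),
    ev(r"C:\Users\Public\Tools\signedtool.exe", MS, r"C:\Users\Public\Tools\helper.dll", None),
    ev(r"C:\Apps\tool.exe", "Example Corp", r"C:\Apps\version.dll", None),
]

if __name__ == "__main__":
    for hit in detect(OBSERVED, build_baseline(TRAINING)):
        print(hit)
```

Only the first observed event is flagged: the second module is signed, the third DLL name is not one that is usually Microsoft-signed, and the fourth loading process is not Microsoft-signed.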
Variations
Possible DLL Hijack of a low entropy DLL into a Microsoft process
Possible DLL Side-Loading into a Microsoft process from a suspicious folder
DLL Hijack into a Microsoft process
Possible DLL Hijack into a Microsoft development or framework related process