Unsigned DLL Hijack into a Microsoft process

Cortex XSIAM Analytics Alert Reference by Alert name
Product
Cortex XSIAM
Last date published
2026-01-04
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

DLL Hijacking Analytics

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL (T1574.001)

Severity

Informational

Description

An unsigned DLL was loaded into a Microsoft signed process.
It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.

Investigative actions

  • Investigate the loaded module to verify if it is malicious.
  • Investigate if the loading process and the loaded module reside in legitimate locations.

Variations

Unsigned DLL Hijack into a recently created Microsoft process which commonly loads the module as signed

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL (T1574.001)

Severity

Medium

Description

An unsigned DLL was loaded into a Microsoft signed process.
It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.
In addition, The Microsoft process which commonly loads the module as signed,had loaded the module as unsigned, which might indicate an attacker targeting a popular module name.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.

Investigative actions

  • Investigate the loaded module to verify if it is malicious.
  • Investigate if the loading process and the loaded module reside in legitimate locations.


Rare and unsigned DLL into an injected Microsoft process

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL (T1574.001)

Severity

Medium

Description

An unsigned DLL was loaded into a Microsoft signed process.
It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.

Investigative actions

  • Investigate the loaded module to verify if it is malicious.
  • Investigate if the loading process and the loaded module reside in legitimate locations.


Unsigned DLL Hijack of a low entropy DLL into a Microsoft process

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL (T1574.001)

Severity

Low

Description

An unsigned DLL was loaded into a Microsoft signed process.
It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.

Investigative actions

  • Investigate the loaded module to verify if it is malicious.
  • Investigate if the loading process and the loaded module reside in legitimate locations.


Unsigned DLL Hijack of a high entropy DLL into a Microsoft process

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL (T1574.001)

Severity

Low

Description

An unsigned DLL was loaded into a Microsoft signed process.
It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.

Investigative actions

  • Investigate the loaded module to verify if it is malicious.
  • Investigate if the loading process and the loaded module reside in legitimate locations.


Unsigned DLL Hijack into a Microsoft process - the DLL downloaded from an uncommon source

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL (T1574.001)

Severity

Low

Description

An unsigned DLL was loaded into a Microsoft signed process.
It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.

Investigative actions

  • Investigate the loaded module to verify if it is malicious.
  • Investigate if the loading process and the loaded module reside in legitimate locations.


Unsigned DLL Hijack into a recently created Microsoft process

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow: DLL (T1574.001)

Severity

Low

Description

An unsigned DLL was loaded into a Microsoft signed process.
It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.

Attacker's Goals

An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.

Investigative actions

  • Investigate the loaded module to verify if it is malicious.
  • Investigate if the loading process and the loaded module reside in legitimate locations.