Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)
Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1547 | Boot or Logon Autostart Execution |
Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL. |
|
| .002 | Authentication Package |
Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned DLLs try to load into the LSA by setting the Registry key |
||
| .003 | Time Providers |
There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk. [5] |
||
| .004 | Winlogon Helper DLL |
New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. |
||
| .005 | Security Support Provider |
Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned SSP DLLs try to load into the LSA by setting the Registry key |
||
| .008 | LSASS Driver |
Also monitor DLL load operations in lsass.exe. [6] |
||
| .010 | Port Monitors |
Monitor DLLs that are loaded by spoolsv.exe for DLLs that are abnormal. New DLLs written to the System32 directory that do not correlate with known good software or patching may be suspicious. |
||
| .012 | Print Processors |
Monitor for abnormal DLLs that are loaded by spoolsv.exe. Print processors that do not correlate with known good software or patching may be suspicious. New print processor DLLs are written to the print processor directory. |
||
| Enterprise | T1059 | Command and Scripting Interpreter |
Monitor for events associated with scripting execution, such as the loading of modules associated with scripting languages (ex: JScript.dll or vbscript.dll). |
|
| .001 | PowerShell |
Monitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).[7][8] |
||
| .005 | Visual Basic |
Monitor for the loading of modules associated with VB languages (ex: vbscript.dll). |
||
| .007 | JavaScript |
Monitor for the loading of modules associated with scripting languages (ex: JScript.dll). |
||
| Enterprise | T1546 | Event Triggered Execution |
Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement. |
|
| .006 | LC_LOAD_DYLIB Addition |
Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
||
| .007 | Netsh Helper DLL |
Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
||
| .009 | AppCert DLLs |
Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Tools such as Sysinternals Autoruns may overlook AppCert DLLs as an auto-starting location. [9] [10] |
||
| .010 | AppInit DLLs |
Monitor DLL loads by processes that load user32.dll and look for DLLs that are not recognized or not normally loaded into a process. |
||
| .011 | Application Shimming |
Monitor DLL loads by processes that load user32.dll and look for DLLs that are not recognized or not normally loaded into a process. |
||
| .015 | Component Object Model Hijacking |
Likewise, if software DLL loads are collected and analyzed, any unusual DLL load that can be correlated with a COM object Registry modification may indicate COM hijacking has been performed. |
||
| Enterprise | T1574 | Hijack Execution Flow |
Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. |
|
| .001 | DLL Search Order Hijacking |
Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. |
||
| .002 | DLL Side-Loading |
Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
||
| .004 | Dylib Hijacking |
Monitor for dynamic libraries being loaded. Run path dependent libraries can include LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, and LC_RPATH. Other special keywords are recognized by the macOS loader are @rpath, @loader_path, and @executable_path.[11] These loader instructions can be examined for individual binaries or frameworks using the otool -l command. Objective-See's Dylib Hijacking Scanner can be used to identify applications vulnerable to dylib hijacking |
||
| .005 | Executable Installer File Permissions Weakness |
Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
||
| .006 | Dynamic Linker Hijacking |
Monitor library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates. |
||
| .012 | COR_PROFILER |
Monitor DLL files that are associated with COR_PROFILER environment variables. |
||
| Enterprise | T1559 | Inter-Process Communication |
Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
|
| .001 | Component Object Model |
Monitor for COM objects loading DLLs and other modules not typically associated with the application.[12] |
||
| .002 | Dynamic Data Exchange |
Monitor processes for abnormal behavior indicative of DDE abuse, such as Microsoft Office applications loading DLLs and other modules not typically associated with the application or these applications spawning unusual processes (such as cmd.exe). |
||
| Enterprise | T1556 | Modify Authentication Process |
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Password filters will also show up as an autorun and loaded DLL in lsass.exe.[13] |
|
| .002 | Password Filter DLL |
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Password filters will also show up as an autorun and loaded DLL in lsass.exe.[13] |
||
| Enterprise | T1106 | Native API |
Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Utilization of the Windows APIs may involve processes loading/accessing system DLLs associated with providing called functions (ex: ntdll.dll, kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity. |
|
| Enterprise | T1137 | Office Application Startup |
Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
|
| .002 | Office Test |
Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
||
| Enterprise | T1055 | Process Injection |
Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
|
| .001 | Dynamic-link Library Injection |
Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
||
| .014 | VDSO Hijacking |
Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
||
| Enterprise | T1620 | Reflective Code Loading |
Monitor for artifacts of abnormal process execution. For example, a common signature related to reflective code loading on Windows is mechanisms related to the .NET Common Language Runtime (CLR) -- such as mscor.dll, mscoree.dll, and clr.dll -- loading into abnormal processes (such as notepad.exe) |
|
| Enterprise | T1021 | Remote Services |
Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes, that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. |
|
| .003 | Distributed Component Object Model |
Monitor for COM objects loading DLLs and other modules not typically associated with the application.[14] |
||
| Enterprise | T1505 | .005 | Server Software Component: Terminal Services DLL |
Monitor module loads by the Terminal Services process (ex: |
| Enterprise | T1129 | Shared Modules |
Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to |
|
| Enterprise | T1553 | Subvert Trust Controls |
Enable CryptoAPI v2 (CAPI) event logging [15] to monitor and analyze error events related to failed trust validation (Event ID 81, though this event can be subverted by hijacked trust provider components) as well as any other provided information events (ex: successful validations). Code Integrity event logging may also provide valuable indicators of malicious SIP or trust provider loads, since protected processes that attempt to load a maliciously-crafted trust validation component will likely fail (Event ID 3033). [16] |
|
| .003 | SIP and Trust Provider Hijacking |
Enable CryptoAPI v2 (CAPI) event logging [15] to monitor and analyze error events related to failed trust validation (Event ID 81, though this event can be subverted by hijacked trust provider components) as well as any other provided information events (ex: successful validations). Code Integrity event logging may also provide valuable indicators of malicious SIP or trust provider loads, since protected processes that attempt to load a maliciously-crafted trust validation component will likely fail (Event ID 3033). [16] |
||
| Enterprise | T1218 | System Binary Proxy Execution |
Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
|
| .002 | Control Panel |
Monitor for DLL/PE file events, such as the |
||
| .007 | Msiexec |
Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
||
| .008 | Odbcconf |
Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
||
| .010 | Regsvr32 |
Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
||
| .011 | Rundll32 |
Analyzing DLL exports and comparing to runtime arguments may be useful in uncovering obfuscated function calls. |
||
| Enterprise | T1220 | XSL Script Processing |
Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
|