EXPLORE
Sign In
← Back to Explore
T1129

Shared Modules

Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)). Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that per...

LinuxmacOSWindows
14
Detections
3
Sources
1
Threat Actors

BY SOURCE

8elastic5splunk_escu1sigma

PROCEDURES (13)

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Unusual1 detections

Auto-extracted: 1 detections for unusual

Office1 detections

Auto-extracted: 1 detections for office

Office1 detections

Auto-extracted: 1 detections for office

Child Process1 detections

Auto-extracted: 1 detections for child process

Module Load Monitoring1 detections

Auto-extracted: 1 detections for module load monitoring

Evasion1 detections

Auto-extracted: 1 detections for evasion

Unusual1 detections

Auto-extracted: 1 detections for unusual

Office1 detections

Auto-extracted: 1 detections for office

Powershell1 detections

Auto-extracted: 1 detections for powershell

Powershell1 detections

Auto-extracted: 1 detections for powershell

Child Process1 detections

Auto-extracted: 1 detections for child process

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

THREAT ACTORS (1)

Mustang Panda

DETECTIONS (14)

Execution via local SxS Shared Module
elasticmedium
ImageLoad via Windows Update Auto Update Client
elasticmedium
Suspicious Execution from Foomatic-rip or Cupsd Parent
elastichigh
Suspicious Execution via Microsoft Office Add-Ins
elasticmedium
Suspicious SolarWinds Web Help Desk Java Module Load or Child Process
elastichigh
Unsigned .node File Loaded
sigmamedium
Unsigned DLL loaded by DNS Service
elasticmedium
Unusual Library Load via Python
elastichigh
Windows Executable in Loaded Modules
splunk_escu
Windows PowerShell Module File Created
splunk_escu
Windows PowerShell Script TabExpansion Direct Call
splunk_escu
Windows Remote Image Load
splunk_escu
Windows XLL File Creation Outside of Typical Location
splunk_escu
WPS Office Exploitation via DLL Hijack
elastichigh