EXPLORE
Sign In
← Back to Explore
T1129

Shared Modules

Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)). Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that per...

LinuxmacOSWindows
10
Detections
3
Sources
1
Threat Actors

BY SOURCE

8elastic1sigma1splunk_escu

PROCEDURES (8)

Unusual2 detections

Auto-extracted: 2 detections for unusual

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Remote1 detections

Auto-extracted: 1 detections for remote

Module Load Monitoring1 detections

Auto-extracted: 1 detections for module load monitoring

Remote1 detections

Auto-extracted: 1 detections for remote

Office1 detections

Auto-extracted: 1 detections for office

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

THREAT ACTORS (1)

Mustang Panda

DETECTIONS (10)

Execution via local SxS Shared Module
elasticmedium
ImageLoad via Windows Update Auto Update Client
elasticmedium
Suspicious Execution from Foomatic-rip or Cupsd Parent
elastichigh
Suspicious Execution via Microsoft Office Add-Ins
elasticmedium
Suspicious SolarWinds Web Help Desk Java Module Load or Child Process
elastichigh
Unsigned .node File Loaded
sigmamedium
Unsigned DLL loaded by DNS Service
elasticmedium
Unusual Library Load via Python
elastichigh
Windows Executable in Loaded Modules
splunk_escu
WPS Office Exploitation via DLL Hijack
elastichigh