T1574.001

DLL

Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.(Citation: unit 42) Specific ways DLLs are abused by adversaries include:

DLL Sideloading

Adversaries may exec...

Platform: Windows
Detections: 106
Sources: 4
Threat Actors: 32

BY SOURCE

- sigma: 79
- splunk_escu: 15
- elastic: 11
- crowdstrike_cql: 1

PROCEDURES (41) (auto-extracted keyword clusters)

- Dll Side: 39 detections
- Module Load Monitoring: 6 detections
- Process Creation Monitoring: 5 detections
- Privilege: 4 detections
- General Monitoring: 4 detections
- Registry: 3 detections
- Azure: 2 detections
- Bypass: 2 detections
- Dns: 2 detections
- Parent Process: 2 detections
- Dll Hijack: 2 detections
- Dll Hijack: 2 detections
- Api: 2 detections
- Persist: 2 detections
- Dll Side: 2 detections
- Office: 2 detections
- Service: 1 detection
- Suspicious: 1 detection
- Masquerad: 1 detection
- Service: 1 detection
- Child Process: 1 detection
- Ransomware: 1 detection
- Privilege: 1 detection
- Unusual: 1 detection
- Suspicious: 1 detection
- Privilege: 1 detection
- File Monitoring: 1 detection
- Service: 1 detection
- Masquerad: 1 detection
- Api: 1 detection
- Ransomware: 1 detection
- Dns: 1 detection
- Masquerad: 1 detection
- Dll Hijack: 1 detection
- Api: 1 detection
- Unusual: 1 detection
- Child Process: 1 detection
- Service: 1 detection
- Dll Side: 1 detection
- Bypass: 1 detection
- Suspicious: 1 detection

DETECTIONS (106), listed as title (source, severity level where the source assigns one)

- Aruba Network Service Potential DLL Sideloading (sigma, high)
- Creation Of Non-Existent System DLL (sigma, medium)
- Creation of WerFault.exe/Wer.dll in Unusual Folder (sigma, medium)
- Deprecated - Suspicious PrintSpooler Service Executable File Creation (elastic, low)
- DHCP Callout DLL Installation (sigma, high)
- DHCP Server Error Failed Loading the CallOut DLL (sigma, high)
- DHCP Server Loaded the CallOut DLL (sigma, high)
- DLL Search Order Hijackig Via Additional Space in Path (sigma, high)
- DLL Sideloading by VMware Xfer Utility (sigma, high)
- DLL Sideloading Of ShellChromeAPI.DLL (sigma, high)
- Dll-Side Loading Detection Query (crowdstrike_cql)
- DNS Server Error Failed Loading the ServerLevelPluginDLL (sigma, high)
- Execution via local SxS Shared Module (elastic, medium)
- Fax Service DLL Search Order Hijack (sigma, high)
- HackTool - Powerup Write Hijack DLL (sigma, high)
- Malicious DLL File Dropped in the Teams or OneDrive Folder (sigma, high)
- Microsoft Defender Blocked from Loading Unsigned DLL (sigma, high)
- Microsoft Office DLL Sideload (sigma, high)
- MSI Module Loaded by Non-System Binary (splunk_escu)
- Msmpeng Application DLL Side Loading (splunk_escu)
- New DNS ServerLevelPluginDll Installed (sigma, high)
- New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE (sigma, high)
- Potential 7za.DLL Sideloading (sigma, low)
- Potential Antivirus Software DLL Sideloading (sigma, medium)
- Potential appverifUI.DLL Sideloading (sigma, high)
- Potential AVKkid.DLL Sideloading (sigma, medium)
- Potential Azure Browser SSO Abuse (sigma, low)
- Potential CCleanerDU.DLL Sideloading (sigma, medium)
- Potential CCleanerReactivator.DLL Sideloading (sigma, medium)
- Potential Chrome Frame Helper DLL Sideloading (sigma, medium)
- Potential DLL Side-Loading via Trusted Microsoft Programs (elastic, medium)
- Potential DLL Sideloading Of DBGCORE.DLL (sigma, medium)
- Potential DLL Sideloading Of DBGHELP.DLL (sigma, medium)
- Potential DLL Sideloading Of DbgModel.DLL (sigma, medium)
- Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE (sigma, high)
- Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE (sigma, medium)
- Potential DLL Sideloading Of MpSvc.DLL (sigma, medium)
- Potential DLL Sideloading Of MsCorSvc.DLL (sigma, medium)
- Potential DLL Sideloading Of Non-Existent DLLs From System Folders (sigma, high)
- Potential DLL Sideloading Via ClassicExplorer32.dll (sigma, medium)
- Potential DLL Sideloading Via comctl32.dll (sigma, high)
- Potential DLL Sideloading Via DeviceEnroller.EXE (sigma, medium)
- Potential DLL Sideloading Via JsSchHlp (sigma, medium)
- Potential DLL Sideloading Via VMware Xfer (sigma, high)
- Potential EACore.DLL Sideloading (sigma, high)
- Potential Edputil.DLL Sideloading (sigma, high)
- Potential Goopdate.DLL Sideloading (sigma, medium)
- Potential Initial Access via DLL Search Order Hijacking (sigma, medium)
- Potential Iviewers.DLL Sideloading (sigma, high)
- Potential JLI.dll Side-Loading (sigma, high)
- Potential Libvlc.DLL Sideloading (sigma, medium)
- Potential Mfdetours.DLL Sideloading (sigma, medium)
- Potential Mpclient.DLL Sideloading (sigma, high)
- Potential Mpclient.DLL Sideloading Via Defender Binaries (sigma, high)
- Potential Python DLL SideLoading (sigma, medium)
- Potential Rcdll.DLL Sideloading (sigma, high)
- Potential RjvPlatform.DLL Sideloading From Default Location (sigma, medium)
- Potential RjvPlatform.DLL Sideloading From Non-Default Location (sigma, high)
- Potential RoboForm.DLL Sideloading (sigma, medium)
- Potential ShellDispatch.DLL Sideloading (sigma, medium)
- Potential SmadHook.DLL Sideloading (sigma, high)
- Potential SolidPDFCreator.DLL Sideloading (sigma, medium)
- Potential System DLL Sideloading From Non System Locations (sigma, high)
- Potential Vivaldi_elf.DLL Sideloading (sigma, medium)
- Potential Waveedit.DLL Sideloading (sigma, high)
- Potential Wazuh Security Platform DLL Sideloading (sigma, medium)
- Potential Windows Session Hijacking via CcmExec (elastic, medium)
- Potential WWlib.DLL Sideloading (sigma, medium)
- Potentially Suspicious Child Process of KeyScrambler.exe (sigma, medium)
- Registry Modification for OCI DLL Redirection (sigma, high)
- Renamed Vmnat.exe Execution (sigma, high)
- Suspicious Antimalware Scan Interface DLL (elastic, high)
- Suspicious DLL Loaded for Persistence or Privilege Escalation (elastic, high)
- Suspicious GUP Usage (sigma, high)
- Suspicious Microsoft Antimalware Service Execution (elastic, high)
- Suspicious Unsigned Thor Scanner Execution (sigma, high)
- System Control Panel Item Loaded From Uncommon Location (sigma, high)
- Tasks Folder Evasion (sigma, high)
- Third Party Software DLL Sideloading (sigma, medium)
- UAC Bypass Attempt via Privileged IFileOperation COM Interface (elastic, high)
- UAC Bypass With Fake DLL (sigma, high)
- Unsigned .node File Loaded (sigma, medium)
- Unsigned Binary Loaded From Suspicious Location (sigma, high)
- Unsigned DLL Side-Loading from a Suspicious Folder (elastic, medium)
- Unsigned Mfdetours.DLL Sideloading (sigma, high)
- Unsigned Module Loaded by ClickOnce Application (sigma, medium)
- Untrusted DLL Loaded by Azure AD Sync Service (elastic, high)
- Use Of Hidden Paths Or Files (sigma, low)
- VMGuestLib DLL Sideload (sigma, medium)
- VMMap Signed Dbghelp.DLL Potential Sideloading (sigma, medium)
- VMMap Unsigned Dbghelp.DLL Potential Sideloading (sigma, high)
- Windows DLL Search Order Hijacking Hunt with Sysmon (splunk_escu)
- Windows DLL Search Order Hijacking with iscsicpl (splunk_escu)
- Windows DLL Side-Loading In Calc (splunk_escu)
- Windows DLL Side-Loading Process Child Of Calc (splunk_escu)
- Windows Hijack Execution Flow Version Dll Side Load (splunk_escu)
- Windows Known Abused DLL Created (splunk_escu)
- Windows Known Abused DLL Loaded Suspiciously (splunk_escu)
- Windows Known GraphicalProton Loaded Modules (splunk_escu)
- Windows Masquerading Explorer As Child Process (splunk_escu)
- Windows SqlWriter SQLDumper DLL Sideload (splunk_escu)
- Windows Unsigned DLL Side-Loading (splunk_escu)
- Windows Unsigned DLL Side-Loading In Same Process Path (splunk_escu)
- Windows Unsigned MS DLL Side-Loading (splunk_escu)
- WPS Office Exploitation via DLL Hijack (elastic, high)
- Xwizard.EXE Execution From Non-Default Location (sigma, high)