Analytics Alerts
Browse the Cortex analytics alert reference.
10 alerts match the current filters. tactic: TA0003 ✕ technique: T1574 ✕
Show ATT&CK heatmapA rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process Informational 8 variations
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
A rare DLL, signed by an uncommon vendor, was hijacked into an injected Microsoft process
Medium overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by untrusted causality actor
Medium overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was downloaded from an uncommon source and was loaded into Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by a rarely seen vendor, was hijacked into a Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare and high entropy DLL, signed by an uncommon vendor, was hijacked into a Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was hijacked into a newly created Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was sideloaded into a Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by a scheduled task
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
Autorun.inf created in root C drive Medium
An autorun file installed at the root of a C:\ drive is suspicious, as autorun files are typically associated with removable drives.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Lateral Movement (TA0008)ATT&CK techniques: Hijack Execution Flow: Services File Permissions Weakness (T1574.010) Replication Through Removable Media (T1091)Required data: XDR AgentAttacker's goals: The Autorun and AutoPlay components of Microsoft Windows operating systems may use 'Autorun.inf' to automatically execute a program (without user interaction). Adversaries can manipulate this mechanism to run a malicious program.Investigative actions: Read the content of the 'Autorun.inf' file from the root directory folder of the drive (the file may be hidden).Modification of the AD FS IdentityServer configuration file Informational Identity Analytics 1 variation
The AD FS service configuration file was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow (T1574)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Federation Services AnalyticsAttacker's goals: The attacker's goal is to establish a persistent, high-privilege backdoor by forcing the service to load a malicious configuration that enables remote code execution and the bypass of security controls like MFA.Investigative actions: Check if the AD FS service was stopped or restarted around the time of modification. Investigate the process and user that performed the write operation for signs of compromise.Variations
Suspicious Modification of the AD FS IdentityServer configuration file
Low overridden
The AD FS service configuration file was modified. overridden
Phantom DLL Loading Medium 2 variations
An attacker might leverage existing processes missing module loads to load malicious code into trusted processes.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load untrusted code into trusted contexts to avoid detection, persist or escalate privileges.Investigative actions: Investigate the loaded module and verify if it is malicious.Variations
Phantom DLL Loading was used to load a DLL into a process after it was extracted from an internet-downloaded archive
High overridden
An attacker might leverage existing processes missing module loads to load malicious code into trusted processes. overridden
Phantom DLL Loading was used to load a DLL into a process after it was downloaded from an uncommon source
High overridden
An attacker might leverage existing processes missing module loads to load malicious code into trusted processes. overridden
Possible DLL Hijack into a Microsoft process Informational 6 variations
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
Possible DLL Hijack of a low entropy DLL into a Microsoft process
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Side-Loading into a Microsoft process from a suspicious folder
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
DLL Hijack into a Microsoft process
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Hijack into a Microsoft development or framework related process
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Hijack into a Microsoft process - the DLL was extracted from an internet-downloaded archive
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Hijack into a Microsoft process - the DLL downloaded from an uncommon source
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Search Order Hijacking Low 3 variations
An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001) Hijack Execution Flow: Path Interception by PATH Environment Variable (T1574.007) Hijack Execution Flow: Path Interception by Unquoted Path (T1574.009) Hijack Execution Flow: Path Interception by Search Order Hijacking (T1574.008)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
Possible DLL Search Order Hijacking by DLL Substitution
Low overridden
An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden
Possible DLL Search Order Hijacking - DLL extracted from an internet-downloaded archive
Low overridden
An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden
Possible DLL Search Order Hijacking - DLL downloaded from an uncommon source
Low overridden
An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden
Unknown DLL was added to the AD FS Global Assembly Cache path Informational Identity Analytics 1 variation
A new and unknown DLL was created within the Active Directory Federation Services (AD FS) Global Assembly Cache (GAC). Attackers may manipulate IdentityServer adapters to achieve persistence or execute malicious code within the AD FS environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)ATT&CK techniques: Hijack Execution Flow (T1574)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Federation Services AnalyticsAttacker's goals: Attackers may inject malicious code into the AD FS server and manipulate the IdentityServer adapters to gain persistence.Investigative actions: Check if the AD FS service was stopped or restarted around the time of modification. Identify the user or process responsible for the file creation. Verify if the DLL is digitally signed by Microsoft. Compare the modification timestamp of this DLL against others in the same directory.Variations
Suspicious DLL was added to the AD FS Global Assembly Cache path
Low overridden
A new and unknown DLL was created within the Active Directory Federation Services (AD FS) Global Assembly Cache (GAC). Attackers may manipulate IdentityServer adapters to achieve persistence or execute malicious code within the AD FS environment. overridden
Unsigned DLL Hijack into a Microsoft process Informational 7 variations
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
Unsigned DLL Hijack into a recently created Microsoft process which commonly loads the module as signed
Medium overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.In addition, The Microsoft process which commonly loads the module as signed,had loaded the module as unsigned, which might indicate an attacker targeting a popular module name. overridden
Rare and unsigned DLL into an injected Microsoft process
Medium overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack of a low entropy DLL into a Microsoft process
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack of a high entropy DLL into a Microsoft process
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack into a Microsoft process - the DLL downloaded from an uncommon source
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack into a recently created Microsoft process
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack into a Microsoft process which was executed by a scheduled task
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Side-Loading Informational 6 variations
A signed process loaded an unsigned and rare module from the same folder.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
DLL Side-Loading of module bearing an invalid Microsoft signature
High overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned DLL Side-Loading to a signed microsoft process by a rare causality actor
Medium overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned DLL Side-Loading to a signed microsoft process
Low overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned DLL Side-Loading - DLL downloaded from an uncommon source
Low overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned high entropy DLL Side-Loading by untrusted causality actor
Low overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned DLL Side-Loading which was executed by a scheduled task
Low overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unusual process access to ld.so.preload file Medium
Attackers can modify ld.so.preload to inject malicious code into every dynamically linked process, enabling persistence and code execution. This detected operation is considered atypical in terms of access.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Hijack Execution Flow: Dynamic Linker Hijacking (T1574.006)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: This allows attackers to inject malicious code into system processes, gain persistence, code injection, evade detection, and potentially escalate privileges.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow. Download the /etc/ld.so.preload file from the host and see if and what libraries are specified there. Download any library specified and see if it's benign.