Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0004 ✕ technique: T1204 ✕
Show ATT&CK heatmapUncommon DLL-sideloading from a logical CD-ROM (ISO) device Medium
A DLL was loaded by an executable from the same folder on a logical CD-ROM device (ISO).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001) User Execution: Malicious File (T1204.002)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load untrusted code into trusted contexts to avoid detection or escalate privileges.Investigative actions: Investigate the loaded module and verify if it is malicious. Check if the disk is a mounted CD-ROM (for example from an ISO file), and if it contains hidden files and folders. Check the content of an 'autorun.inf' or '.lnk' files if they exist.