Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

7 alerts match the current filters. tactic: TA0004 ✕ technique: T1574 ✕

Show ATT&CK heatmap
  • A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process Informational 8 variations

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    A rare DLL, signed by an uncommon vendor, was hijacked into an injected Microsoft process

    Medium overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by untrusted causality actor

    Medium overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was downloaded from an uncommon source and was loaded into Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by a rarely seen vendor, was hijacked into a Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare and high entropy DLL, signed by an uncommon vendor, was hijacked into a Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was hijacked into a newly created Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was sideloaded into a Microsoft process

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

    A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by a scheduled task

    Low overridden

    A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden

  • Possible DLL Hijack into a Microsoft process Informational 6 variations

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    Possible DLL Hijack of a low entropy DLL into a Microsoft process

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    Possible DLL Side-Loading into a Microsoft process from a suspicious folder

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    DLL Hijack into a Microsoft process

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    Possible DLL Hijack into a Microsoft development or framework related process

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    Possible DLL Hijack into a Microsoft process - the DLL was extracted from an internet-downloaded archive

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

    Possible DLL Hijack into a Microsoft process - the DLL downloaded from an uncommon source

    Informational overridden

    An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden

  • Possible DLL Search Order Hijacking Low 3 variations

    An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001) Hijack Execution Flow: Path Interception by PATH Environment Variable (T1574.007) Hijack Execution Flow: Path Interception by Unquoted Path (T1574.009) Hijack Execution Flow: Path Interception by Search Order Hijacking (T1574.008)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    Possible DLL Search Order Hijacking by DLL Substitution

    Low overridden

    An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden

    Possible DLL Search Order Hijacking - DLL extracted from an internet-downloaded archive

    Low overridden

    An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden

    Possible DLL Search Order Hijacking - DLL downloaded from an uncommon source

    Low overridden

    An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden

  • Uncommon DLL-sideloading from a logical CD-ROM (ISO) device Medium

    A DLL was loaded by an executable from the same folder on a logical CD-ROM device (ISO).

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005) Privilege Escalation (TA0004)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001) User Execution: Malicious File (T1204.002)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load untrusted code into trusted contexts to avoid detection or escalate privileges.
    Investigative actions: Investigate the loaded module and verify if it is malicious. Check if the disk is a mounted CD-ROM (for example from an ISO file), and if it contains hidden files and folders. Check the content of an 'autorun.inf' or '.lnk' files if they exist.
  • Unknown DLL was added to the AD FS Global Assembly Cache path Informational Identity Analytics 1 variation

    A new and unknown DLL was created within the Active Directory Federation Services (AD FS) Global Assembly Cache (GAC). Attackers may manipulate IdentityServer adapters to achieve persistence or execute malicious code within the AD FS environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004)
    ATT&CK techniques: Hijack Execution Flow (T1574)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Active Directory Federation Services Analytics
    Attacker's goals: Attackers may inject malicious code into the AD FS server and manipulate the IdentityServer adapters to gain persistence.
    Investigative actions: Check if the AD FS service was stopped or restarted around the time of modification. Identify the user or process responsible for the file creation. Verify if the DLL is digitally signed by Microsoft. Compare the modification timestamp of this DLL against others in the same directory.

    Variations

    Suspicious DLL was added to the AD FS Global Assembly Cache path

    Low overridden

    A new and unknown DLL was created within the Active Directory Federation Services (AD FS) Global Assembly Cache (GAC). Attackers may manipulate IdentityServer adapters to achieve persistence or execute malicious code within the AD FS environment. overridden

  • Unsigned DLL Hijack into a Microsoft process Informational 7 variations

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    Unsigned DLL Hijack into a recently created Microsoft process which commonly loads the module as signed

    Medium overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.In addition, The Microsoft process which commonly loads the module as signed,had loaded the module as unsigned, which might indicate an attacker targeting a popular module name. overridden

    Rare and unsigned DLL into an injected Microsoft process

    Medium overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack of a low entropy DLL into a Microsoft process

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack of a high entropy DLL into a Microsoft process

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack into a Microsoft process - the DLL downloaded from an uncommon source

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack into a recently created Microsoft process

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

    Unsigned DLL Hijack into a Microsoft process which was executed by a scheduled task

    Low overridden

    An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden

  • Unsigned DLL Side-Loading Informational 6 variations

    A signed process loaded an unsigned and rare module from the same folder.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)
    ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)
    Required data: XDR Agent
    Detector tags: DLL Hijacking Analytics
    Attacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.
    Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.

    Variations

    DLL Side-Loading of module bearing an invalid Microsoft signature

    High overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned DLL Side-Loading to a signed microsoft process by a rare causality actor

    Medium overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned DLL Side-Loading to a signed microsoft process

    Low overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned DLL Side-Loading - DLL downloaded from an uncommon source

    Low overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned high entropy DLL Side-Loading by untrusted causality actor

    Low overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden

    Unsigned DLL Side-Loading which was executed by a scheduled task

    Low overridden

    A signed process loaded an unsigned and rare module from the same folder. overridden