Analytics Alerts
Browse the Cortex analytics alert reference.
8 alerts match the current filters. tactic: TA0005 ✕ technique: T1574 ✕
Show ATT&CK heatmapA rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process Informational 8 variations
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
A rare DLL, signed by an uncommon vendor, was hijacked into an injected Microsoft process
Medium overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by untrusted causality actor
Medium overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was downloaded from an uncommon source and was loaded into Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by a rarely seen vendor, was hijacked into a Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare and high entropy DLL, signed by an uncommon vendor, was hijacked into a Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was hijacked into a newly created Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was sideloaded into a Microsoft process
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
A rare DLL, signed by an uncommon vendor, was hijacked into a Microsoft process which was executed by a scheduled task
Low overridden
A signed DLL was loaded into a Microsoft-signed process. This DLL hash and signature vendor are rare, which might indicate an attacker performing DLL hijacking. overridden
Globally uncommon image load from a signed process Informational 5 variations
A signed process loaded a DLL that, on a global level, it usually doesn't load.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: System Binary Proxy Execution (T1218) Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: Global Anomaly Analytics, DLL Hijacking AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Check if the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon image load from a signed process from a known vendor
Medium overridden
A signed process loaded a DLL that, on a global level, it usually doesn't load. overridden
Globally uncommon unsigned image side loaded to a signed process
Medium overridden
A signed process side loaded an unsigned DLL that, on a global level, it usually doesn't load. overridden
Globally uncommon and very rare image load from a signed process
Medium overridden
A signed process loaded a DLL that, on a global level, it usually doesn't load. overridden
Globally uncommon image load from an injected thread in a signed process
Low overridden
An injected thread in a signed process loaded a DLL that, on a global level, it usually doesn't load. overridden
Globally uncommon DLL was downloaded from an uncommon source and loaded by a signed process
Low overridden
A signed process loaded a DLL that, on a global level, it usually doesn't load. overridden
Modification of the AD FS IdentityServer configuration file Informational Identity Analytics 1 variation
The AD FS service configuration file was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow (T1574)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Active Directory Federation Services AnalyticsAttacker's goals: The attacker's goal is to establish a persistent, high-privilege backdoor by forcing the service to load a malicious configuration that enables remote code execution and the bypass of security controls like MFA.Investigative actions: Check if the AD FS service was stopped or restarted around the time of modification. Investigate the process and user that performed the write operation for signs of compromise.Variations
Suspicious Modification of the AD FS IdentityServer configuration file
Low overridden
The AD FS service configuration file was modified. overridden
Possible DLL Hijack into a Microsoft process Informational 6 variations
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
Possible DLL Hijack of a low entropy DLL into a Microsoft process
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Side-Loading into a Microsoft process from a suspicious folder
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
DLL Hijack into a Microsoft process
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Hijack into a Microsoft development or framework related process
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Hijack into a Microsoft process - the DLL was extracted from an internet-downloaded archive
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Hijack into a Microsoft process - the DLL downloaded from an uncommon source
Informational overridden
An unsigned DLL was loaded into a Microsoft signed process.This DLL name is usually signed by Microsoft, which might indicate an attacker performing DLL Hijacking. overridden
Possible DLL Search Order Hijacking Low 3 variations
An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001) Hijack Execution Flow: Path Interception by PATH Environment Variable (T1574.007) Hijack Execution Flow: Path Interception by Unquoted Path (T1574.009) Hijack Execution Flow: Path Interception by Search Order Hijacking (T1574.008)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
Possible DLL Search Order Hijacking by DLL Substitution
Low overridden
An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden
Possible DLL Search Order Hijacking - DLL extracted from an internet-downloaded archive
Low overridden
An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden
Possible DLL Search Order Hijacking - DLL downloaded from an uncommon source
Low overridden
An attacker might abuse the Windows DLL search order to trigger known, signed processes to load the attacker's malicious module. overridden
Uncommon DLL-sideloading from a logical CD-ROM (ISO) device Medium
A DLL was loaded by an executable from the same folder on a logical CD-ROM device (ISO).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Defense Evasion (TA0005) Privilege Escalation (TA0004)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001) User Execution: Malicious File (T1204.002)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load untrusted code into trusted contexts to avoid detection or escalate privileges.Investigative actions: Investigate the loaded module and verify if it is malicious. Check if the disk is a mounted CD-ROM (for example from an ISO file), and if it contains hidden files and folders. Check the content of an 'autorun.inf' or '.lnk' files if they exist.Unsigned DLL Hijack into a Microsoft process Informational 7 variations
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
Unsigned DLL Hijack into a recently created Microsoft process which commonly loads the module as signed
Medium overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking.In addition, The Microsoft process which commonly loads the module as signed,had loaded the module as unsigned, which might indicate an attacker targeting a popular module name. overridden
Rare and unsigned DLL into an injected Microsoft process
Medium overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack of a low entropy DLL into a Microsoft process
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack of a high entropy DLL into a Microsoft process
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack into a Microsoft process - the DLL downloaded from an uncommon source
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack into a recently created Microsoft process
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Hijack into a Microsoft process which was executed by a scheduled task
Low overridden
An unsigned DLL was loaded into a Microsoft signed process.It is not common for the DLL to be loaded into Microsoft processes, which might indicate an attacker performing DLL Hijacking. overridden
Unsigned DLL Side-Loading Informational 6 variations
A signed process loaded an unsigned and rare module from the same folder.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005)ATT&CK techniques: Hijack Execution Flow: DLL (T1574.001)Required data: XDR AgentDetector tags: DLL Hijacking AnalyticsAttacker's goals: An attacker is attempting to load an untrusted module into a trusted context to avoid detection, gain persistence or to perform privilege escalation.Investigative actions: Investigate the loaded module to verify if it is malicious. Investigate if the loading process and the loaded module reside in legitimate locations.Variations
DLL Side-Loading of module bearing an invalid Microsoft signature
High overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned DLL Side-Loading to a signed microsoft process by a rare causality actor
Medium overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned DLL Side-Loading to a signed microsoft process
Low overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned DLL Side-Loading - DLL downloaded from an uncommon source
Low overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned high entropy DLL Side-Loading by untrusted causality actor
Low overridden
A signed process loaded an unsigned and rare module from the same folder. overridden
Unsigned DLL Side-Loading which was executed by a scheduled task
Low overridden
A signed process loaded an unsigned and rare module from the same folder. overridden