Tony Phipps edited this page May 7, 2018 · 5 revisions

LSASS Driver

Execution, Persistence

Monitor DLL load operations in lsass.exe

SELECT DLLName 
WHERE Process CONTAINS lsass

AppCert DLLs

Persistence, Privilege Escalation

Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process.

SELECT DLLName, Process 
GROUP BY DLLName

AppInit DLLs

Persistence, Privilege Escalation

Monitor DLL loads by processes that load user32.dll and look for DLLs that are not recognized or not normally loaded into a process.

SELECT Process 
WHERE DLLName CONTAINS user32

DLL Search Order Hijacking

Defense Evasion, Persistence, Privilege Escalation

Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious.

SELECT *
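The four hunts above are written as pseudo-queries over DLL-load telemetry. As an added example that is not part of this wiki or its project, the following Python runs each hunt over a small constructed set of (process, DLL path) records: DLLs loaded into lsass.exe, per-DLL load counts with rare entries flagged, processes that load user32.dll, and a baseline comparison for DLL search order hijacking. Record layout, process names and paths are all assumptions.

```python
from collections import Counter

# Constructed sample DLL-load records (process name, DLL path); not real telemetry.
DLL_LOADS = [
    ("lsass.exe", r"C:\Windows\System32\ntdll.dll"),
    ("lsass.exe", r"C:\Windows\System32\lsasrv.dll"),
    ("lsass.exe", r"C:\Users\Public\unexpected.dll"),
    ("notepad.exe", r"C:\Windows\System32\user32.dll"),
    ("notepad.exe", r"C:\Temp\helper.dll"),
    ("svchost.exe", r"C:\Windows\System32\user32.dll"),
    ("svchost.exe", r"C:\Windows\System32\ntdll.dll"),
    ("explorer.exe", r"C:\Windows\System32\ntdll.dll"),
]

# Assumed baseline: only loads from the system directory were seen previously.
BASELINE = [r for r in DLL_LOADS if r[1].lower().startswith(r"c:\windows\system32")]


def dll_name(path):
    """Normalise a DLL path to its lower-cased file name."""
    return path.rsplit("\\", 1)[-1].lower()


def lsass_dll_loads(records):
    """LSASS Driver hunt: every DLL name loaded into lsass.exe."""
    return sorted({dll_name(p) for proc, p in records if "lsass" in proc.lower()})


def rare_dlls(records, threshold=1):
    """AppCert DLLs hunt: group loads by DLL name and return those seen at most `threshold` times."""
    counts = Counter(dll_name(p) for _, p in records)
    return sorted(name for name, n in counts.items() if n <= threshold)


def user32_loaders(records):
    """AppInit DLLs hunt: processes that load user32.dll (the AppInit_DLLs injection point)."""
    return sorted({proc for proc, p in records if dll_name(p) == "user32.dll"})


def new_dlls_per_process(baseline, current):
    """DLL Search Order Hijacking hunt: DLLs a process loads now that are absent from its baseline."""
    seen = {}
    for proc, p in baseline:
        seen.setdefault(proc.lower(), set()).add(dll_name(p))
    delta = {}
    for proc, p in current:
        name = dll_name(p)
        if name not in seen.get(proc.lower(), set()):
            delta.setdefault(proc.lower(), set()).add(name)
    return delta


if __name__ == "__main__":
    print("lsass loads:", lsass_dll_loads(DLL_LOADS))
    print("rare DLLs:", rare_dlls(DLL_LOADS))
    print("user32 loaders:", user32_loaders(DLL_LOADS))
    print("new DLLs vs baseline:", new_dlls_per_process(BASELINE, DLL_LOADS))
```

Note that the frequency hunt flags legitimate but rarely loaded DLLs (lsasrv.dll in this sample) alongside the unexpected ones, so it is a triage list rather than an alert; the baseline comparison is the more precise of the two.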