Module Load

When a process or program dynamically loads a shared library, module, or plugin into its memory space. This is typically done to extend the functionality of an application, to access shared system resources, or to interact with kernel-mode components.

Data Collection Measures:

  • Event Logging (Windows):
    • Sysmon Event ID 7: Logs when a DLL is loaded into a process.
    • Windows Security Event ID 4688: Captures process creation events, often useful for correlating module loads.
    • Windows Defender ATP: Can provide visibility into suspicious module loads.
  • Event Logging (Linux/macOS):
    • AuditD (execve and open syscalls): Captures when shared libraries (.so files) are loaded.
    • Ltrace/Strace: Monitors process behavior, including library calls (dlopen, execve).
    • MacOS Endpoint Security Framework (ESF): Monitors library loads (ES_EVENT_TYPE_NOTIFY_DYLD_INSERT_LIBRARIES).
  • Endpoint Detection & Response (EDR):
    • EDR agents provide real-time telemetry on module loads and process injections.
    • Sysinternals Process Monitor (procmon): Captures loaded modules and their execution context.
  • Memory Forensics:
    • Volatility Framework (malfind, ldrmodules): Detects injected DLLs and anomalous module loads.
    • Rekall Framework: Useful for kernel-mode module detection.
  • SIEM and Log Analysis:
    • Centralized log aggregation to correlate suspicious module loads across the environment.
    • Detection rules using correlation searches and behavioral analytics.
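The following script is an added illustration of the collection measures above and is not part of the ATT&CK page. It parses constructed samples of two of the sources named here, a Sysmon Event ID 7 export (fields Image, ImageLoaded, Signed, SignatureStatus) and Linux auditd SYSCALL/PATH records for openat of a shared object, and flags loads from user-writable or non-standard paths or with a missing signature. The user-writable path prefixes, the sample events and the reason strings are assumptions for the example.

```python
"""Triage of module-load telemetry from two of the sources listed above:
Sysmon Event ID 7 (ImageLoaded) exported as XML, and Linux auditd
SYSCALL/PATH records for openat of shared objects. All events below are
constructed samples, not real captures."""
import re
import xml.etree.ElementTree as ET

# Path prefixes an unprivileged user can normally write to (assumed baseline;
# tune per environment). A library loaded from here is the anomaly the
# ETW LoadImage, osquery '/tmp/%.so' and auditd openat/mmap sources key on.
WINDOWS_USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "\\\\")
LINUX_USER_WRITABLE = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/")

# Constructed Sysmon export: one benign load, one suspicious load, one non-ID-7 event.
SYSMON_EVENT_XML = r"""<Events>
<Event><System><EventID>7</EventID></System><EventData>
<Data Name="Image">C:\Windows\System32\svchost.exe</Data>
<Data Name="ImageLoaded">C:\Windows\System32\kernel32.dll</Data>
<Data Name="Signed">true</Data>
<Data Name="SignatureStatus">Valid</Data>
</EventData></Event>
<Event><System><EventID>7</EventID></System><EventData>
<Data Name="Image">C:\Windows\System32\rundll32.exe</Data>
<Data Name="ImageLoaded">C:\Users\alice\AppData\Local\Temp\update.dll</Data>
<Data Name="Signed">false</Data>
<Data Name="SignatureStatus">Unavailable</Data>
</EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="Image">C:\Windows\System32\cmd.exe</Data>
</EventData></Event>
</Events>"""

# Constructed auditd records. mmap records carry only a file descriptor, so the
# openat (syscall 257 on x86_64) PATH record is the practical place to see the .so path.
AUDITD_LINES = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=257 success=yes exit=3 comm="nginx" exe="/usr/sbin/nginx"
type=PATH msg=audit(1700000000.100:101): item=0 name="/usr/lib/x86_64-linux-gnu/libz.so.1" inode=12345 mode=0100644
type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=257 success=yes exit=4 comm="sshd" exe="/usr/sbin/sshd"
type=PATH msg=audit(1700000000.200:102): item=0 name="/dev/shm/.x/libhook.so" inode=99887 mode=0100755
""".splitlines()

AUDIT_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_sysmon_image_loads(xml_text):
    """Yield the EventData fields of every Event ID 7 record in a Sysmon XML export."""
    for event in ET.fromstring(xml_text).iter("Event"):
        if event.findtext("System/EventID") != "7":
            continue
        yield {d.get("Name"): (d.text or "") for d in event.iter("Data")}


def triage_sysmon(xml_text):
    """Return (loading process, loaded image, reasons) for suspicious DLL loads."""
    findings = []
    for f in parse_sysmon_image_loads(xml_text):
        loaded = f.get("ImageLoaded", "")
        reasons = []
        if loaded.lower().startswith(WINDOWS_USER_WRITABLE):
            reasons.append("image from user-writable or UNC path")
        if f.get("Signed", "").lower() != "true" or f.get("SignatureStatus") != "Valid":
            reasons.append("unsigned or invalid signature")
        if reasons:
            findings.append((f.get("Image", ""), loaded, reasons))
    return findings


def parse_audit_record(line):
    """Split one auditd line into key/value pairs, dropping quotes around values."""
    return {k: v.strip('"') for k, v in AUDIT_KV.findall(line)}


def triage_auditd(lines):
    """Join SYSCALL and PATH records by their audit(...) serial and flag .so opens
    from user-writable locations."""
    events = {}
    for line in lines:
        rec = parse_audit_record(line)
        # msg=audit(<timestamp>:<serial>): is shared by all records of one event
        events.setdefault(rec.get("msg", ""), {}).update(rec)
    findings = []
    for rec in events.values():
        name = rec.get("name", "")
        is_shared_object = name.endswith(".so") or ".so." in name
        if is_shared_object and name.startswith(LINUX_USER_WRITABLE):
            findings.append((rec.get("exe", ""), name, ["shared object from user-writable path"]))
    return findings


if __name__ == "__main__":
    for finding in triage_sysmon(SYSMON_EVENT_XML) + triage_auditd(AUDITD_LINES):
        print(finding)
```

The path-prefix check is the same logic the osquery and ETW rows in the log-source table below express as queries; in production the benign baseline (which processes load which libraries, and from where) should come from the environment's own history rather than a fixed list, and signature state should be re-verified on the endpoint rather than trusted from the event alone.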

ID: DC0016
Domains: ICS, Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name | Channel
auditd:file-events | open of suspicious .so from non-standard paths
auditd:MMAP | load: Loading of libzip.so, libz.so, or libbz2.so by processes not normally associated with archiving
auditd:SYSCALL | openat/read/mmap: Open/mmap .so files from non-standard paths
auditd:SYSCALL | LD_PRELOAD Logging
auditd:SYSCALL | mmap
auditd:SYSCALL | dmesg
auditd:SYSCALL | module load or memory map path
esxi:vmkernel | unexpected module load
esxi:vmkernel | module load
ETW:LoadImage | provider: ETW LoadImage events for images from user-writable/UNC paths
etw:Microsoft-Windows-Kernel-ImageLoad | provider: Unsigned/user-writable image loads into msbuild.exe
linux:osquery | select: Open files path LIKE '/tmp/%.so' OR '/dev/shm/%.so'
linux:osquery | Dynamic Linking State
linux:osquery | Process linked with libcrypto.so making external connections
linux:osquery | Processes linked with libssl/libcrypto performing network activity
linux:syslog | kmod
linux:Sysmon | EventCode=7
m365:unified | Non-standard Office startup component detected (e.g., unexpected DLL path)
macos:endpointsecurity | ES_EVENT_TYPE_NOTIFY_KEXTLOAD
macos:osquery | select: path LIKE '%/Library/%/*.dylib' OR '/tmp/*.dylib'
macos:syslog | DYLD_INSERT_LIBRARIES anomalies
macos:unifiedlog | dyld/unified log entries indicating image load from non-system paths
macos:unifiedlog | dynamic loading of sleep-related functions or sandbox detection libraries
macos:unifiedlog | DYLD event subsystem
macos:unifiedlog | process execution events with dylib load activity
macos:unifiedlog | Process memory maps new dylib (dylib_load event)
macos:unifiedlog | Dylib loaded from abnormal location
macos:unifiedlog | Loading of libz.dylib, libarchive.dylib by non-standard applications
macos:unifiedlog | suspicious dlopen/dlsym usage in non-development processes
macos:unifiedlog | delay/sleep library usage in user context
macos:unifiedlog | subsystem=com.apple.kextd
macos:unifiedlog | loading of unexpected dylibs compared to historical baselines
macos:unifiedlog | launch and dylib load
Module | None
snmp:status | Status change in cryptographic hardware modules (enabled -> disabled)
WinEventLog:Application | CLR Assembly creation, loading, or modification logs via MSSQL CLR integration
WinEventLog:Security | EventCode=3033
WinEventLog:Security | EventCode=3063
WinEventLog:Sysmon | EventCode=7

Detection Strategy

ID | Name | Technique Detected
DET0455 | Abuse of PowerShell for Arbitrary Execution | T1059.001
DET0556 | Behavior-chain detection strategy for T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild (Windows) | T1127.001
DET0191 | Behavior-chain detection strategy for T1127.002 Trusted Developer Utilities Proxy Execution: ClickOnce (Windows) | T1127.002
DET0151 | Behavior-chain, platform-aware detection strategy for T1124 System Time Discovery | T1124
DET0197 | Behavior-chain, platform-aware detection strategy for T1125 Video Capture | T1125
DET0172 | Behavior-chain, platform-aware detection strategy for T1127 Trusted Developer Utilities Proxy Execution (Windows) | T1127
DET0018 | Behavior-chain, platform-aware detection strategy for T1129 Shared Modules | T1129
DET0537 | Behavioral detection for Supply Chain Compromise (package/update tamper → install → first-run) | T1195
DET0389 | Behavioral Detection of DLL Injection via Windows API | T1055.001
DET0529 | Behavioral Detection of Native API Invocation via Unusual DLL Loads and Direct Syscalls | T1106
DET0508 | Behavioral Detection of Process Injection Across Platforms | T1055
DET0076 | Behavioral Detection of Visual Basic Execution (VBS/VBA/VBScript) | T1059.005
DET0202 | Behavioral Detection of Windows Command Shell Execution | T1059.003
DET0309 | Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly) | T1195.002
DET0264 | Cross-Platform Detection of JavaScript Execution Abuse | T1059.007
DET0224 | Detect Abuse of Component Object Model (T1559.001) | T1559.001
DET0504 | Detect Abuse of Dynamic Data Exchange (T1559.002) | T1559.002
DET0122 | Detect Abuse of Windows Time Providers for Persistence | T1547.003
DET0526 | Detect Archiving and Encryption of Collected Data (T1560) | T1560
DET0268 | Detect Archiving via Library (T1560.002) | T1560.002
DET0298 | Detect Archiving via Utility (T1560.001) | T1560.001
DET0507 | Detect browser session hijacking via privilege, handle access, and remote thread into browsers | T1185
DET0336 | Detect Compromise of Host Software Binaries | T1554
DET0271 | Detect Domain Controller Authentication Process Modification (Skeleton Key) | T1556.001
DET0293 | Detect Hybrid Identity Authentication Process Modification | T1556.007
DET0207 | Detect LSA Authentication Package Persistence via Registry and LSASS DLL Load | T1547.002
DET0472 | Detect Malicious Password Filter DLL Registration | T1556.002
DET0104 | Detect Modification of Authentication Processes Across Platforms | T1556
DET0580 | Detect Network Provider DLL Registration and Credential Capture | T1556.008
DET0095 | Detect Persistence via Malicious Outlook Rules | T1137.005
DET0315 | Detect Persistence via Office Test Registry DLL Injection | T1137.002
DET0029 | Detect Persistence via Outlook Custom Forms Triggered by Malicious Email | T1137.003
DET0177 | Detect Persistence via Outlook Home Page Exploitation | T1137.004
DET0346 | Detect Screen Capture via Commands and API Calls | T1113
DET0230 | Detect Suspicious or Malicious Code Signing Abuse | T1553.002
DET0141 | Detect Time-Based Evasion via Sleep, Timer Loops, and Delayed Execution | T1497.003
DET0225 | Detect unauthorized LSASS driver persistence via LSA plugin abuse (Windows) | T1547.008
DET0069 | Detect unauthorized or suspicious Hardware Additions (USB/Thunderbolt/Network) | T1200
DET0404 | Detect Winlogon Helper DLL Abuse via Registry and Process Artifacts on Windows | T1547.004
DET0086 | Detect WMI Event Subscription for Persistence via WmiPrvSE Process and MOF Compilation | T1546.003
DET0205 | Detect XSL Script Abuse via msxsl and wmic | T1220
DET0361 | Detecting .NET COM Registration Abuse via Regsvcs/Regasm | T1218.009
DET0433 | Detecting Code Injection via mavinject.exe (App-V Injector) | T1218.013
DET0025 | Detecting Electron Application Abuse for Proxy Execution | T1218.015
DET0222 | Detecting MMC (.msc) Proxy Execution and Malicious COM Activation | T1218.014
DET0486 | Detecting Odbcconf Proxy Execution of Malicious DLLs | T1218.008
DET0440 | Detecting PowerShell Execution via SyncAppvPublishingServer.vbs Proxy Abuse | T1216.002
DET0528 | Detecting Remote Script Proxy Execution via PubPrn.vbs | T1216.001
DET0139 | Detection of Credential Harvesting via API Hooking | T1056.004
DET0007 | Detection of Domain Trust Discovery via API, Script, and CLI Enumeration | T1482
DET0772 | Detection of Graphical User Interface | T0823
DET0377 | Detection of Kernel/User-Level Rootkit Behavior Across Platforms | T1014
DET0437 | Detection of LSA Secrets Dumping via Registry and Memory Extraction | T1003.004
DET0138 | Detection of Malicious Code Execution via InstallUtil.exe | T1218.004
DET0194 | Detection of Malicious Control Panel Item Execution via control.exe or Rundll32 | T1218.002
DET0158 | Detection of Msiexec Abuse for Local, Network, and DLL Execution | T1218.007
DET0081 | Detection of Proxy Execution via Trusted Signed Binaries Across Platforms | T1218
DET0804 | Detection of Remote Services | T0886
DET0466 | Detection of Script-Based Proxy Execution via Signed Microsoft Utilities | T1216
DET0735 | Detection of Scripting | T0853
DET0342 | Detection of Suspicious Compiled HTML File Execution via hh.exe | T1218.001
DET0362 | Detection Strategy for AppCert DLLs Persistence via Registry Injection | T1546.009
DET0017 | Detection Strategy for Application Shimming via sdbinst.exe and Registry Artifacts (Windows) | T1546.011
DET0091 | Detection Strategy for Dynamic API Resolution via Hash-Based Function Lookups | T1027.007
DET0273 | Detection Strategy for Encrypted Channel across OS Platforms | T1573
DET0543 | Detection Strategy for Encrypted Channel via Asymmetric Cryptography across OS Platforms | T1573.002
DET0143 | Detection Strategy for Encrypted Channel via Symmetric Cryptography across OS Platforms | T1573.001
DET0557 | Detection Strategy for Event Triggered Execution: AppInit DLLs (Windows) | T1546.010
DET0595 | Detection Strategy for Exploitation for Defense Evasion | T1211
DET0514 | Detection Strategy for Exploitation for Privilege Escalation | T1068
DET0218 | Detection Strategy for Hijack Execution Flow across OS platforms. | T1574
DET0201 | Detection Strategy for Hijack Execution Flow for DLLs | T1574.001
DET0517 | Detection Strategy for Hijack Execution Flow through the AppDomainManager on Windows. | T1574.014
DET0038 | Detection Strategy for Hijack Execution Flow using Executable Installer File Permissions Weakness | T1574.005
DET0479 | Detection Strategy for Hijack Execution Flow using the Windows COR_PROFILER. | T1574.012
DET0152 | Detection Strategy for Hijack Execution Flow: Dylib Hijacking | T1574.004
DET0435 | Detection Strategy for Hijack Execution Flow: Dynamic Linker Hijacking | T1574.006
DET0216 | Detection Strategy for LC_LOAD_DYLIB Modification in Mach-O Binaries on macOS | T1546.006
DET0347 | Detection Strategy for Masquerading via Legitimate Resource Name or Location | T1036.005
DET0575 | Detection Strategy for Netsh Helper DLL Persistence via Registry and Child Process Monitoring (Windows) | T1546.007
DET0324 | Detection Strategy for Polymorphic Code Mutation and Execution | T1027.014
DET0300 | Detection Strategy for Reflective Code Loading | T1620
DET0181 | Detection Strategy for SQL Stored Procedures Abuse via T1505.001 | T1505.001
DET0442 | Detection Strategy for Subvert Trust Controls using SIP and Trust Provider Hijacking. | T1553.003
DET0282 | Detection Strategy for System Binary Proxy Execution: Regsvr32 | T1218.010
DET0475 | Detection Strategy for T1218.011 Rundll32 Abuse | T1218.011
DET0042 | Detection Strategy for T1218.012 Verclsid Abuse | T1218.012
DET0046 | Detection Strategy for T1497 Virtualization/Sandbox Evasion | T1497
DET0166 | Detection Strategy for T1505.002 - Transport Agent Abuse (Windows/Linux) | T1505.002
DET0068 | Detection Strategy for T1505.004 - Malicious IIS Components | T1505.004
DET0212 | Detection Strategy for T1505.005 – Terminal Services DLL Modification (Windows) | T1505.005
DET0204 | Detection Strategy for T1547.010 – Port Monitor DLL Persistence via spoolsv.exe (Windows) | T1547.010
DET0388 | Detection Strategy for T1548.002 – Bypass User Account Control (UAC) | T1548.002
DET0352 | Detection Strategy for T1550.003 - Pass the Ticket (Windows) | T1550.003
DET0467 | Detection Strategy for TLS Callback Injection via PE Memory Modification and Hollowing | T1055.005
DET0448 | Detection Strategy for VDSO Hijacking on Linux | T1055.014
DET0339 | Detection Strategy for Weaken Encryption on Network Devices | T1600
DET0087 | Encrypted or Encoded File Payload Detection Strategy | T1027.013
DET0474 | Environmental Keying Discovery-to-Decryption Behavioral Chain Detection Strategy | T1480.001
DET0080 | Exploit Public-Facing Application – multi-signal correlation (request → error → post-exploit process/egress) | T1190
DET0118 | Exploitation of Remote Services – multi-platform lateral movement detection | T1210
DET0368 | Hardware Supply Chain Compromise Detection via Host Status & Boot Integrity Checks | T1195.003
DET0285 | Multi-Event Behavioral Detection for DCOM-Based Remote Code Execution | T1021.003
DET0372 | Multi-Platform Detection Strategy for T1678 - Delay Execution | T1678
DET0562 | Multi-Platform Execution Guardrails Environmental Validation Detection Strategy | T1480
DET0542 | Registry and LSASS Monitoring for Security Support Provider Abuse | T1547.005
DET0016 | Security Software Discovery Across Platforms | T1518.001
DET0162 | Socket-filter trigger → on-host raw-socket activity → reverse connection (T1205.002) | T1205.002
DET0009 | Supply-chain tamper in dependencies/dev-tools (manager→write/install→first-run→egress) | T1195.001
DET0168 | Virtualization/Sandbox Evasion via System Checks across Windows, Linux, macOS | T1497.001
DET0481 | Windows COM Hijacking Detection via Registry and DLL Load Correlation | T1546.015
DET0026 | Windows Detection Strategy for T1547.012 - Print Processor DLL Persistence | T1547.012