Module

Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries[1][2]

ID: DS0011
Platforms: Linux, Windows, macOS
Collection Layer: Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 30 March 2022

Data Components

Module: Module Load

Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)

Module: Module Load

Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)

Domain ID Name Detects
Enterprise T1547 Boot or Logon Autostart Execution

Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL.

.002 Authentication Package

Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned DLLs try to load into the LSA by setting the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe with AuditLevel = 8. [3] [4]

.003 Time Providers

There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk. [5]

.004 Winlogon Helper DLL

New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

.005 Security Support Provider

Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned SSP DLLs try to load into the LSA by setting the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe with AuditLevel = 8. [3] [4]

.008 LSASS Driver

Also monitor DLL load operations in lsass.exe. [6]

.010 Port Monitors

Monitor DLLs that are loaded by spoolsv.exe for DLLs that are abnormal. New DLLs written to the System32 directory that do not correlate with known good software or patching may be suspicious.

.012 Print Processors

Monitor for abnormal DLLs that are loaded by spoolsv.exe. Print processors that do not correlate with known good software or patching may be suspicious. New print processor DLLs are written to the print processor directory.

Enterprise T1059 Command and Scripting Interpreter

Monitor for events associated with scripting execution, such as the loading of modules associated with scripting languages (ex: JScript.dll or vbscript.dll).

.001 PowerShell

Monitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).[7][8]

Analytic 1 - Processes loading PowerShell assemblies

suspicious_processes = filter ProcessGuid, ProcessFilePath, ModulePath, FileDescription where EventId == "7" AND (ModulePath LIKE '%system.management.automation%' OR FileDescription LIKE '%system.management.automation%')

.005 Visual Basic

Monitor for the loading of modules associated with VB languages (ex: vbscript.dll).

Note: For Windows, Sysmon Event ID 7 (Image loaded) can be used to alert on the loading of DLL modules (e.g., vbscript.dll) associated with Visual Basic into processes. Due to the high frequency of image load operations, Event ID 7 can generate a large volume of events. Therefore, we recommend tuning the Sysmon configuration file to exclude common, benign image loads that may result in false positives.

.007 JavaScript

Monitor for the loading of modules associated with scripting languages (ex: JScript.dll).

Enterprise T1546 Event Triggered Execution

Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement.

.006 LC_LOAD_DYLIB Addition

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

.007 Netsh Helper DLL

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

.009 AppCert DLLs

Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Tools such as Sysinternals Autoruns may overlook AppCert DLLs as an auto-starting location. [9] [10]

.010 AppInit DLLs

Monitor DLL loads by processes that load user32.dll and look for DLLs that are not recognized or not normally loaded into a process.

.011 Application Shimming

Monitor DLL loads by processes that load user32.dll and look for DLLs that are not recognized or not normally loaded into a process.

.015 Component Object Model Hijacking

Likewise, if software DLL loads are collected and analyzed, any unusual DLL load that can be correlated with a COM object Registry modification may indicate COM hijacking has been performed.

ICS T0823 Graphical User Interface

Monitor DLL file events, specifically creation of these binary files as well as the loading of DLLs into processes associated with remote graphical connections, such as RDP and VNC. Remote Services may be used to access a host’s GUI.

Enterprise T1574 Hijack Execution Flow

Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths.

.001 DLL Search Order Hijacking

Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths.

.002 DLL Side-Loading

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

.004 Dylib Hijacking

Monitor for dynamic libraries being loaded. Run path dependent libraries can include LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, and LC_RPATH. Other special keywords are recognized by the macOS loader are @rpath, @loader_path, and @executable_path.[11] These loader instructions can be examined for individual binaries or frameworks using the otool -l command. Objective-See's Dylib Hijacking Scanner can be used to identify applications vulnerable to dylib hijacking

.005 Executable Installer File Permissions Weakness

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

.006 Dynamic Linker Hijacking

Monitor library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.

.012 COR_PROFILER

Monitor DLL files that are associated with COR_PROFILER environment variables.

Enterprise T1559 Inter-Process Communication

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

.001 Component Object Model

Monitor for COM objects loading DLLs and other modules not typically associated with the application.[12]

.002 Dynamic Data Exchange

Monitor processes for abnormal behavior indicative of DDE abuse, such as Microsoft Office applications loading DLLs and other modules not typically associated with the application or these applications spawning unusual processes (such as cmd.exe).

Enterprise T1556 Modify Authentication Process

Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Password filters will also show up as an autorun and loaded DLL in lsass.exe.[13] If AD FS is in use, monitor the AD FS server for the creation of DLLs as well as the loading of unrecognized or unsigned DLLs into the Microsoft.IdentityServer.Servicehost application.[14]

.002 Password Filter DLL

Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Password filters will also show up as an autorun and loaded DLL in lsass.exe.[13]

.007 Hybrid Identity

Monitor the hybrid identity solution in use for the loading of unauthorized DLLs. For example, monitor all PTA agent servers for the creation of DLLs as well as the loading of DLLs into the AzureADConnectAuthenticationAgentService process.[15] If AD FS is in use, monitor the AD FS server for the creation of DLLs as well as the loading of unrecognized or unsigned DLLs into the Microsoft.IdentityServer.Servicehost application.[14]

Enterprise T1106 Native API

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Utilization of the Windows APIs may involve processes loading/accessing system DLLs associated with providing called functions (ex: ntdll.dll, kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity.

Enterprise T1027 Obfuscated Files or Information

Monitoring module loads, especially those not explicitly included in import tables, may highlight obfuscated code functionality. Dynamic malware analysis may also expose signs of code obfuscation.[16]

.007 Dynamic API Resolution

Monitoring module loads, especially those not explicitly included in import tables, may highlight obfuscated API function calls. Dynamic malware analysis may also expose signs of function obfuscation, such as memory reads that correspond to addresses of API function code within modules.[16]

Enterprise T1137 Office Application Startup

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

.002 Office Test

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

Enterprise T1055 Process Injection

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

.001 Dynamic-link Library Injection

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. Sysmon Event ID 7 (Image loaded) can be used to monitor the loading of DLLs into processes. This is a particularly noisy event and can generate a large volume of data, so we recommend baselining and filtering out any known benign processes and module loads to help reduce the number of events that are produced.

.014 VDSO Hijacking

Monitor library load events, especially unusual creation of these binary files followed by loading into processes. Look for libraries that are not recognized or not normally loaded into a process.

Enterprise T1620 Reflective Code Loading

Monitor for artifacts of abnormal process execution. For example, a common signature related to reflective code loading on Windows is mechanisms related to the .NET Common Language Runtime (CLR) -- such as mscor.dll, mscoree.dll, and clr.dll -- loading into abnormal processes (such as notepad.exe)

Enterprise T1021 Remote Services

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes, that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

Note: On Windows, Sysmon Event ID 7 (Image loaded) can be used to monitor the loading of DLLs into processes, including those designed to accept remote connections. This is a particularly noisy event and can generate a large volume of data, so we recommend baselining and filtering out any known benign processes and module to help reduce the number of events that are produced.

.003 Distributed Component Object Model

Monitor for COM objects loading DLLs and other modules not typically associated with the application.[17]

Note: Sysmon Event ID 7 (Image loaded) can be used to monitor for suspicious DLLs loaded by the DCOM Server Process Launcher which runs inside of svchost.exe. This is a particularly noisy event and can generate a large volume of data, so we recommend baselining and filtering out any known benign svchost.exe module loads that occur as part of its typical operation.

ICS T0886 Remote Services

Monitor DLL file events, specifically creation of these files as well as the loading of DLLs into processes specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC.

ICS T0853 Scripting

Monitor for events associated with scripting execution, such as the loading of modules associated with scripting languages (e.g., JScript.dll, vbscript.dll).

Enterprise T1505 .005 Server Software Component: Terminal Services DLL

Monitor module loads by the Terminal Services process (ex: svchost.exe -k termsvcs) for unexpected DLLs (the default is %SystemRoot%\System32\termsrv.dll, though an adversary could also use Match Legitimate Name or Location to potentially conceal a malicious payload).

Enterprise T1129 Shared Modules

Monitoring module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of shared modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled, or system modules such that deviation from known module loads may be suspicious

Limiting module loads to trusted directories, such as %SystemRoot% and %ProgramFiles% on Windows, may protect against module loads from unsafe paths.

Enterprise T1553 Subvert Trust Controls

Enable CryptoAPI v2 (CAPI) event logging [18] to monitor and analyze error events related to failed trust validation (Event ID 81, though this event can be subverted by hijacked trust provider components) as well as any other provided information events (ex: successful validations). Code Integrity event logging may also provide valuable indicators of malicious SIP or trust provider loads, since protected processes that attempt to load a maliciously-crafted trust validation component will likely fail (Event ID 3033). [19]

.003 SIP and Trust Provider Hijacking

Enable CryptoAPI v2 (CAPI) event logging [18] to monitor and analyze error events related to failed trust validation (Event ID 81, though this event can be subverted by hijacked trust provider components) as well as any other provided information events (ex: successful validations). Code Integrity event logging may also provide valuable indicators of malicious SIP or trust provider loads, since protected processes that attempt to load a maliciously-crafted trust validation component will likely fail (Event ID 3033). [19]

Enterprise T1218 System Binary Proxy Execution

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

.002 Control Panel

Monitor for DLL/PE file events, such as the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll.

.007 Msiexec

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

.008 Odbcconf

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

.010 Regsvr32

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

.011 Rundll32

Analyzing DLL exports and comparing to runtime arguments may be useful in uncovering obfuscated function calls. Static Portable Executable (PE) analysis tools can be used to examine and dump the exports of a particular DLL.

Enterprise T1220 XSL Script Processing

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

References