DLL hijacking behaviors including unexpected DLL loads from non-standard directories, replacement of DLLs, phantom DLL insertion, redirection file creation, and substitution of legitimate DLLs. Defender correlates file system modifications, registry changes, and module load telemetry to detect abnormal DLL behavior in trusted processes.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| File Metadata (DC0059) | WinEventLog:Sysmon | EventCode=15 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| AllowedDllPaths | Known safe DLL directories to suppress false positives (e.g., C:\Windows\System32). |
| ProcessAllowList | Applications expected to load DLLs from non-standard locations (e.g., development tools). |
| TimeWindow | Correlation interval between DLL file creation, registry changes, and module load. |
| HashBaseline | Baseline hashes for legitimate DLLs used to detect substitution. |