Detects DLL injection by correlating memory allocation and writes into a remote process (e.g., VirtualAllocEx, WriteProcessMemory) with a subsequent remote thread creation (e.g., CreateRemoteThread) that loads a suspicious or unsigned DLL, either via LoadLibrary or through reflective loading.

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Named Pipe Metadata (DC0048) | WinEventLog:Sysmon | EventCode=17 |

| Field | Description |
|---|---|
| InjectedDLLSignatureStatus | Whether the DLL is unsigned, untrusted, or loaded from a non-standard path |
| TimeWindow | Temporal correlation threshold between memory operations and thread creation |
| TargetProcessList | List of sensitive or high-value processes targeted for injection (e.g., explorer.exe, winlogon.exe) |
| ParentProcessAnomalyThreshold | Degree of deviation from expected parent-child lineage |
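The correlation described above, worked through over constructed Sysmon-style events, as an added example that is not part of this detection strategy page: a write- and thread-capable Process Access (EventCode 10) against a listed target process is paired with a Module Load (EventCode 7) of an unsigned or non-standard-path DLL in that same PID inside the TimeWindow. Only EventCode 10 and 7 are correlated here (parent lineage from EventCode 1 and the named-pipe channel are left out); the field names are Sysmon's, the parameter values and sample events are assumptions.

```python
from datetime import datetime, timedelta

# Tunable parameters named after the fields above; the values are assumptions for this example.
TIME_WINDOW = timedelta(seconds=30)
TARGET_PROCESS_LIST = {"explorer.exe", "winlogon.exe", "lsass.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD: the handle rights that
# VirtualAllocEx, WriteProcessMemory and CreateRemoteThread respectively require.
INJECT_RIGHTS = 0x0008 | 0x0020 | 0x0002

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def is_suspicious_module(load):
    """An EventCode 7 module is suspicious if unsigned/untrusted or loaded outside trusted dirs."""
    untrusted = load.get("Signed", "false").lower() != "true" or load.get("SignatureStatus") != "Valid"
    nonstandard = not load["ImageLoaded"].lower().startswith(TRUSTED_DIRS)
    return untrusted or nonstandard

def correlate_injection(events, time_window=TIME_WINDOW, targets=TARGET_PROCESS_LIST):
    """Pair a write+thread-capable ProcessAccess (EID 10) on a listed target with a suspicious
    ImageLoad (EID 7) in the same PID within the time window; returns one alert per pair."""
    loads = [e for e in events if e["EventCode"] == 7]
    alerts = []
    for acc in (e for e in events if e["EventCode"] == 10):
        if (int(acc["GrantedAccess"], 16) & INJECT_RIGHTS) != INJECT_RIGHTS:
            continue  # handle cannot both write memory and start a thread
        if acc["TargetImage"].rsplit("\\", 1)[-1].lower() not in targets:
            continue
        t0 = _ts(acc["UtcTime"])
        for load in loads:
            delta = _ts(load["UtcTime"]) - t0
            if (load["ProcessId"] == acc["TargetProcessId"]
                    and timedelta(0) <= delta <= time_window and is_suspicious_module(load)):
                alerts.append({"source": acc["SourceImage"], "target": acc["TargetImage"],
                               "dll": load["ImageLoaded"], "seconds": delta.total_seconds()})
    return alerts

# Constructed sample events using Sysmon's field names; not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 10, "UtcTime": "2024-05-01 10:00:00.100", "TargetProcessId": 4120, "GrantedAccess": "0x1FFFFF",
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\updater.exe", "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventCode": 7, "UtcTime": "2024-05-01 10:00:02.300", "ProcessId": 4120, "Signed": "false",
     "SignatureStatus": "Unavailable", "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\helper.dll"},
    {"EventCode": 7, "UtcTime": "2024-05-01 10:00:03.000", "ProcessId": 4120, "Signed": "true",
     "SignatureStatus": "Valid", "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    {"EventCode": 10, "UtcTime": "2024-05-01 10:05:00.000", "TargetProcessId": 4120, "GrantedAccess": "0x1400",
     "SourceImage": r"C:\Program Files\Vendor\scanner.exe", "TargetImage": r"C:\Windows\explorer.exe"},
]
```

Running `correlate_injection(SAMPLE_EVENTS)` yields a single alert for helper.dll; the signed System32 load and the query-only handle from the scanner produce none.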