
DS0011 Module

Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries [1][2]

ID: DS0011
Platforms: Linux, Windows, macOS
Collection Layers: Host
Version: 1.0
Created: 20 October 2021
Last Modified: 30 March 2022

Data Components

Module Load

Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)
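As an added illustration of working with this data component (this is example code, not MITRE's or Sysmon's own), the Python below parses constructed Sysmon Event ID 7 records and applies the checks a detection engineer would typically layer on top of module-load telemetry: unsigned modules, modules whose Authenticode signature does not verify, modules loaded from user-writable directories, and well-known system DLL names resolved from outside the Windows system directories (the shape of DLL search order hijacking and side-loading). The three sample events, the directory markers and the watch-list of DLL names are assumptions made for the example; real events carry the Sysmon XML namespace, which the parser ignores.

```python
"""Flag suspicious Sysmon Event ID 7 (ImageLoad) records.

Added example; not MITRE ATT&CK or Sysmon code. The events, directory
markers and DLL watch-list below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed Sysmon EID 7 records in the EventData layout Sysmon writes.
SAMPLE_EVENTS = [
    # 1. Benign: signed Microsoft DLL loaded from System32.
    r"""<Event><System><EventID>7</EventID></System><EventData>
      <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
      <Data Name="ImageLoaded">C:\Windows\System32\version.dll</Data>
      <Data Name="Hashes">SHA256=0000000000000000000000000000000000000000000000000000000000000001</Data>
      <Data Name="Signed">true</Data>
      <Data Name="Signature">Microsoft Windows</Data>
      <Data Name="SignatureStatus">Valid</Data>
    </EventData></Event>""",
    # 2. Unsigned DLL with a system DLL's name, loaded from a Temp directory
    #    beside the calling executable: the side-loading / search-order shape.
    r"""<Event><System><EventID>7</EventID></System><EventData>
      <Data Name="Image">C:\Users\alice\AppData\Local\Temp\updater.exe</Data>
      <Data Name="ImageLoaded">C:\Users\alice\AppData\Local\Temp\version.dll</Data>
      <Data Name="Hashes">SHA256=0000000000000000000000000000000000000000000000000000000000000002</Data>
      <Data Name="Signed">false</Data>
      <Data Name="Signature"></Data>
      <Data Name="SignatureStatus">Unavailable</Data>
    </EventData></Event>""",
    # 3. Carries a signature, but it no longer verifies (tampered or re-packed
    #    binary), and it is a watched DLL name outside the system directories.
    r"""<Event><System><EventID>7</EventID></System><EventData>
      <Data Name="Image">C:\Program Files\Vendor\app\app.exe</Data>
      <Data Name="ImageLoaded">C:\Program Files\Vendor\app\dbghelp.dll</Data>
      <Data Name="Hashes">SHA256=0000000000000000000000000000000000000000000000000000000000000003</Data>
      <Data Name="Signed">true</Data>
      <Data Name="Signature">Microsoft Windows</Data>
      <Data Name="SignatureStatus">Invalid</Data>
    </EventData></Event>""",
]

# Assumed detection tunables (extend from your own environment's baseline).
SYSTEM_DIRS = (r"c:\windows\system32" + "\\", r"c:\windows\syswow64" + "\\")
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
WATCHED_DLLS = {"version.dll", "dbghelp.dll", "cryptsp.dll", "userenv.dll", "wtsapi32.dll"}


def parse_event(xml_text):
    """Return EventData <Data Name=...> fields as a dict, namespace-agnostic."""
    root = ET.fromstring(xml_text)
    fields = {}
    for el in root.iter():
        if el.tag.split("}")[-1] == "Data" and "Name" in el.attrib:
            fields[el.attrib["Name"]] = (el.text or "").strip()
    return fields


def check_event(fields):
    """Apply the module-load checks; returns the list of rule names that fired."""
    findings = []
    loaded = fields.get("ImageLoaded", "").lower()
    basename = loaded.rsplit("\\", 1)[-1]

    # Signature checks: Sysmon reports Signed as "true"/"false" and a separate
    # SignatureStatus; "Valid" is the only status that means the chain verified.
    if fields.get("Signed", "").lower() != "true":
        findings.append("unsigned_module")
    elif fields.get("SignatureStatus", "") != "Valid":
        findings.append("invalid_signature")

    # Loaded from a location a standard user can write to.
    if any(marker in loaded for marker in USER_WRITABLE_MARKERS):
        findings.append("user_writable_path")

    # A well-known system DLL name resolved from somewhere other than the
    # system directories: hijack / side-load candidate.
    if basename in WATCHED_DLLS and not loaded.startswith(SYSTEM_DIRS):
        findings.append("system_dll_outside_system_dir")
    return findings


def analyze(events):
    """Return (Image, ImageLoaded, findings) for every event that fired a rule."""
    report = []
    for xml_text in events:
        fields = parse_event(xml_text)
        findings = check_event(fields)
        if findings:
            report.append((fields.get("Image"), fields.get("ImageLoaded"), findings))
    return report


if __name__ == "__main__":
    for image, loaded, findings in analyze(SAMPLE_EVENTS):
        print(f"{image} loaded {loaded}: {', '.join(findings)}")
```

Each rule on its own is noisy in a real estate (plenty of legitimate unsigned DLLs live under Program Files), so in practice the value comes from the combination: an unsigned watched-name DLL from a user-writable path is the event worth paging on, and the Hashes field is what you pivot on to find every other host that loaded the same module.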

Domain ID Name
enterprise T1547 Boot or Logon Autostart Execution
enterprise T1547.002 Authentication Package
enterprise T1547.003 Time Providers
enterprise T1547.004 Winlogon Helper DLL
enterprise T1547.005 Security Support Provider
enterprise T1547.008 LSASS Driver
enterprise T1547.010 Port Monitors
enterprise T1547.012 Print Processors
enterprise T1059 Command and Scripting Interpreter
enterprise T1059.001 PowerShell
enterprise T1059.005 Visual Basic
enterprise T1059.007 JavaScript
enterprise T1546 Event Triggered Execution
enterprise T1546.006 LC_LOAD_DYLIB Addition
enterprise T1546.007 Netsh Helper DLL
enterprise T1546.009 AppCert DLLs
enterprise T1546.010 AppInit DLLs
enterprise T1546.011 Application Shimming
enterprise T1546.015 Component Object Model Hijacking
ics T0823 Graphical User Interface
enterprise T1574 Hijack Execution Flow
enterprise T1574.001 DLL Search Order Hijacking
enterprise T1574.002 DLL Side-Loading
enterprise T1574.004 Dylib Hijacking
enterprise T1574.005 Executable Installer File Permissions Weakness
enterprise T1574.006 Dynamic Linker Hijacking
enterprise T1574.012 COR_PROFILER
enterprise T1559 Inter-Process Communication
enterprise T1559.001 Component Object Model
enterprise T1559.002 Dynamic Data Exchange
enterprise T1556 Modify Authentication Process
enterprise T1556.002 Password Filter DLL
enterprise T1556.007 Hybrid Identity
enterprise T1106 Native API
enterprise T1027 Obfuscated Files or Information
enterprise T1027.007 Dynamic API Resolution
enterprise T1137 Office Application Startup
enterprise T1137.002 Office Test
enterprise T1055 Process Injection
enterprise T1055.001 Dynamic-link Library Injection
enterprise T1055.014 VDSO Hijacking
enterprise T1620 Reflective Code Loading
enterprise T1021 Remote Services
enterprise T1021.003 Distributed Component Object Model
ics T0886 Remote Services
ics T0853 Scripting
enterprise T1505 Server Software Component
enterprise T1505.005 Terminal Services DLL
enterprise T1129 Shared Modules
enterprise T1553 Subvert Trust Controls
enterprise T1553.003 SIP and Trust Provider Hijacking
enterprise T1218 System Binary Proxy Execution
enterprise T1218.002 Control Panel
enterprise T1218.007 Msiexec
enterprise T1218.008 Odbcconf
enterprise T1218.010 Regsvr32
enterprise T1218.011 Rundll32
enterprise T1220 XSL Script Processing

References

  1. Microsoft. (2018, December 5). LoadLibraryA function (libloaderapi.h). Retrieved September 28, 2021.
  2. Microsoft. (n.d.). Module Class. Retrieved September 28, 2021.
  3. Entrust Datacard. (2017, August 16). How do I enable CAPI 2.0 logging in Windows Vista, Windows 7 and Windows 2008 Server?. Retrieved January 31, 2018.
  4. Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018.
  5. Choi, S. (2015, August 6). Obfuscated API Functions in Modern Packers. Retrieved August 22, 2022.
  6. Bialek, J. (2013, September 15). Intercepting Password Changes With Function Hooking. Retrieved November 21, 2017.
  7. Microsoft Threat Intelligence Center, Microsoft Detection and Response Team, Microsoft 365 Defender Research Team. (2022, August 24). MagicWeb: NOBELIUM's post-compromise trick to authenticate as anyone. Retrieved September 28, 2022.
  8. Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.
  9. Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015.
  10. Christensen, L. (2015, December 28). The Evolution of Offensive PowerShell Invocation. Retrieved December 8, 2018.
  11. Warner, J. (2015, January 6). Inexorable PowerShell – A Red Teamer's Tale of Overcoming Simple AppLocker Policies. Retrieved December 8, 2018.
  12. Nelson, M. (2017, November 16). Lateral Movement using Outlook's CreateObject Method and DotNetToJScript. Retrieved November 21, 2017.
  13. Apple Inc. (2012, July 7). Run-Path Dependent Libraries. Retrieved March 31, 2021.
  14. Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.
  15. Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls. Retrieved December 18, 2017.
  16. Lundgren, S. (2017, October 28). w32time. Retrieved March 26, 2018.
  17. Burns, M. (2020, September 30). Detecting Microsoft 365 and Azure Active Directory Backdoors. Retrieved September 28, 2022.
  18. Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved November 27, 2017.
  19. Nelson, M. (2017, January 5). Lateral Movement using the MMC20 Application COM Object. Retrieved November 21, 2017.