DET0201 Detection Strategy for Hijack Execution Flow for DLLs

Item          | Value
ID            | DET0201
Version       | 1.0
Created       | 21 October 2025
Last Modified | 21 October 2025

Technique Detected: T1574.001 (DLL)

Analytics

Windows

AN0577

Detects DLL hijacking behaviors, including unexpected DLL loads from non-standard directories, replacement of DLLs, phantom DLL insertion, creation of redirection files, and substitution of legitimate DLLs. The defender correlates file system modifications, registry changes, and module load telemetry to detect abnormal DLL behavior in trusted processes.

Log Sources

Data Component                             | Name                 | Channel
File Creation (DC0039)                     | WinEventLog:Sysmon   | EventCode=11
File Metadata (DC0059)                     | WinEventLog:Sysmon   | EventCode=15
Module Load (DC0016)                       | WinEventLog:Sysmon   | EventCode=7
Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657
Process Creation (DC0032)                  | WinEventLog:Sysmon   | EventCode=1
Mutable Elements

Field            | Description
AllowedDllPaths  | Known safe DLL directories used to suppress false positives (e.g., C:\Windows\System32).
ProcessAllowList | Applications expected to load DLLs from non-standard locations (e.g., development tools).
TimeWindow       | Correlation interval between DLL file creation, registry changes, and module load.
HashBaseline     | Baseline hashes for legitimate DLLs, used to detect substitution.
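The following is an added example, not code from the DET0201 page or the ATT&CK project: it applies the correlation the analytic describes (Sysmon EventCode 11 file creation joined to EventCode 7 module loads within TimeWindow, checked against AllowedDllPaths, ProcessAllowList and HashBaseline) to a few constructed Sysmon events. The values of the mutable elements, the hashes and the events are assumptions made for the demonstration; registry correlation (EventCode 4657) is left out to keep the block short.

```python
from datetime import datetime, timedelta

# Mutable elements from the strategy, filled with constructed example values.
ALLOWED_DLL_PATHS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PROCESS_ALLOW_LIST = {"devenv.exe"}          # processes expected to load DLLs from odd places
TIME_WINDOW = timedelta(minutes=10)          # max gap between DLL creation and its load
HASH_BASELINE = {"version.dll": "1111aaaa"}  # constructed baseline SHA256 per known DLL name

# Constructed Sysmon events (EventCode 11 = FileCreate, 7 = ImageLoad) parsed into dicts.
EVENTS = [
    {"EventCode": 11, "UtcTime": "2025-10-21 10:00:00", "Image": r"C:\Users\bob\stage.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\version.dll"},
    {"EventCode": 7, "UtcTime": "2025-10-21 10:00:05", "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\version.dll", "Hashes": "SHA256=ffff9999"},
    {"EventCode": 7, "UtcTime": "2025-10-21 10:01:00", "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Hashes": "SHA256=1111aaaa"},
    {"EventCode": 7, "UtcTime": "2025-10-21 10:02:00", "Image": r"C:\Tools\devenv.exe",
     "ImageLoaded": r"C:\Tools\ext\version.dll", "Hashes": "SHA256=2222bbbb"},
]

def sha256_from(hashes_field):
    # Sysmon's Hashes field looks like "MD5=...,SHA256=...,IMPHASH=..."
    parts = dict(p.split("=", 1) for p in hashes_field.split(",") if "=" in p)
    return parts.get("SHA256", "").lower() or None

def detect_dll_hijack(events):
    """Correlate FileCreate and ImageLoad events; return one alert per suspicious load."""
    recent_dll_creates = {}   # lowercase path -> creation time of a .dll
    alerts = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):   # timestamps sort lexically
        now = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        if ev["EventCode"] == 11 and ev["TargetFilename"].lower().endswith(".dll"):
            recent_dll_creates[ev["TargetFilename"].lower()] = now
        if ev["EventCode"] != 7 or ev["Image"].rsplit("\\", 1)[-1].lower() in PROCESS_ALLOW_LIST:
            continue                                      # not a load, or allow-listed process
        path = ev["ImageLoaded"].lower()
        name = path.rsplit("\\", 1)[-1]
        reasons = []
        if name in HASH_BASELINE and not path.startswith(ALLOWED_DLL_PATHS):
            reasons.append("known DLL name loaded from non-standard directory")
        created = recent_dll_creates.get(path)
        if created is not None and now - created <= TIME_WINDOW:
            reasons.append("DLL created %ds before load" % (now - created).seconds)
        actual = sha256_from(ev.get("Hashes", ""))
        if name in HASH_BASELINE and actual and actual != HASH_BASELINE[name]:
            reasons.append("hash differs from baseline")
        if reasons:
            alerts.append({"process": ev["Image"], "dll": ev["ImageLoaded"], "reasons": reasons})
    return alerts
```

Run against the constructed events, only the load by app.exe of the freshly written Temp\version.dll alerts, with all three reasons; the System32 load with a matching hash and the allow-listed devenv.exe load are suppressed.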