DET0389 Behavioral Detection of DLL Injection via Windows API

Item | Value
ID | DET0389
Version | 1.0
Created | 21 October 2025
Last Modified | 21 October 2025

Technique Detected: T1055.001 (Dynamic-link Library Injection)

Analytics

Windows

AN1095

Detects DLL injection through correlation of memory allocation and writing to remote process memory (e.g., VirtualAllocEx, WriteProcessMemory), followed by remote thread creation (e.g., CreateRemoteThread) that loads a suspicious or unsigned DLL using LoadLibrary or reflective loading.

Log Sources
Data Component | Name | Channel
Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10
Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1
Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7
Named Pipe Metadata (DC0048) | WinEventLog:Sysmon | EventCode=17
Mutable Elements
Field | Description
InjectedDLLSignatureStatus | Whether the DLL is unsigned, untrusted, or loaded from a non-standard path
TimeWindow | Temporal correlation threshold between memory operations and thread creation
TargetProcessList | List of sensitive or high-value processes targeted for injection (e.g., explorer.exe, winlogon.exe)
ParentProcessAnomalyThreshold | Degree of deviation from expected parent-child lineage
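As an added example that is not part of the ATT&CK page, the AN1095 correlation in Python over constructed Sysmon-style events, using only the channels listed above (EventCode 10 and 7). Because Sysmon EventCode 8 is not among the listed sources, the remote-thread step is approximated by the PROCESS_CREATE_THREAD right in the EventCode 10 GrantedAccess mask, and the values chosen for TimeWindow, TargetProcessList and the trusted DLL directories are assumed tuning values.

```python
from datetime import datetime, timedelta

# Windows process access rights as they appear in Sysmon EventCode 10 GrantedAccess.
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0002, 0x0008, 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Mutable elements from the detection strategy, set to assumed tuning values.
TIME_WINDOW = timedelta(seconds=30)
TARGET_PROCESS_LIST = {"explorer.exe", "winlogon.exe"}
STANDARD_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")  # Sysmon UtcTime format

def dll_is_suspicious(ev):
    """InjectedDLLSignatureStatus: unsigned, untrusted, or loaded from a non-standard path."""
    path = ev["ImageLoaded"].lower()
    return (ev.get("Signed", "false").lower() != "true"
            or ev.get("SignatureStatus") != "Valid"
            or not path.startswith(STANDARD_DLL_DIRS))

def correlate(events):
    """Alert when an EventCode 10 access with write+thread rights to a listed target process is
    followed within TIME_WINDOW by an EventCode 7 suspicious module load in that same process."""
    accesses, alerts = [], []
    for ev in sorted(events, key=lambda e: parse_time(e["UtcTime"])):
        t = parse_time(ev["UtcTime"])
        if ev["EventCode"] == 10:
            target = ev["TargetImage"].rsplit("\\", 1)[-1].lower()
            if (int(ev["GrantedAccess"], 16) & INJECT_MASK) == INJECT_MASK and target in TARGET_PROCESS_LIST:
                accesses.append((t, ev["SourceImage"], ev["TargetProcessId"]))
        elif ev["EventCode"] == 7 and dll_is_suspicious(ev):
            for t_acc, source, pid in accesses:
                if pid == ev["ProcessId"] and timedelta(0) <= t - t_acc <= TIME_WINDOW:
                    alerts.append({"source": source, "target_pid": pid, "dll": ev["ImageLoaded"],
                                   "delay_s": (t - t_acc).total_seconds()})
    return alerts

# Constructed Sysmon-style events (not real telemetry): one injection chain plus two benign events.
SAMPLE_EVENTS = [
    {"EventCode": 10, "UtcTime": "2025-10-21 10:00:00.000", "SourceImage": "C:\\Users\\u\\dropper.exe",
     "TargetProcessId": 1234, "TargetImage": "C:\\Windows\\explorer.exe", "GrantedAccess": "0x1F3FFF"},
    {"EventCode": 7, "UtcTime": "2025-10-21 10:00:01.500", "ProcessId": 1234,
     "ImageLoaded": "C:\\Windows\\System32\\shell32.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"EventCode": 7, "UtcTime": "2025-10-21 10:00:04.250", "ProcessId": 1234,
     "ImageLoaded": "C:\\Users\\u\\AppData\\Local\\Temp\\payload.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventCode": 10, "UtcTime": "2025-10-21 10:00:05.000", "SourceImage": "C:\\Windows\\System32\\taskmgr.exe",
     "TargetProcessId": 5678, "TargetImage": "C:\\Windows\\System32\\winlogon.exe", "GrantedAccess": "0x1000"},
]
```

`correlate(SAMPLE_EVENTS)` yields a single alert: the unsigned payload.dll loaded into explorer.exe 4.25 s after dropper.exe opened it with write and thread-creation rights, while the signed System32 load and the query-only access to winlogon.exe produce nothing.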