Module

Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries.[1][2]

ID: DS0011
Platforms: Linux, Windows, macOS
Collection Layer: Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 10 November 2021

Data Components

Module: Module Load

Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)

| Domain | ID | Name |
|---|---|---|
| Enterprise | T1547 | Boot or Logon Autostart Execution |
| | T1547.002 | Authentication Package |
| | T1547.003 | Time Providers |
| | T1547.004 | Winlogon Helper DLL |
| | T1547.005 | Security Support Provider |
| | T1547.008 | LSASS Driver |
| | T1547.010 | Port Monitors |
| | T1547.012 | Print Processors |
| Enterprise | T1059 | Command and Scripting Interpreter |
| | T1059.001 | PowerShell |
| | T1059.005 | Visual Basic |
| | T1059.007 | JavaScript |
| Enterprise | T1546 | Event Triggered Execution |
| | T1546.006 | LC_LOAD_DYLIB Addition |
| | T1546.007 | Netsh Helper DLL |
| | T1546.009 | AppCert DLLs |
| | T1546.010 | AppInit DLLs |
| | T1546.011 | Application Shimming |
| | T1546.015 | Component Object Model Hijacking |
| Enterprise | T1574 | Hijack Execution Flow |
| | T1574.001 | DLL Search Order Hijacking |
| | T1574.002 | DLL Side-Loading |
| | T1574.004 | Dylib Hijacking |
| | T1574.005 | Executable Installer File Permissions Weakness |
| | T1574.006 | Dynamic Linker Hijacking |
| | T1574.012 | COR_PROFILER |
| Enterprise | T1559 | Inter-Process Communication |
| | T1559.001 | Component Object Model |
| | T1559.002 | Dynamic Data Exchange |
| Enterprise | T1556 | Modify Authentication Process |
| | T1556.002 | Password Filter DLL |
| Enterprise | T1106 | Native API |
| Enterprise | T1137 | Office Application Startup |
| | T1137.002 | Office Test |
| Enterprise | T1055 | Process Injection |
| | T1055.001 | Dynamic-link Library Injection |
| | T1055.014 | VDSO Hijacking |
| Enterprise | T1620 | Reflective Code Loading |
| Enterprise | T1021 | Remote Services |
| | T1021.003 | Distributed Component Object Model |
| Enterprise | T1129 | Shared Modules |
| Enterprise | T1218 | Signed Binary Proxy Execution |
| | T1218.002 | Control Panel |
| | T1218.007 | Msiexec |
| | T1218.008 | Odbcconf |
| | T1218.010 | Regsvr32 |
| | T1218.011 | Rundll32 |
| Enterprise | T1553 | Subvert Trust Controls |
| | T1553.003 | SIP and Trust Provider Hijacking |
| Enterprise | T1220 | XSL Script Processing |

References