DLLs
Tony Phipps edited this page Mar 16, 2018 · 5 revisions
Tactic: Execution, Persistence
- Select DLLName where Process contains lsass
Monitor DLL load operations in lsass.exe.
Tactic: Persistence, Privilege Escalation
- Select DLLName, Process aggregated by DLLName
Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process.
Tactic: Persistence, Privilege Escalation
- Select Process where DLLName contains user32
Monitor DLL loads by processes that load user32.dll and look for DLLs that are not recognized or not normally loaded into a process.
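The three queries above, run over image-load records, as an added example that is not part of the original wiki page. The records, the `(host, process, DLL)` layout, the function names and the `max_share` rarity threshold are all assumptions made for illustration; "not normally loaded" is approximated here as "loaded on at most half of the hosts that run that process".

```python
import ntpath
from collections import defaultdict

# Constructed image-load records (host, process path, DLL path); not real telemetry.
EVENTS = [
    ("ws01", r"C:\Windows\System32\lsass.exe", r"C:\Windows\System32\samsrv.dll"),
    ("ws02", r"C:\Windows\System32\lsass.exe", r"C:\Windows\System32\samsrv.dll"),
    ("ws03", r"C:\Windows\System32\lsass.exe", r"C:\Windows\System32\samsrv.dll"),
    ("ws03", r"C:\Windows\System32\lsass.exe", r"C:\ProgramData\examplepkg.dll"),
    ("ws01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\user32.dll"),
    ("ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\USER32.dll"),
    ("ws03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\user32.dll"),
    ("ws02", r"C:\Windows\explorer.exe", r"C:\Users\Public\examplehook.dll"),
    ("ws01", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\kernel32.dll"),
]

def base(path):
    """File name only, lower-cased, since Windows paths are case-insensitive."""
    return ntpath.basename(path).lower()

def lsass_dlls(events):
    """Query 1: DLL paths loaded by any process whose name contains 'lsass'."""
    return sorted({dll.lower() for _, proc, dll in events if "lsass" in base(proc)})

def stack_by_dll(events):
    """Query 2: aggregate by DLL path -> set of process names that loaded it."""
    stack = defaultdict(set)
    for _, proc, dll in events:
        stack[dll.lower()].add(base(proc))
    return dict(stack)

def user32_processes(events):
    """Query 3: process names that loaded a DLL whose name contains 'user32'."""
    return {base(proc) for _, proc, dll in events if "user32" in base(dll)}

def rare_loads(events, processes, max_share=0.5):
    """(process, DLL) pairs seen on at most max_share of the hosts running that process."""
    proc_hosts, pair_hosts = defaultdict(set), defaultdict(set)
    for host, proc, dll in events:
        proc_hosts[base(proc)].add(host)
        pair_hosts[(base(proc), dll.lower())].add(host)
    return sorted(pair for pair, hosts in pair_hosts.items()
                  if pair[0] in processes
                  and len(hosts) / len(proc_hosts[pair[0]]) <= max_share)

if __name__ == "__main__":
    print(lsass_dlls(EVENTS))
    print(rare_loads(EVENTS, user32_processes(EVENTS) | {"lsass.exe"}))
```

Comparing full paths rather than bare file names keeps a same-named DLL loaded from an unusual directory from blending into the common entry.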