DLL Load By System Process From Suspicious Locations (9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c)
Detects when a system process (e.g. one whose image is located in System32, SysWOW64, etc.) loads a DLL from a suspicious location or from a location with permissive permissions such as "C:\Users\Public". The key is the combination: a trusted process image path and an untrusted DLL path in the same image-load event, which is the shape of DLL search-order hijacking and side-loading.
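The following is an added example, not the Sigma rule's own logic or the logic of the MISP galaxy page: a toy re-implementation in Python of the detection described above, run over constructed Sysmon Event ID 7 (image load) records. Field names (`Image`, `ImageLoaded`) follow the Sigma `image_load` category; of the suspicious DLL locations only `C:\Users\Public` comes from the page, the other prefixes and the per-user temp pattern are this example's assumption.

```python
"""Toy detection for: system process (image under System32/SysWOW64) loads a
DLL from a suspicious / world-writable location. Added example, not the
Sigma rule itself."""
import re

# Directories whose executables count as "system processes".
SYSTEM_PROCESS_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)

# Suspicious DLL directories. The page names only C:\Users\Public; the other
# entries are this example's assumption about further user-writable paths.
SUSPICIOUS_DLL_PREFIXES = (
    "c:\\users\\public\\",
    "c:\\windows\\temp\\",
    "c:\\programdata\\",
)
SUSPICIOUS_DLL_PATTERNS = (
    # per-user temp, e.g. C:\Users\alice\AppData\Local\Temp\x.dll (assumption)
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\"),
)


def normalize(path: str) -> str:
    """Lower-case and unify separators so prefix checks are case- and
    slash-insensitive, as Windows path resolution is."""
    return path.replace("/", "\\").lower()


def is_system_process(image: str) -> bool:
    return normalize(image).startswith(SYSTEM_PROCESS_DIRS)


def is_suspicious_dll(image_loaded: str) -> bool:
    p = normalize(image_loaded)
    if p.startswith(SUSPICIOUS_DLL_PREFIXES):
        return True
    return any(rx.match(p) for rx in SUSPICIOUS_DLL_PATTERNS)


def matches(event: dict) -> bool:
    """Both conditions must hold: trusted loader AND untrusted DLL path.
    A non-system process loading from C:\\Users\\Public is deliberately not
    flagged here, which keeps the rule narrow but means it will miss
    side-loading of third-party binaries."""
    return is_system_process(event.get("Image", "")) and \
        is_suspicious_dll(event.get("ImageLoaded", ""))


def detect(events):
    return [e for e in events if matches(e)]


# Constructed sample records (not real telemetry), shaped like Sysmon EID 7.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Users\\Public\\update.dll"},          # hit
    {"Image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "ImageLoaded": "C:\\Windows\\SysWOW64\\shell32.dll"},     # benign
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Users\\Public\\helper.dll"},          # not a system process
    {"Image": "C:\\Windows\\System32\\spoolsv.exe",
     "ImageLoaded": "C:\\Windows\\Temp\\printer.dll"},         # hit (assumed prefix)
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} loaded {hit['ImageLoaded']}")
```

Two things to check before deploying something like this: whether the log source records `Image` as a resolved file-system path or as a device path (`\Device\HarddiskVolumeN\...`), which the prefix match above would not recognise, and whether any legitimate installers or updaters on the estate stage DLLs in `C:\ProgramData` or `C:\Windows\Temp`, which is where the false positives of the broader prefixes will come from.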
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
DLL Load By System Process From Suspicious Locations (9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c) | Sigma-Rules | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 1 |