{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dll-injection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["dll-injection","chrome-hijacking","com-abuse","supply-chain"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe GlassWorm threat involves sophisticated techniques like DLL injection and Chrome hijacking through COM abuse. Analysis confirms a full supply chain loop, indicating a well-coordinated and potentially widespread attack. The specifics of initial compromise and broader targeting remain unclear, but the technical capabilities displayed suggest a threat actor with significant resources and expertise. This threat necessitates immediate attention from detection engineering teams to identify and mitigate potential intrusions within their environments. 
The confirmation of a full supply chain loop also highlights the potential for widespread compromise affecting numerous downstream victims.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise occurs through an unidentified vector, potentially involving a supply chain attack.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence on the system through an unknown method.\u003c/li\u003e\n\u003cli\u003eMalicious code is injected into a legitimate process using DLL injection.\u003c/li\u003e\n\u003cli\u003eThe injected DLL targets Google Chrome.\u003c/li\u003e\n\u003cli\u003eThe attacker abuses COM objects to hijack Chrome functionality.\u003c/li\u003e\n\u003cli\u003eThe hijacked Chrome instance is used to steal user credentials and sensitive data.\u003c/li\u003e\n\u003cli\u003eExfiltrated data is sent to attacker-controlled servers.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains a foothold for further exploitation or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful GlassWorm attack can lead to the compromise of sensitive data, including user credentials, financial information, and proprietary data. The Chrome hijacking aspect allows attackers to monitor user activity, intercept communications, and potentially inject malicious content into web pages. The confirmation of a full supply chain loop suggests the potential for a large number of victims, depending on the scope and duration of the attack. 
The sector impact is currently unknown, but any organization relying on Chrome for sensitive operations is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for suspicious DLL loads into Chrome processes using the \u0026ldquo;Detect Suspicious Chrome DLL Injection\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any unusual COM object activity associated with Chrome, focusing on unexpected object creation or modification (leverage existing COM auditing capabilities, if available).\u003c/li\u003e\n\u003cli\u003eAnalyze network traffic for unexpected data exfiltration patterns originating from Chrome processes.\u003c/li\u003e\n\u003cli\u003eImplement strong endpoint detection and response (EDR) solutions to detect and prevent DLL injection attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-17T15:03:41Z","date_published":"2026-03-17T15:03:41Z","id":"/briefs/2026-03-glassworm/","summary":"The GlassWorm threat involves DLL injection and Chrome hijacking via COM abuse, confirming a full supply chain loop, potentially leading to data theft and system compromise.","title":"GlassWorm Threat: DLL Injection and Chrome Hijacking","url":"https://feed.craftedsignal.io/briefs/2026-03-glassworm/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["persistence","defense-evasion","execution","windows","dll-injection"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers may attempt to load malicious, unsigned DLLs into \u003ccode\u003esvchost.exe\u003c/code\u003e, a legitimate Windows service host process, to maintain persistence or escalate privileges. This technique abuses the shared service host process to execute arbitrary code with SYSTEM privileges. 
The \u003ccode\u003esvchost.exe\u003c/code\u003e process, which typically hosts multiple Windows services, can be targeted to load malicious DLLs from unusual file paths, potentially bypassing security measures that rely on code signing validation. This is especially concerning because \u003ccode\u003esvchost.exe\u003c/code\u003e is a trusted process, making detection more challenging. The loading of unsigned DLLs by \u003ccode\u003esvchost.exe\u003c/code\u003e from atypical directories is a strong indicator of potential malicious activity, as legitimate Windows services rarely load unsigned libraries from such locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary gains initial access to the system through an undisclosed method (e.g., exploitation of a vulnerability or social engineering).\u003c/li\u003e\n\u003cli\u003eThe attacker creates a malicious, unsigned DLL on the compromised system in a non-standard directory like \u003ccode\u003eC:\\ProgramData\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the Windows Registry to configure a service hosted by \u003ccode\u003esvchost.exe\u003c/code\u003e to load the malicious DLL. 
This often involves manipulating service dependencies or service parameters.\u003c/li\u003e\n\u003cli\u003eThe system is restarted, or the targeted service is manually restarted, causing \u003ccode\u003esvchost.exe\u003c/code\u003e to load the specified DLL.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esvchost.exe\u003c/code\u003e executes the code within the malicious DLL, now running with the privileges of the hosted service (typically SYSTEM).\u003c/li\u003e\n\u003cli\u003eThe malicious DLL performs actions such as installing backdoors, escalating privileges further, or establishing command and control (C2) communication.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established C2 channel to remotely control the compromised system, exfiltrate data, or perform other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the system by ensuring the malicious DLL is loaded each time the service or system starts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain persistent access to the compromised system with elevated (SYSTEM) privileges. This can lead to complete system compromise, data theft, installation of backdoors, and lateral movement within the network. 
The use of \u003ccode\u003esvchost.exe\u003c/code\u003e as a host for malicious DLLs makes detection more difficult, allowing attackers to operate undetected for extended periods.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect unsigned DLLs loaded by \u003ccode\u003esvchost.exe\u003c/code\u003e, focusing on the specified file paths and code signature status.\u003c/li\u003e\n\u003cli\u003eExamine \u003ccode\u003edll.Ext.relative_file_creation_time\u003c/code\u003e to identify DLLs created shortly before being loaded to catch newly created malicious files.\u003c/li\u003e\n\u003cli\u003eReview and validate the legitimacy of all DLLs loaded by \u003ccode\u003esvchost.exe\u003c/code\u003e, focusing on those located in unusual paths.\u003c/li\u003e\n\u003cli\u003eUpdate endpoint detection and response (EDR) systems to specifically monitor for the loading of unsigned DLLs by system processes like \u003ccode\u003esvchost.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eContinuously update the exclusion list of known good DLL hashes to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:30:00Z","date_published":"2024-01-09T18:30:00Z","id":"/briefs/2024-01-unsigned-dll-svchost/","summary":"Adversaries may load unsigned DLLs into svchost.exe to establish persistence or escalate privileges, leveraging a shared Windows service to execute malicious code with elevated permissions.","title":"Unsigned DLL Loaded by Svchost for Persistence and Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2024-01-unsigned-dll-svchost/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lsass","dll-injection","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","McAfee","SecMaker AB","HID Global","Apple","Citrix Systems","Dell","Hewlett-Packard Company","Symantec Corporation","National Instruments Corporation","DigitalPersona","Novell","Gemalto","EasyAntiCheat Oy","Entrust Datacard Corporation","AuriStor","LogMeIn","VMware","Nubeva Technologies Ltd","Micro Focus","Yubico AB","Secure Endpoints","Sophos","Morphisec Information Security","Entrust","F5 Networks","Bit4id","Thales DIS CPL USA","Micro Focus International plc","HYPR Corp","Intel","PGP Corporation","Parallels International GmbH","FrontRange Solutions Deutschland GmbH","SecureLink","Tidexa OU","Amazon Web Services","SentryBay Limited","Audinate Pty Ltd","CyberArk Software","NVIDIA","Trend Micro","Fortinet","Carbon Black"],"content_html":"\u003cp\u003eThe Local Security Authority Subsystem Service (LSASS) is a critical Windows component that manages security policies and user authentication. Attackers often target LSASS to dump credentials, using techniques like injecting malicious DLLs. This detection focuses on identifying instances where LSASS loads a DLL that is either unsigned or not signed by a trusted vendor. The rule excludes known legitimate signatures and file hashes to reduce false positives. This activity is a strong indicator of credential access attempts, potentially leading to further compromise of the system and network. 
The signatures identified in the rule contain well-known software vendors like Microsoft, McAfee and Citrix.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain sufficient access to interact with the LSASS process.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious DLL onto the system, often disguised as a legitimate file.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious DLL into the LSASS process using techniques like Reflective DLL Injection.\u003c/li\u003e\n\u003cli\u003eLSASS loads the injected DLL, granting the attacker access to sensitive credentials stored in memory.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL dumps credentials, such as plaintext passwords or NTLM hashes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials for lateral movement to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to credential compromise, allowing attackers to move laterally within the network, access sensitive data, and potentially achieve complete domain dominance. This can result in data breaches, financial losses, and reputational damage. 
The impact depends on the level of access associated with the compromised credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eLSASS Loading Untrusted DLL\u003c/code\u003e Sigma rule to your SIEM to detect suspicious DLLs loaded by LSASS.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule and review the loaded DLL\u0026rsquo;s code signature and hash.\u003c/li\u003e\n\u003cli\u003eBlock the identified SHA256 hashes listed in the IOC table to prevent the execution of known malicious DLLs.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict which DLLs can be loaded into LSASS.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation and image load logging to provide the necessary data for detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-lsass-suspicious-dll/","summary":"Detection of LSASS loading an unsigned or untrusted DLL, which can indicate credential access attempts by malicious actors targeting sensitive information stored in the LSASS process.","title":"LSASS Loading Suspicious DLL","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-suspicious-dll/"}],"language":"en","title":"CraftedSignal Threat Feed — Dll-Injection","version":"https://jsonfeed.org/version/1.1"}