MITRE ATT&CK® Analytic

AN0577: Analytic 0577

DLL hijacking behaviors including unexpected DLL loads from non-standard directories, replacement of DLLs, phantom DLL insertion, redirection file creation, and substitution of legitimate DLLs. Defender correlates file system modifications, registry changes, and module load telemetry to detect abnormal DLL behavior in trusted processes.

Enterprise | AN0577 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because DLL hijacking can turn otherwise trusted Windows processes into execution paths for unauthorized code. For leaders, the practical issue is not just malware detection; it is whether the organization can prove it monitors changes to DLL locations, load behavior, and related registry or file-system activity well enough to catch abnormal behavior before it affects business operations or incident scope.

Executive priority

Prioritize this as a question of Windows endpoint detection and response readiness: do SOC and IR teams have the telemetry needed to explain which trusted process loaded which DLL, from where, and after what file or registry change? This supports incident decision-making, audit evidence for endpoint monitoring, and control prioritization around application integrity, privileged change, and managed detection coverage.

Technical view

AN0577 is a Windows-focused detection analytic for DLL hijacking behaviors. The supplied ATT&CK description highlights unexpected DLL loads from non-standard directories, DLL replacement, phantom DLL insertion, redirection file creation, and substitution of legitimate DLLs. Defenders should validate correlation across file system modifications, registry changes, and module load telemetry, especially where trusted processes load modules from unusual or user-writable paths. No ATT&CK tactic or relationship context was supplied, so local mapping to techniques, applications, and business-critical hosts is required.

Likely telemetry

  • Windows module or image-load telemetry showing process, DLL path, signature, hash, and parent process context
  • File system events for DLL creation, replacement, rename, deletion, or modification
  • Registry change telemetry associated with DLL search, redirection, or application configuration behavior
  • Process execution telemetry for trusted processes that subsequently load unexpected modules
  • File integrity or endpoint sensor data covering application directories and user-writable locations

Detection direction

  • Validate that module-load telemetry is actually collected on Windows endpoints; many environments collect process starts but not detailed DLL loads.
  • Tune for trusted or high-value processes loading DLLs from non-standard, temporary, user-profile, network, or otherwise unusual directories.
  • Correlate DLL load events with recent file system changes and registry modifications rather than alerting on single events only.
  • Account for false positives from software updates, plugins, development tools, and legitimate application extension mechanisms.
  • Prioritize coverage on servers, privileged workstations, and systems hosting business-critical applications where trusted-process abuse would complicate containment.
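The correlation approach described in the points above, as an added example that is not part of the ATT&CK object or Glexia's analysis: a small Python rule over constructed module-load and file-write events (the field names are assumptions, not any particular sensor's schema) that flags a trusted process loading an unsigned DLL from a user-writable or network directory and enriches the alert with whichever process recently wrote that file, rather than alerting on the load alone.

```python
"""Correlate DLL image-load events with recent file writes (added example, constructed data)."""
from datetime import datetime, timedelta

# Constructed sample telemetry; "image" is the loading/writing process, "path" the file touched.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "type": "file_write", "pid": 4120,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll"},
    {"ts": "2024-05-01T09:01:30", "type": "image_load", "pid": 5200,
     "image": "C:\\Windows\\System32\\svchost.exe",
     "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll", "signed": False},
    {"ts": "2024-05-01T09:02:00", "type": "image_load", "pid": 5300,
     "image": "C:\\Windows\\System32\\notepad.exe",
     "path": "C:\\Windows\\System32\\version.dll", "signed": True},
]

TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")
UNUSUAL_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\downloads\\")
WINDOW = timedelta(minutes=10)  # how far back to look for a write to the loaded DLL

def is_trusted_process(image):
    return image.lower().startswith(TRUSTED_DIRS)

def is_unusual_path(path):
    """Non-system location: temp/profile/public directory or a UNC network path."""
    p = path.lower()
    return not p.startswith(TRUSTED_DIRS) and (p.startswith("\\\\") or any(t in p for t in UNUSUAL_DIRS))

def correlate(events, window=WINDOW):
    """Alert when a trusted process loads an unsigned DLL from an unusual directory."""
    alerts = []
    for ev in events:
        if ev["type"] != "image_load" or not is_trusted_process(ev["image"]):
            continue
        if ev.get("signed") or not is_unusual_path(ev["path"]):
            continue
        t = datetime.fromisoformat(ev["ts"])
        # Writes to the same file shortly before the load explain how the DLL got there.
        writes = [w for w in events if w["type"] == "file_write"
                  and w["path"].lower() == ev["path"].lower()
                  and 0 <= (t - datetime.fromisoformat(w["ts"])).total_seconds() <= window.total_seconds()]
        alerts.append({"loader": ev["image"], "dll": ev["path"],
                       "written_by": writes[-1]["image"] if writes else None,
                       "severity": "high" if writes else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The signed load of version.dll from System32 is ignored, while the Temp copy loaded by svchost.exe is escalated to high severity because a recent write by setup.exe is found inside the window.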

Mitigation priorities

  • Establish and monitor approved application and DLL locations for critical Windows software.
  • Limit write access to application directories and other locations that influence DLL loading behavior.
  • Use change control and file integrity monitoring for sensitive application paths where DLL substitution would be material.
  • Ensure endpoint controls and SOC procedures can investigate module loads, file changes, and registry changes together.
  • Review incident response playbooks so analysts can quickly determine whether a DLL load is expected, recently introduced, or tied to unauthorized change.

Analyst notes and limits

The object is a detection analytic, not a full ATT&CK technique entry. The strongest defensive value is validating telemetry completeness and correlation logic around Windows DLL load behavior in trusted processes. Relationship context was not supplied, so this take does not infer specific tactics, procedures, threat groups, or campaigns.

Official detection text was not provided, tactics were not specified, and no relationships were supplied. Coverage, severity, and prioritization must be confirmed against the local Windows estate, endpoint sensor capabilities, application inventory, and approved software behavior.

Official MITRE ATT&CK definition

Analytic 0577

DLL hijacking behaviors including unexpected DLL loads from non-standard directories, replacement of DLLs, phantom DLL insertion, redirection file creation, and substitution of legitimate DLLs. Defender correlates file system modifications, registry changes, and module load telemetry to detect abnormal DLL behavior in trusted processes.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release:  19.1
Object version:  1.0
Created:
Modified:
Raw hash:        aec46f168de382c2...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   aec46f168de3…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.