AN1465: Analytic 1465
Unusual or suspicious processes loading critical native API DLLs (e.g., ntdll.dll, kernel32.dll) followed by direct syscall behavior, memory manipulation, or hollowing.
Analyst context for executives and security teams
This analytic matters because it focuses on Windows process behavior commonly associated with attempts to bypass normal user-mode monitoring: suspicious processes loading critical native API DLLs such as ntdll.dll or kernel32.dll, followed by direct syscall behavior, memory manipulation, or process hollowing. For leaders, the value is not the DLL load alone, which is common, but whether the organization can see and investigate the sequence of events that may indicate stealthy execution or evasion.
Executive priority
Prioritize this as a visibility and response-readiness question for Windows environments: can the SOC prove it collects enough process, module-load, and memory/process-manipulation evidence to distinguish normal application behavior from suspicious execution chains? This supports incident triage, control validation, and audit evidence for endpoint monitoring maturity. Because no ATT&CK tactic, relationship, or official detection logic is supplied, treat this as a coverage validation item rather than a standalone risk assertion.
Technical view
For SOC, detection engineering, and IR teams, validate whether Windows telemetry can correlate suspicious process lineage with loading of native API DLLs such as ntdll.dll and kernel32.dll, then identify follow-on indicators of direct syscall behavior, memory manipulation, or process hollowing. DLL loads by themselves are high-volume and often benign, so the useful detection value is in sequencing, process context, rarity, parent-child relationships, and corroborating memory or hollowing evidence. No official detection logic is provided, so local baselining and false-positive tuning are required.
Likely telemetry
- Windows process creation and parent-child process lineage
- Module or image-load telemetry for native API DLLs such as ntdll.dll and kernel32.dll
- Endpoint telemetry indicating memory manipulation
- Endpoint telemetry indicating process hollowing behavior
- Process command-line, executable path, signer, hash, and user context where available
Detection direction
- Do not alert on ntdll.dll or kernel32.dll loading alone; validate suspicious process context and follow-on behavior.
- Correlate native API DLL loads with direct syscall indicators, memory manipulation, or hollowing signals when telemetry supports it.
- Baseline common enterprise software that legitimately loads these DLLs to reduce noise.
- Review detections for blind spots where endpoint tooling records process creation but not module loads or memory behavior.
- Use process lineage, executable reputation, path, signer, and user context to prioritize investigation.
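The sequencing logic described in the detection direction above, as an added worked example that is not part of the Glexia or MITRE object: a small correlator over constructed Sysmon-style events (EID 1 process create, EID 7 image load, EID 8 CreateRemoteThread, EID 10 ProcessAccess). It refuses to alert on an ntdll.dll or kernel32.dll load by itself, requires suspicious process context (unsigned image, user-writable path, or an Office parent) plus a follow-on memory-manipulation event within a time window, and suppresses images on a hypothetical local baseline. The event records, baseline, paths and PIDs are all constructed for illustration.

```python
"""Sequence-based correlation for AN1465-style behaviour (added example).

Events are constructed, Sysmon-like dictionaries; nothing here is real telemetry.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

NATIVE_DLLS = {"ntdll.dll", "kernel32.dll"}
# Hypothetical local baseline: images known to do legitimate cross-process memory work.
BASELINE_IMAGES = {"agent.exe"}
# User-writable locations that raise suspicion when an executable runs from them.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\downloads\\")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Access rights that allow writing into or creating threads in another process:
# PROCESS_CREATE_THREAD (0x2), PROCESS_VM_OPERATION (0x8), PROCESS_VM_WRITE (0x20).
WRITE_ACCESS_MASK = 0x2 | 0x8 | 0x20

# Constructed sample events (ts in seconds; source_pid/target_pid for EID 8 and 10).
EVENTS = [
    # pid 100: signed system binary loads ntdll.dll, no follow-on -> no alert
    {"ts": 0, "eid": 1, "pid": 100, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "signed": True},
    {"ts": 1, "eid": 7, "pid": 100, "image_loaded": r"C:\Windows\System32\ntdll.dll"},
    # pid 200: unsigned Temp binary spawned by Word, loads native DLLs, then opens
    # another process with write access -> alert
    {"ts": 10, "eid": 1, "pid": 200, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "signed": False},
    {"ts": 11, "eid": 7, "pid": 200, "image_loaded": r"C:\Windows\System32\ntdll.dll"},
    {"ts": 12, "eid": 7, "pid": 200, "image_loaded": r"C:\Windows\System32\kernel32.dll"},
    {"ts": 15, "eid": 10, "source_pid": 200, "target_pid": 300, "granted_access": 0x1F0FFF},
    # pid 400: baselined EDR-style agent doing CreateRemoteThread -> suppressed
    {"ts": 20, "eid": 1, "pid": 400, "image": r"C:\Program Files\Vendor\agent.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "signed": True},
    {"ts": 21, "eid": 7, "pid": 400, "image_loaded": r"C:\Windows\System32\ntdll.dll"},
    {"ts": 25, "eid": 8, "source_pid": 400, "target_pid": 300},
    # pid 500: suspicious context, but only a query-limited ProcessAccess -> no alert
    {"ts": 30, "eid": 1, "pid": 500, "image": r"C:\Users\alice\AppData\Local\Temp\helper.exe",
     "parent_image": r"C:\Windows\explorer.exe", "signed": False},
    {"ts": 31, "eid": 7, "pid": 500, "image_loaded": r"C:\Windows\System32\ntdll.dll"},
    {"ts": 33, "eid": 10, "source_pid": 500, "target_pid": 300, "granted_access": 0x1000},
]


def context_reasons(proc):
    """Return why this process's context looks suspicious (empty list if it does not)."""
    reasons = []
    if not proc.get("signed"):
        reasons.append("unsigned image")
    if any(marker in proc["image"].lower() for marker in USER_WRITABLE):
        reasons.append("executable in user-writable path")
    parent = PureWindowsPath(proc.get("parent_image", "")).name.lower()
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by {parent}")
    return reasons


def is_memory_manipulation(ev):
    """EID 8 always counts; EID 10 counts only when the granted access allows writes."""
    if ev["eid"] == 8:
        return True
    if ev["eid"] == 10:
        return (ev.get("granted_access", 0) & WRITE_ACCESS_MASK) != 0
    return False


def correlate(events, window=60):
    """Alert only on: suspicious context + native DLL load + memory manipulation within window."""
    procs, native_load_ts, followon = {}, {}, defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["eid"] == 1:
            procs[ev["pid"]] = ev
        elif ev["eid"] == 7:
            if PureWindowsPath(ev["image_loaded"]).name.lower() in NATIVE_DLLS:
                native_load_ts.setdefault(ev["pid"], ev["ts"])  # first native load
        elif is_memory_manipulation(ev):
            followon[ev["source_pid"]].append(ev)

    alerts = []
    for pid, proc in procs.items():
        if PureWindowsPath(proc["image"]).name.lower() in BASELINE_IMAGES:
            continue  # local baseline: known legitimate behaviour
        reasons = context_reasons(proc)
        if not reasons or pid not in native_load_ts:
            continue  # benign context, or no native DLL load observed
        t0 = native_load_ts[pid]
        hits = [e for e in followon.get(pid, []) if t0 <= e["ts"] <= t0 + window]
        if not hits:
            continue  # DLL load alone is not enough
        alerts.append({
            "pid": pid,
            "image": proc["image"],
            "parent_image": proc["parent_image"],
            "context_reasons": reasons,
            "followon": [(e["eid"], e["target_pid"]) for e in hits],
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The access-mask check on EID 10 is what separates memory manipulation from routine process enumeration: a query-only handle (as for pid 500) never satisfies the rule, while a handle that includes write or thread-creation rights does. The window and baseline are the knobs to tune locally; the point of the structure is that the DLL load is a prerequisite in the chain, never the alert by itself.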
Mitigation priorities
- Confirm Windows endpoint visibility first: process creation, module-load, and memory/process-manipulation telemetry are the control foundation for this analytic.
- Tune endpoint detection and response content to emphasize suspicious sequences rather than common DLL-load events.
- Establish investigation playbooks for suspected process hollowing or memory manipulation, including evidence preservation and process lineage review.
- Use application control, least privilege, and endpoint hardening where appropriate to reduce opportunities for suspicious process execution, while recognizing this object does not provide specific mitigation guidance.
- Maintain compliance evidence showing which Windows telemetry sources are collected, retained, and reviewed for this class of behavior.
Analyst notes and limits
This is a detection analytic object for Windows in the enterprise ATT&CK domain. The supplied description is behavior-focused, but tactics, official detection logic, and relationship context are not provided. Glexia assessment should therefore emphasize validation of telemetry coverage, correlation quality, and investigation readiness rather than asserting a specific adversary objective or guaranteed detection outcome.
The source object is sparse: no official detection, no tactics, no relationships, no aliases, and no mitigation text were supplied. Conclusions are limited to the official description, platform, external reference, and object metadata. Local environment baselines and endpoint sensor capabilities are required to determine practical coverage and alert quality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f6e13e72d022… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1465 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.