title: Dynamic-link Library Injection (T1055.001)
id: df00tech-t1055-001
status: experimental
description: "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). Variations include reflective DLL injection (self-mapping DLL), memory module loading, and Module Stomping/DLL Hollowing where a legitimate DLL is loaded then its AddressOfEntryPoint is overwritten before execution."
references:
  - https://attack.mitre.org/techniques/T1055/001/
  - https://df00tech.com/detections/T1055.001
author: df00tech
date: 2026/04/16
tags:
  - attack.t1055.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is only a placeholder: a wildcard EventID matches every
  # process_creation event, so replace it with the real logic before enabling this rule.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "EDR and antivirus products injecting monitoring DLLs (e.g., CrowdStrike csagent.dll, SentinelOne hooks)"
  - Application compatibility framework (apphelp.dll) loading shim DLLs into processes
  - "Software instrumentation tools (AppDynamics, Dynatrace) injecting agent DLLs for APM monitoring"
  - Browser extensions and plugins loading DLLs into browser processes
level: high
