title: DLL (T1574.001)
id: df00tech-t1574-001
status: experimental
description: "Adversaries may abuse dynamic-link library (DLL) mechanisms to achieve persistence, privilege escalation, and defense evasion. Techniques include DLL search order hijacking (planting a malicious DLL earlier in the search path), DLL side-loading (placing a malicious DLL alongside a legitimate signed executable), phantom DLL hijacking (targeting references to non-existent DLLs), DLL substitution (replacing a valid DLL), and DLL redirection (using .manifest or .local files). Groups including Chimera, TONESHELL/Mustang Panda, Velvet Ant, APT41, and Aquatic Panda have extensively used these techniques to load malicious payloads under trusted process contexts."
references:
  - https://attack.mitre.org/techniques/T1574/001/
  - https://df00tech.com/detections/T1574.001
author: df00tech
date: 2026/04/21
tags:
  - attack.t1574.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate portable applications that bundle their own DLLs in AppData (e.g., some update mechanisms for Slack, Teams, or Electron apps)"
  - Developer workstations where build artifacts and test DLLs are loaded from non-standard paths
  - Software installers that extract DLLs to TEMP directories during installation and immediately load them
  - Security or monitoring tools that load plugins from user-writable configuration directories
level: high
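The rule's detection block is a placeholder, so the following is an added example of what the indicators described above look like when checked against Sysmon Event ID 7 (ImageLoad) records; it is not the df00tech rule or its KQL/SPL query. It flags a DLL loaded from a user-writable directory, a file name that collides with a Windows system DLL but is loaded from somewhere other than the Windows DLL directories (search-order hijacking), and an unsigned DLL sitting beside the executable that loads it (side-loading), and it applies an allowlist modelled on the falsepositives list. The user-writable directory markers, the system DLL baseline, the allowlisted loader directories and all sample events are constructed for the example.

```python
"""Triage Sysmon Event ID 7 (ImageLoad) records for DLL hijacking indicators.

Added example, not the df00tech rule. Field names mirror Sysmon's Image,
ImageLoaded, Signed and SignatureStatus; Signed is modelled as a bool.
"""
import ntpath
from dataclasses import dataclass

# Directory fragments an unprivileged user can normally write to (assumption).
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\",
)
# Directories where Windows keeps its own DLLs; loads from here are expected.
WINDOWS_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Small constructed baseline of system DLL names; in production derive the set
# from a golden image's System32 listing rather than hand-picking names.
SYSTEM_DLL_BASELINE = {"version.dll", "dwmapi.dll", "cryptbase.dll", "userenv.dll", "winhttp.dll"}
# Hypothetical allowlist of loader directories for portable apps that legitimately
# load their own DLLs from AppData (the false positives named in the rule).
ALLOWLISTED_LOADER_DIRS = ("\\appdata\\local\\slack\\", "\\appdata\\local\\microsoft\\teams\\")


@dataclass(frozen=True)
class ImageLoad:
    image: str             # loading process (Sysmon "Image")
    image_loaded: str      # DLL path (Sysmon "ImageLoaded")
    signed: bool           # Sysmon "Signed"
    signature_status: str  # Sysmon "SignatureStatus", e.g. "Valid"


def _norm(path: str) -> str:
    """Lower-case and use backslashes so substring checks are case-insensitive."""
    return path.replace("/", "\\").lower()


def classify(ev: ImageLoad) -> tuple[str, list[str]]:
    """Return (verdict, reasons); verdict is allowlisted, benign, medium or high."""
    dll = _norm(ev.image_loaded)
    dll_dir = ntpath.dirname(dll) + "\\"
    loader_dir = ntpath.dirname(_norm(ev.image)) + "\\"
    trusted_sig = ev.signed and ev.signature_status.lower() == "valid"
    reasons: list[str] = []
    if any(m in dll_dir for m in USER_WRITABLE_MARKERS):
        reasons.append("dll-in-user-writable-dir")
    if ntpath.basename(dll) in SYSTEM_DLL_BASELINE and not dll_dir.startswith(WINDOWS_DLL_DIRS):
        reasons.append("system-dll-name-outside-windows-dir")
    if dll_dir == loader_dir and not trusted_sig:
        reasons.append("unsigned-dll-beside-loader")
    # The allowlist only suppresses loads whose DLL carries a valid signature,
    # so an unsigned DLL dropped into an allowlisted app directory still alerts.
    if reasons and trusted_sig and any(m in loader_dir for m in ALLOWLISTED_LOADER_DIRS):
        return "allowlisted", reasons
    if not reasons:
        return "benign", reasons
    if "system-dll-name-outside-windows-dir" in reasons or len(reasons) >= 2:
        return "high", reasons
    return "medium", reasons


def triage(events: list[ImageLoad]) -> list[tuple[str, str, list[str]]]:
    """Return (verdict, DLL path, reasons) for every event that is not benign."""
    out = []
    for ev in events:
        verdict, reasons = classify(ev)
        if verdict != "benign":
            out.append((verdict, ev.image_loaded, reasons))
    return out


# Constructed sample events, one per scenario described in the rule text.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\explorer.exe", r"C:\Windows\System32\version.dll", True, "Valid"),
    ImageLoad(r"C:\Program Files\Vendor\tool.exe",
              r"C:\Users\alice\AppData\Local\Temp\version.dll", False, "Unavailable"),
    ImageLoad(r"C:\Users\alice\Downloads\update\legit.exe",
              r"C:\Users\alice\Downloads\update\dwmapi.dll", False, "Unavailable"),
    ImageLoad(r"C:\Users\alice\AppData\Local\slack\Update.exe",
              r"C:\Users\alice\AppData\Local\slack\app-4.0\ffmpeg.dll", True, "Valid"),
    ImageLoad(r"C:\Program Files\Vendor\tool.exe",
              r"C:\Program Files\Vendor\plugin.dll", False, "Unavailable"),
]

if __name__ == "__main__":
    for verdict, path, reasons in triage(SAMPLE_EVENTS):
        print(f"{verdict:12} {path}  [{', '.join(reasons)}]")
```

The verdict ladder is deliberately simple: a system DLL name outside the Windows DLL directories is treated as high on its own, because that is the signature of search-order hijacking, while a lone unsigned DLL beside its loader in a non-writable path is only medium, since many vendor installs look like that.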
