Shared Modules (T1129)

Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API).

Events covered

5 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 11 rules tagged with this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (19 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
ImageLoaded | 6 | ends_with 2, starts_with 2, contains 1, ne 1, wildcard 1 | *.dll, .node, .vscode\extensions\ms-toolsai.jupyter-, ?:\users\*\appdata\local\temp\wps\inetcache\*, \\*
process_name | 4 | eq 4 | cmd.exe, excel.exe, msaccess.exe, powerpnt.exe, powershell.exe
EventID | 3 | eq 3 | 7, 4104
TargetFilename | 3 | ends_with 1, eq 1, wildcard 1 | *\\windowspowershell\\modules\\*.dll, .xll, ?:\users\*\appdata\local\temp\wps\inetcache\*, \\*, \device\mup\**
Image | 2 | ends_with 1, wildcard 1 | \code.exe, c:\program files (x86)\webhelpdesk\*\java*.exe, c:\program files\webhelpdesk\*\java*.exe
Signed | 2 | eq 1, ne 1 | false, true
event.category | 2 | eq 2 | library, process
event.type | 2 | eq 2 | start
process.args | 2 | wildcard 2, contains 1, eq 1 | .+\.(wll|xll|ppa|ppam|xla|xlam|vsto), /RunHandlerComServer, /UpdateDeploymentProvider, ?:\ProgramData\*, ?:\Users\*\AppData\Roaming\*
EventType | 1 | starts_with 1 | Image loaded
OriginalFileName | 1 | eq 1 | wuauclt.exe
ParentImage | 1 | wildcard 1 | c:\program files (x86)\webhelpdesk\*\java*.exe, c:\program files\webhelpdesk\*\java*.exe
ScriptBlockText | 1 | contains 1 | $_val=' + $_expression, $lastword, function write-members
SignatureStatus | 1 | eq 1 | Unavailable
dll.code_signature.exists | 1 | eq 1 | false

Top indicator values (71 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
EventID | eq | 7 | | 239
EventID | eq | 4104 | | 1268
event.category | eq | library | | 27
event.category | eq | process | | 211
event.type | eq | start | | 2241
EventType | starts_with | Image loaded | | 16
Image | ends_with | \code.exe | | 14
Image | wildcard | c:\program files (x86)\webhelpdesk\*\java*.exe | | 1
Image | wildcard | c:\program files\webhelpdesk\*\java*.exe | | 1
ImageLoaded | contains | .vscode\extensions\ms-toolsai.jupyter- | | 1
ImageLoaded | ends_with | .node | | 1
ImageLoaded | ends_with | \appdata\local\temp\received_dll.dll | | 1
ImageLoaded | ends_with | \electron.napi.node | | 1
ImageLoaded | ends_with | \katz_ontop.dll | | 1
ImageLoaded | ends_with | \node.napi.glibc.node | | 1
ImageLoaded | ne | *.dll | | 1
ImageLoaded | starts_with | \\\\ | | 12
ImageLoaded | starts_with | \device\mup\ | | 1
ImageLoaded | wildcard | ?:\users\*\appdata\local\temp\wps\inetcache\* | | 1
ImageLoaded | wildcard | \\* | | 1
ImageLoaded | wildcard | \device\mup\** | | 1
OriginalFileName | eq | wuauclt.exe | | 13
ParentImage | wildcard | c:\program files (x86)\webhelpdesk\*\java*.exe | | 1
ParentImage | wildcard | c:\program files\webhelpdesk\*\java*.exe | | 1
ScriptBlockText | contains | $_val=' + $_expression | | 1
ScriptBlockText | contains | $lastword | | 1
ScriptBlockText | contains | function write-members | | 1
SignatureStatus | eq | Unavailable | | 1
Signed | eq | false | | 19
Signed | ne | true | | 1

Exclusions (18 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
Image | ends_with | \code.exe | 1
ImageLoaded | contains | .vscode\extensions\ms-toolsai.jupyter- | 1
ImageLoaded | ends_with | \electron.napi.node | 1
ImageLoaded | ends_with | \node.napi.glibc.node | 1
ParentImage | wildcard | ?:\program files\common files\microsoft shared\vsto\*\vstoinstaller.exe | 1
ParentImage | wildcard | ?:\program files\logioptionsplus\plugininstallerutility*.exe | 1
ParentImage | wildcard | ?:\program files\logitech\logioptions\plugininstallerutility*.exe | 1
ParentImage | wildcard | ?:\program files\logitech\logioptions\plugininstallerutility.exe | 1
ParentImage | wildcard | ?:\programdata\logishrd\logioptions\plugins\vsto\*\vstoinstaller.exe | 1
ParentImage | wildcard | ?:\programdata\logishrd\logioptionsplus\plugins\vsto\*\vstoinstaller.exe | 1
TargetFilename | in | *:\\program files\\microsoft office\\* | 1
TargetFilename | in | *\\appdata\\roaming\\microsoft\\addins\\* | 1
parent_process_name | eq | rundll32.exe | 1
process.args | ends_with | .vsto | 1
process.args | eq | /Uninstall | 1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.

Sigma: 2 rules

Elastic: 4 rules

Splunk: 5 rules