Home/ MITRE Matrix/ Execution/ T1129

T1129Shared Modules

T1129 — Shared Modules is a MITRE ATT&CK technique in the Execution tactic. Clankerusecase tracks 9 detection use cases covering it and 4 threat-intel articles citing it.

Execution

View on the matrix → Filter Detection Library MITRE official spec ↗

9Use cases

4Articles

0Sub-techniques

1Tactic

Use cases covering this technique (9)

Windows Executable in Loaded Modules ESCU actions · alerting P Windows PowerShell Module File Created ESCU actions · hunting P Windows PowerShell Script TabExpansion Direct Call ESCU actions · hunting P Windows Remote Image Load ESCU actions · hunting P Windows XLL File Creation Outside of Typical Location ESCU actions · hunting P [LLM] Mini Shai-Hulud: Python subprocess spawns `_runtime/start.py` from lightning site-packages Bespoke install · alerting DSΣPDD [LLM] GlassWorm Zig dropper native node addon (win.node/mac.node) written to IDE extension bin/ folder Bespoke install · hunting DSΣPDD [LLM] Sednit known-bad SHA-1 hash match: Xagent / SlimAgent / BeardShell binaries Bespoke install · alerting DSΣPDDCS [LLM] SlimAgent / BeardShell DLL load with implant filename outside System32 Bespoke install · alerting DSΣPDDCS

Articles citing this technique (4)

high Popular PyTorch Lightning Package Compromised by Mini Shai-Hulud art-339

high GlassWorm goes native: New Zig dropper infects every IDE on your machine art-405

crit Sednit reloaded: Back in the trenches art-477

crit Gotta fly: Lazarus targets the UAV sector art-734