INJ-MODULE-STOMPDefense Evasion

Module Stomping

Load a benign signed DLL into the target, then overwrite its .text in memory with attacker code — call stack still references the signed module.

§ Where this technique fits

INJ-MODULE-STOMP is catalogued under the Defense Evasion tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 4 on average.

§ Dossiers chaining this technique

AMSI patch → in-memory .NET / PowerShell stager
Patch AmsiScanBuffer in amsi.dll → return clean for any content. Subsequent PowerShell / Office VBA / .NET runtime calls emit attacker code without scanning.
step 4 / 6

§ What commonly comes next

01
Application Layer Protocol
T1071 · Command and Control
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

AMSI patch → in-memory .NET / PowerShell stager

§ What commonly comes next