T1574.001: DLL Search Order Hijacking
View on MITRE ATT&CK | T1574.001 |
---|---|
Tactic(s) | Defense Evasion, Privilege Escalation, Persistence |
Associated CAPEC Patterns | Search Order Hijacking (CAPEC-471) |
Data from MITRE ATT&CK®:
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
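The search order the MITRE text describes, as an added worked example (a Python model written for this page, not MITRE's text or code from any tool the page cites). It reproduces the order Microsoft documents for LoadLibrary when a program asks for a DLL by bare name, shows how SafeDllSearchMode moves the current directory, and lists which attacker-writable directories are consulted before the legitimate copy (the same question an audit of a search-order-vulnerable program asks). All paths, directory contents, the writable set and the KnownDLLs subset are constructed assumptions.

```python
"""Model of the Windows DLL search order (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed subset of HKLM\...\Session Manager\KnownDLLs. Names on that list
# are mapped from the \KnownDlls section and never searched on disk, so a
# planted copy with the same name is ignored.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll"}


@dataclass
class SearchContext:
    app_dir: str                       # directory the executable was loaded from
    cwd: str                           # process current working directory
    path_dirs: list[str]               # %PATH% entries, in order
    system_dir: str = r"C:\Windows\System32"
    system16_dir: str = r"C:\Windows\System"
    windows_dir: str = r"C:\Windows"
    safe_dll_search_mode: bool = True  # SafeDllSearchMode registry value (default on)
    files: dict[str, set[str]] = field(default_factory=dict)  # dir -> lower-case names
    writable: set[str] = field(default_factory=set)           # dirs a standard user can write


def search_order(ctx: SearchContext) -> list[str]:
    """Directories in the order LoadLibrary walks them for an unqualified name.

    With SafeDllSearchMode on the current directory is searched after the
    Windows directories; with it off, it is second, right after the app dir.
    """
    windows_dirs = [ctx.system_dir, ctx.system16_dir, ctx.windows_dir]
    if ctx.safe_dll_search_mode:
        order = [ctx.app_dir, *windows_dirs, ctx.cwd]
    else:
        order = [ctx.app_dir, ctx.cwd, *windows_dirs]
    return order + list(ctx.path_dirs)


def resolve(ctx: SearchContext, dll_name: str) -> str | None:
    """Full path LoadLibrary would map for dll_name, or None if not found."""
    name = dll_name.lower()
    if name in KNOWN_DLLS:
        return ctx.system_dir + "\\" + name
    for directory in search_order(ctx):
        if name in ctx.files.get(directory, set()):
            return directory + "\\" + name
    return None


def hijack_opportunities(ctx: SearchContext, dll_name: str) -> list[str]:
    """Writable directories searched before the legitimate copy of dll_name.

    Planting dll_name in any of them makes resolve() return the planted file.
    For a DLL that exists nowhere (a non-existent or 'phantom' DLL) every
    writable directory in the order qualifies. Assumes ctx.files is a clean
    system with nothing planted yet.
    """
    name = dll_name.lower()
    if name in KNOWN_DLLS:
        return []
    found = []
    for directory in search_order(ctx):
        if name in ctx.files.get(directory, set()):
            break  # legitimate copy reached; later directories are never tried
        if directory in ctx.writable:
            found.append(directory)
    return found


def plant(ctx: SearchContext, directory: str, dll_name: str) -> None:
    """Simulate the adversary dropping a DLL into a directory."""
    ctx.files.setdefault(directory, set()).add(dll_name.lower())


def make_ctx(safe_mode: bool) -> SearchContext:
    """Constructed scenario: a vendor app launched by a user sitting in Downloads."""
    return SearchContext(
        app_dir=r"C:\Program Files\Vendor\App",
        cwd=r"C:\Users\alice\Downloads",
        path_dirs=[r"C:\Windows\System32", r"C:\Tools"],
        safe_dll_search_mode=safe_mode,
        files={
            r"C:\Windows\System32": {"dbghelp.dll", "kernel32.dll"},
            r"C:\Program Files\Vendor\App": {"app.exe"},
        },
        writable={r"C:\Users\alice\Downloads", r"C:\Tools"},
    )


def demo() -> dict[str, object]:
    """Run the scenario under both SafeDllSearchMode settings."""
    safe, unsafe = make_ctx(True), make_ctx(False)
    results: dict[str, object] = {
        # dbghelp.dll lives in System32; only a writable dir ahead of it helps.
        "safe_dbghelp_opportunities": hijack_opportunities(safe, "dbghelp.dll"),
        "unsafe_dbghelp_opportunities": hijack_opportunities(unsafe, "dbghelp.dll"),
        # A name the app requests that ships nowhere: every writable dir wins.
        "phantom_opportunities_safe": hijack_opportunities(safe, "vendorhelper.dll"),
    }
    # Current-directory preloading: plant next to the document the user opened.
    plant(safe, r"C:\Users\alice\Downloads", "dbghelp.dll")
    plant(unsafe, r"C:\Users\alice\Downloads", "dbghelp.dll")
    results["safe_resolve_after_plant"] = resolve(safe, "dbghelp.dll")
    results["unsafe_resolve_after_plant"] = resolve(unsafe, "dbghelp.dll")
    # KnownDLLs stay immune even with a copy beside the executable.
    plant(safe, r"C:\Program Files\Vendor\App", "kernel32.dll")
    results["known_dll_after_plant"] = resolve(safe, "kernel32.dll")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the model makes visible: SafeDllSearchMode defeats the Downloads-folder plant for a DLL that exists in System32, but it does nothing for a writable application directory or for a name the program requests that is not installed anywhere, and KnownDLLs cannot be hijacked by file planting at all. Real audits must also account for DLL redirection and manifests, which the model does not cover.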
Reporting on this Technique
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
This report from Recorded Future's Insikt Group outlines activity by the Red Hotel intrusion set. RedHotel is identified as a prominent Chinese ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
APT41 Has Arisen From the DUST
This report from Mandiant outlines APT41 activity observed since 2023 including successful compromises of logistic, media, technology and ...
FamousSparrow: A suspicious hotel guest
This blog post by researchers from ESET describes the FamousSparrow APT group and associated custom backdoor 'SparrowDoor'. According to the post, ...
Threat Assessment: Black Basta Ransomware
This threat assessment from Palo Alto's Unit 42 describes the Black Basta 'Ransomware as a Service' operation including TTPs (tactics, techniques ...
Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections
Blog post from researchers at Trend Micro discussing Earth Lusca and potential links to Chinese contractor I-Soon. Earth Lusca is a China-linked ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Restrict Library Loading
Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potentially vulnerable software.
Audit
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
Execution Prevention
Block execution of code on a system through application control, and/or script blocking.
How to detect this technique
MITRE ATT&CK Data Components
Module Load (Module)
Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)
File Modification (File)
Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)
File Creation (File)
Initial construction of a new file (ex: Sysmon EID 11)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Sigma Detections for this Technique
Potential RjvPlatform.DLL Sideloading From Default Location
Potential Rcdll.DLL Sideloading
Potential SmadHook.DLL Sideloading
Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
Potential DLL Sideloading Of Non-Existent DLLs From System Folders
Powerup Write Hijack DLL
Potential Vivaldi_elf.DLL Sideloading
Creation Of Non-Existent System DLL
Potential Wazuh Security Platform DLL Sideloading
Potential EACore.DLL Sideloading
Potential RjvPlatform.DLL Sideloading From Non-Default Location
Microsoft Office DLL Sideload
Potential Libvlc.DLL Sideloading
Unsigned Mfdetours.DLL Sideloading
Fax Service DLL Search Order Hijack
Potential Mfdetours.DLL Sideloading
DLL Sideloading Of ShellChromeAPI.DLL
Potential Goopdate.DLL Sideloading
Potential Iviewers.DLL Sideloading
Potential 7za.DLL Sideloading
Potential CCleanerReactivator.DLL Sideloading
Potential DLL Sideloading Of DBGCORE.DLL
Potential SolidPDFCreator.DLL Sideloading
VMGuestLib DLL Sideload
Creation of an WerFault.exe in Unusual Folder
Use Of Hidden Paths Or Files
Potential CCleanerDU.DLL Sideloading
Potential DLL Sideloading Via comctl32.dll
Third Party Software DLL Sideloading
Potential System DLL Sideloading From Non System Locations
Potential Waveedit.DLL Sideloading
Potential WWlib.DLL Sideloading
Potential DLL Sideloading Via ClassicExplorer32.dll
Potential DLL Sideloading Via JsSchHlp
Potential Initial Access via DLL Search Order Hijacking
Aruba Network Service Potential DLL Sideloading
Potential DLL Sideloading Of DBGHELP.DLL
VMMap Unsigned Dbghelp.DLL Potential Sideloading
Potential AVKkid.DLL Sideloading
Potential appverifUI.DLL Sideloading
Potential Chrome Frame Helper DLL Sideloading
Potential RoboForm.DLL Sideloading
Potential ShellDispatch.DLL Sideloading
Potential Edputil.DLL Sideloading
Potential Antivirus Software DLL Sideloading
VMMap Signed Dbghelp.DLL Potential Sideloading
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.