T1574.002: DLL Side-Loading
| View on MITRE ATT&CK | T1574.002 |
|---|---|
| Tactic(s) | Privilege Escalation, Persistence, Defense Evasion |
| Associated CAPEC Patterns | DLL Side-Loading (CAPEC-641) |
Data from MITRE ATT&CK®:
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
Earth Preta Campaign Uses DOPLUGS to Target Asia
This blog post by researchers from Trend Micro describes the use of a customized PlugX backdoor which they name DOPLUGS. The DOPLUGS malware uses ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
APT41 Has Arisen From the DUST
This report from Mandiant outlines APT41 activity observed since 2023 including successful compromises of logistic, media, technology and ...
Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear
This blog post from researchers at Trend Micro discusses the cyberespionage group Earth Hundun and its malware, Waterbear and Deuterbear, which ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
This Cybersecurity Advisory by CISA with US and international partners outlines activity which they link to APT29 (also known as The Dukes, Cozy ...
CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign
This report by TrendMicro's Zero Day Initiative describes a campaign associated with the DarkGate ransomware. According to the post, DarkGate ...
Evasive Panda leverages Monlam Festival to target Tibetans
This report by researchers at ESET describes a campaign which they attribute to the China-aligned APT Evasive Panda. The report describes a ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Application Developer Guidance
This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.
Update Software
Perform regular software updates to mitigate exploitation risk.
Audit
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
Restrict File and Directory Permissions
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
How to detect this technique
MITRE ATT&CK Data Components
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Module Load (Module)
Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)
File Creation (File)
Initial construction of a new file (ex: Sysmon EID 11)
File Modification (File)
Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Sigma Detections for this Technique
Potential Rcdll.DLL Sideloading
Potential DLL Sideloading Of Non-Existent DLLs From System Folders
DLL Sideloading by VMware Xfer Utility
Potential Azure Browser SSO Abuse
DHCP Server Loaded the CallOut DLL
Potential 7za.DLL Sideloading
Potential System DLL Sideloading From Non System Locations
Potential DLL Sideloading Via comctl32.dll
Aruba Network Service Potential DLL Sideloading
Potential Wazuh Security Platform DLL Sideloading
Fax Service DLL Search Order Hijack
Potential CCleanerReactivator.DLL Sideloading
Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
Potential DLL Sideloading Of DBGHELP.DLL
New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
DNS Server Error Failed Loading the ServerLevelPluginDLL
Unsigned Module Loaded by ClickOnce Application
Suspicious Unsigned Thor Scanner Execution
Potential Waveedit.DLL Sideloading
Potential Mpclient.DLL Sideloading
Third Party Software DLL Sideloading
UAC Bypass With Fake DLL
Potential DLL Sideloading Via DeviceEnroller.EXE
Potential Antivirus Software DLL Sideloading
Xwizard DLL Sideloading
Tasks Folder Evasion
Potential Goopdate.DLL Sideloading
Potential Vivaldi_elf.DLL Sideloading
Potential SolidPDFCreator.DLL Sideloading
New DNS ServerLevelPluginDll Installed
Potential EACore.DLL Sideloading
Unsigned Mfdetours.DLL Sideloading
Potential Chrome Frame Helper DLL Sideloading
Creation Of Non-Existent System DLL
Potential Mfdetours.DLL Sideloading
VMMap Unsigned Dbghelp.DLL Potential Sideloading
Potential RjvPlatform.DLL Sideloading From Non-Default Location
Suspicious GUP Usage
Potential RjvPlatform.DLL Sideloading From Default Location
Renamed Vmnat.exe Execution
Potential Mpclient.DLL Sideloading Via Defender Binaries
Potential DLL Sideloading Via VMware Xfer
DLL Search Order Hijackig Via Additional Space in Path
Potential ShellDispatch.DLL Sideloading
Potential WWlib.DLL Sideloading
DLL Sideloading Of ShellChromeAPI.DLL
Microsoft Office DLL Sideload
Potential Iviewers.DLL Sideloading
VMMap Signed Dbghelp.DLL Potential Sideloading
Potential AVKkid.DLL Sideloading
DHCP Callout DLL Installation
Unsigned Binary Loaded From Suspicious Location
Potential DLL Sideloading Via ClassicExplorer32.dll
Potential SmadHook.DLL Sideloading
Potential appverifUI.DLL Sideloading
DHCP Server Error Failed Loading the CallOut DLL
VMGuestLib DLL Sideload
Potential CCleanerDU.DLL Sideloading
Microsoft Defender Blocked from Loading Unsigned DLL
Malicious DLL File Dropped in the Teams or OneDrive Folder
Potential Libvlc.DLL Sideloading
Potential Edputil.DLL Sideloading
Potential RoboForm.DLL Sideloading
Potential DLL Sideloading Via JsSchHlp
Potential DLL Sideloading Of DBGCORE.DLL
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.