Home
ATT&CK Techniques
T1574.001 DLL Search Order Hijacking

T1574.001 DLL Search Order Hijacking Mappings

Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.

There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)

Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)

If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.

View in MITRE ATT&CK®

Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
CA-8	Penetration Testing	Protects	T1574.001	DLL Search Order Hijacking
CM-2	Baseline Configuration	Protects	T1574.001	DLL Search Order Hijacking
CM-6	Configuration Settings	Protects	T1574.001	DLL Search Order Hijacking
CM-7	Least Functionality	Protects	T1574.001	DLL Search Order Hijacking
RA-5	Vulnerability Monitoring and Scanning	Protects	T1574.001	DLL Search Order Hijacking
SI-10	Information Input Validation	Protects	T1574.001	DLL Search Order Hijacking
SI-3	Malicious Code Protection	Protects	T1574.001	DLL Search Order Hijacking
SI-4	System Monitoring	Protects	T1574.001	DLL Search Order Hijacking
SI-7	Software, Firmware, and Information Integrity	Protects	T1574.001	DLL Search Order Hijacking
action.hacking.variety.Exploit misconfig	Exploit a misconfiguration (vs vuln or weakness)	related-to	T1574.001	Hijack Execution Flow: DLL Search Order Hijacking
action.hacking.variety.Exploit vuln	Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties.	related-to	T1574.001	Hijack Execution Flow: DLL Search Order Hijacking
action.hacking.variety.Hijack	To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)	related-to	T1574.001	Hijack Execution Flow: DLL Search Order Hijacking
action.hacking.variety.Unknown	Unknown	related-to	T1574.001	Hijack Execution Flow: DLL Search Order Hijacking