T1574.002 DLL Side-Loading Mappings

Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).

Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process. (Citation: FireEye DLL Side-Loading)
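As an added illustration of the search-order point above (example code, not part of the ATT&CK technique page or the CTID mappings), a small detection heuristic in Python: it flags a module that carries the name of a well-known system DLL but was resolved from the application's own directory instead of the Windows system directory, and is not signed by the application's publisher. The module-load records, the short allow-list of system DLL names and the `signer_match` field are constructed assumptions standing in for what an EDR or Sysmon-style telemetry pipeline would supply.

```python
"""Heuristic for spotting DLL side-loading candidates in module-load telemetry.

Everything here is constructed for the example: the record shape, the
system DLL allow-list and the sample events are assumptions, not data
from the ATT&CK page.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which the listed DLLs are expected to be loaded.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Constructed allow-list of DLL names a well-behaved process resolves
# from the system directory; a real list would be much longer.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}


@dataclass(frozen=True)
class ModuleLoad:
    image: str          # full path of the process executable
    module: str         # full path of the DLL that was loaded
    signer_match: bool  # DLL signed by the same publisher as the image (assumed field)


def is_sideload_candidate(ev: ModuleLoad) -> bool:
    img = PureWindowsPath(ev.image.lower())
    mod = PureWindowsPath(ev.module.lower())
    if mod.name not in KNOWN_SYSTEM_DLLS:
        return False            # not a name the loader should find in System32
    if str(mod.parent) in SYSTEM_DIRS:
        return False            # resolved from the expected location
    # Tell-tale of side-loading: a system-DLL name satisfied from the
    # application's own directory by a file the vendor did not sign.
    return mod.parent == img.parent and not ev.signer_match


def flag_sideloads(events):
    return [ev for ev in events if is_sideload_candidate(ev)]


# Constructed sample telemetry: one benign system load, one candidate,
# one vendor DLL legitimately shipped beside the executable.
SAMPLE_EVENTS = [
    ModuleLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Windows\System32\version.dll", False),
    ModuleLoad(r"C:\Users\alice\AppData\Local\Temp\app.exe",
               r"C:\Users\alice\AppData\Local\Temp\version.dll", False),
    ModuleLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\vendorcore.dll", True),
]

if __name__ == "__main__":
    for ev in flag_sideloads(SAMPLE_EVENTS):
        print(f"side-load candidate: {ev.module} loaded by {ev.image}")
```

The heuristic is deliberately narrow: it only fires when a name on the allow-list is satisfied from the image directory, so a vendor DLL shipped beside the executable (third event) does not alert.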


NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| SA-10 | Developer Configuration Management | Protects | T1574.002 | DLL Side-Loading | |
| SA-11 | Developer Testing and Evaluation | Protects | T1574.002 | DLL Side-Loading | |
| SA-15 | Development Process, Standards, and Tools | Protects | T1574.002 | DLL Side-Loading | |
| SA-16 | Developer-provided Training | Protects | T1574.002 | DLL Side-Loading | |
| SA-17 | Developer Security and Privacy Architecture and Design | Protects | T1574.002 | DLL Side-Loading | |
| SA-03 | System Development Life Cycle | Protects | T1574.002 | DLL Side-Loading | |
| SA-04 | Acquisition Process | Protects | T1574.002 | DLL Side-Loading | |
| SA-08 | Security and Privacy Engineering Principles | Protects | T1574.002 | DLL Side-Loading | |
| SI-02 | Flaw Remediation | Protects | T1574.002 | DLL Side-Loading | |