Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading)
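The description above says side-loading works because the loader resolves a DLL from the application's own directory before anywhere else, so a payload dropped next to a trusted executable is picked up in place of the library that executable expects. One of the mitigations listed further down this page (secure SDLC, "including hash values in manifest files") is directly checkable: compare every DLL that sits beside the executable against a manifest of expected SHA-256 hashes and flag anything unlisted, modified, or missing. The following audit is an added example, not code from MITRE ATT&CK or the mapping project; the application folder, its files, and the manifest are all constructed in a temporary directory so the script runs offline.

```python
"""Audit the DLLs that sit alongside an executable against a hash manifest.

Added example (not part of the original page). The manifest format
{"<dll name lower-case>": "<sha256 hex>"} is an assumption; a real
deployment would ship the manifest signed with the application.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_app_dir(app_dir: Path, manifest: dict) -> dict:
    """Classify every *.dll in app_dir relative to the manifest.

    ok         - listed and hash matches
    mismatch   - listed but contents differ (tampered or replaced)
    unexpected - present beside the executable but not in the manifest at all
                 (the classic side-loading indicator, whatever the file is named)
    missing    - in the manifest but absent from the directory
    """
    findings = {"ok": [], "mismatch": [], "unexpected": [], "missing": []}
    seen = set()
    for p in sorted(app_dir.iterdir()):
        if p.suffix.lower() != ".dll":
            continue
        name = p.name.lower()
        seen.add(name)
        digest = sha256_file(p)
        if name not in manifest:
            findings["unexpected"].append(name)
        elif manifest[name] != digest:
            findings["mismatch"].append(name)
        else:
            findings["ok"].append(name)
    for name in manifest:
        if name not in seen:
            findings["missing"].append(name)
    return findings


def build_demo_dir() -> tuple:
    """Constructed sample: a trusted app folder with one good DLL, one altered DLL,
    one stray DLL, plus a manifest that also lists a DLL that is not on disk."""
    root = Path(tempfile.mkdtemp(prefix="sideload_demo_"))
    good = b"MZ constructed-good-library"
    (root / "trusted_app.exe").write_bytes(b"MZ constructed-exe")
    (root / "helper.dll").write_bytes(good)
    (root / "render.dll").write_bytes(b"MZ constructed-altered")   # manifest expects other bytes
    (root / "stray.dll").write_bytes(b"MZ constructed-stray")      # not in the manifest
    manifest = {
        "helper.dll": hashlib.sha256(good).hexdigest(),
        "render.dll": hashlib.sha256(b"MZ constructed-original-render").hexdigest(),
        "crypto.dll": hashlib.sha256(b"MZ constructed-crypto").hexdigest(),  # expected, absent
    }
    return root, manifest


def run_demo() -> dict:
    """Build the constructed folder and audit it; returns the findings dict."""
    root, manifest = build_demo_dir()
    return audit_app_dir(root, manifest)


if __name__ == "__main__":
    for category, names in run_demo().items():
        print(f"{category:10s}: {names}")
```

The `unexpected` bucket is the one that matters most for this technique: a DLL the application never shipped, sitting in the directory the loader searches first, is exactly the condition the description above relies on. Running the same audit on a schedule, or at install time against a signed manifest, gives a concrete control behind the "hash values in manifest files" language used in the mapping notes.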
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1574.002 | DLL Side-Loading | This diagnostic statement provides for secure application development processes and procedures, such as including hash values in manifest files to help prevent side-loading of malicious libraries. |
PR.PS-01.08 | End-user device protection | Mitigates | T1574.002 | DLL Side-Loading | This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1574.002 | DLL Side-Loading | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, applying patches that fix DLL side-loading vulnerabilities mitigates the execution of malicious payloads by side-loading DLLs. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
SA-10 | Developer Configuration Management | mitigates | T1574.002 | DLL Side-Loading | |
SA-15 | Development Process, Standards, and Tools | mitigates | T1574.002 | DLL Side-Loading | |
SA-16 | Developer-provided Training | mitigates | T1574.002 | DLL Side-Loading | |
SA-17 | Developer Security and Privacy Architecture and Design | mitigates | T1574.002 | DLL Side-Loading | |
SA-03 | System Development Life Cycle | mitigates | T1574.002 | DLL Side-Loading | |
SA-04 | Acquisition Process | mitigates | T1574.002 | DLL Side-Loading | |
SI-02 | Flaw Remediation | mitigates | T1574.002 | DLL Side-Loading | |
SA-11 | Developer Testing and Evaluation | mitigates | T1574.002 | DLL Side-Loading | |
SA-08 | Security and Privacy Engineering Principles | mitigates | T1574.002 | DLL Side-Loading | |