Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting (Citation: OWASP Binary Planting), by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL. (Citation: Microsoft Dynamic-Link Library Redirection) (Citation: Microsoft Manifests) (Citation: FireEye DLL Search Order Hijacking)
If a search-order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at that higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM, or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
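As an added example (not part of the ATT&CK description or of the mapping below), the following Python models the default Windows DLL search order described above and audits, for a constructed directory layout, which copy of a DLL would load, which later copies it shadows, and whether any directory searched before the winning copy is writable by non-admin users. All paths, file sets and the writable-directory set are constructed; the SafeDllSearchMode behaviour follows the Microsoft search-order documentation the description cites.

```python
SYSTEM32 = r"C:\Windows\System32"
WINDOWS = r"C:\Windows"

def search_order(app_dir, cwd, path_dirs, safe_dll_search_mode=True):
    """Directories Windows consults, in order, for a DLL requested by bare name that
    is not in KnownDLLs. With SafeDllSearchMode (the default) the working directory
    is searched after the system directories; disabled, it moves to second place."""
    system_dirs = [SYSTEM32, WINDOWS + r"\System", WINDOWS]
    if safe_dll_search_mode:
        return [app_dir, *system_dirs, cwd, *path_dirs]
    return [app_dir, cwd, *system_dirs, *path_dirs]

def _has(fs, directory, dll):
    return dll.lower() in {f.lower() for f in fs.get(directory, set())}
def resolve(dll, order, fs):
    """First directory in the search order holding `dll`: the copy that gets loaded."""
    return next((d for d in order if _has(fs, d, dll)), None)

def audit(dll, order, fs, writable):
    """Where `dll` resolves, which later copies it shadows, and which directories
    searched before the winning copy are writable by non-admins ('exposed')."""
    winner = resolve(dll, order, fs)
    if winner is None:
        return {"dll": dll, "resolved": None, "shadowed": [], "exposed": []}
    idx = order.index(winner)
    return {"dll": dll, "resolved": winner,
            "shadowed": [d for d in order[idx + 1:] if _has(fs, d, dll)],
            "exposed": [d for d in order[:idx] if d in writable]}
# Constructed sample: directory -> files present, and directories non-admins can write to.
DOWNLOADS = r"C:\Users\alice\Downloads"
FS = {r"C:\Program Files\ExampleApp": {"ExampleApp.exe"},
      SYSTEM32: {"version.dll", "kernel32.dll"},
      r"C:\Tools": {"version.dll"}}           # stray copy on PATH (constructed)
WRITABLE = {DOWNLOADS, r"C:\Tools"}

def installed_app():
    # Installed under Program Files: System32 wins, C:\Tools copy is shadowed, nothing exposed.
    order = search_order(r"C:\Program Files\ExampleApp", DOWNLOADS, [r"C:\Tools"])
    return audit("version.dll", order, FS, WRITABLE)

def app_run_from_downloads():
    # Same binary launched from a writable folder: that folder is searched before System32.
    order = search_order(DOWNLOADS, DOWNLOADS, [r"C:\Tools"])
    return audit("version.dll", order, FS, WRITABLE)

def legacy_search_mode():
    # SafeDllSearchMode off: the working directory outranks System32 even for an installed app.
    order = search_order(r"C:\Program Files\ExampleApp", DOWNLOADS, [r"C:\Tools"], False)
    return audit("version.dll", order, FS, WRITABLE)
```

A non-empty `exposed` list is the configuration gap the CM-6 and SI-7 controls in the mapping are meant to close; directories listed under `shadowed` are stale copies worth removing.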
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-8 | Penetration Testing | Protects | T1574.001 | DLL Search Order Hijacking | |
CM-2 | Baseline Configuration | Protects | T1574.001 | DLL Search Order Hijacking | |
CM-6 | Configuration Settings | Protects | T1574.001 | DLL Search Order Hijacking | |
CM-7 | Least Functionality | Protects | T1574.001 | DLL Search Order Hijacking | |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1574.001 | DLL Search Order Hijacking | |
SI-10 | Information Input Validation | Protects | T1574.001 | DLL Search Order Hijacking | |
SI-3 | Malicious Code Protection | Protects | T1574.001 | DLL Search Order Hijacking | |
SI-4 | System Monitoring | Protects | T1574.001 | DLL Search Order Hijacking | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1574.001 | DLL Search Order Hijacking | |
azure_sentinel | Azure Sentinel | technique_scores | T1574.001 | DLL Search Order Hijacking | Comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but it does not address other procedures. |
azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1574.001 | DLL Search Order Hijacking | Comments: This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Privesc-PowerUp modules, but it does not address other procedures, and the temporal factor is unknown, resulting in a Minimal score. |