T1129 Shared Modules Mappings

Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and from arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API, which is called from Win32 API functions such as <code>CreateProcess</code> and <code>LoadLibrary</code>. (Citation: Wikipedia Windows Library Files)

The module loader can load DLLs:

  • via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;

  • via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);

  • via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;

  • via <code>&lt;file name="filename.extension" loadFrom="fully-qualified or relative pathname"&gt;</code> in an embedded or external "application manifest". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.
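The four loading paths above share one property a defender can audit: each of them lets a pathname, rather than a bare module name, decide what the loader maps into a process. The following Python script is an added example, not code from the ATT&CK page or from any MITRE tool. It classifies pathnames from two of those sources, the <code>loadFrom</code> attribute of <code>&lt;file&gt;</code> elements in an application manifest and the module names taken from an image's IMPORT directory or forwarded EXPORTs, and reports which <code>program.exe.local</code> redirection entry the loader would consult. The sample manifest and import list are constructed for illustration; the manifest namespace is the standard <code>urn:schemas-microsoft-com:asm.v1</code>.

```python
"""Audit helper for loader pathnames (added example; not MITRE code)."""
import ntpath
import os
import xml.etree.ElementTree as ET

# Namespace used by Windows application manifests.
ASM_NS = "urn:schemas-microsoft-com:asm.v1"

# Classifications that let a manifest or import reach outside the
# application's own directory tree.
SUSPICIOUS = {"unc", "absolute", "relative-escaping"}


def classify_path(p: str) -> str:
    """Classify a loader pathname by how far it can reach.

    Returns 'unc', 'absolute', 'relative-escaping', 'relative' or 'bare'.
    A bare name (e.g. "KERNEL32.dll") follows the normal DLL search order;
    anything else names a location explicitly.
    """
    p = p.strip()
    if p.startswith("\\\\") or p.startswith("//"):
        return "unc"  # \\server\share\... network path
    drive, _rest = ntpath.splitdrive(p)
    if drive or p.startswith(("\\", "/")):
        return "absolute"
    if "\\" not in p and "/" not in p:
        return "bare"
    parts = [x for x in p.replace("/", "\\").split("\\") if x]
    if ".." in parts:
        return "relative-escaping"  # climbs out of the application directory
    return "relative"


def audit_manifest(manifest_xml: str) -> list[tuple[str, str, str]]:
    """Return (file name, loadFrom, classification) for every <file>
    element whose loadFrom target is UNC, absolute, or escapes upward."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for f in root.iter(f"{{{ASM_NS}}}file"):
        load_from = f.get("loadFrom")
        if load_from is None:
            continue  # plain side-by-side file entry, no redirection
        cls = classify_path(load_from)
        if cls in SUSPICIOUS:
            findings.append((f.get("name", ""), load_from, cls))
    return findings


def audit_import_names(names: list[str]) -> list[tuple[str, str]]:
    """Flag IMPORT-directory or forwarded-EXPORT module names that carry a
    path component; a normal import is a bare module name."""
    return [(n, classify_path(n)) for n in names if classify_path(n) != "bare"]


def dot_local_redirect(exe_path: str) -> tuple[str, bool]:
    """Return the <program>.local entry the loader consults beside an
    executable and whether it exists (a file, directory, junction or link)."""
    candidate = exe_path + ".local"
    return candidate, os.path.lexists(candidate)


# Constructed sample manifest (hypothetical application "example.app").
SAMPLE_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="example.app" version="1.0.0.0" type="win32"/>
  <file name="helper.dll" loadFrom="lib\\helper.dll"/>
  <file name="codec.dll" loadFrom="\\\\fileserver\\share\\codec"/>
  <file name="util.dll" loadFrom="..\\..\\Temp\\util"/>
  <file name="local.dll"/>
</assembly>
"""

# Constructed sample of module names as they might appear in an IMPORT directory.
SAMPLE_IMPORTS = ["KERNEL32.dll", "plugins\\helper.dll", "\\\\srv\\share\\x.dll"]

if __name__ == "__main__":
    for name, target, cls in audit_manifest(SAMPLE_MANIFEST):
        print(f"manifest: {name} loadFrom={target!r} [{cls}]")
    for name, cls in audit_import_names(SAMPLE_IMPORTS):
        print(f"import:   {name!r} [{cls}]")
    print("dot-local:", dot_local_redirect(r"C:\Program Files\Example\example.exe"))
```

Run against a real manifest (extracted from the RT_MANIFEST resource or read from the external <code>program.exe.manifest</code>) and the import list produced by any PE parser; the classification that matters in an allow-listing or integrity baseline is anything other than <code>bare</code> for imports and anything in <code>SUSPICIOUS</code> for manifests, since a legitimately packaged application rarely needs either.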

Adversaries may use this functionality as a way to execute arbitrary code on a victim system. For example, malware may execute shared modules to load additional components or features.


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| CM-2 | Baseline Configuration | Protects | T1129 | Shared Modules |
| CM-7 | Least Functionality | Protects | T1129 | Shared Modules |
| SI-10 | Information Input Validation | Protects | T1129 | Shared Modules |
| SI-4 | System Monitoring | Protects | T1129 | Shared Modules |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1129 | Shared Modules |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1129 | Shared Modules |