T1574.002 DLL Side-Loading Mappings

Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).

Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
SA-10 Developer Configuration Management Protects T1574.002 DLL Side-Loading
SA-11 Developer Testing and Evaluation Protects T1574.002 DLL Side-Loading
SA-15 Development Process, Standards, and Tools Protects T1574.002 DLL Side-Loading
SA-16 Developer-provided Training Protects T1574.002 DLL Side-Loading
SA-17 Developer Security and Privacy Architecture and Design Protects T1574.002 DLL Side-Loading
SA-3 System Development Life Cycle Protects T1574.002 DLL Side-Loading
SA-4 Acquisition Process Protects T1574.002 DLL Side-Loading
SA-8 Security and Privacy Engineering Principles Protects T1574.002 DLL Side-Loading
SI-2 Flaw Remediation Protects T1574.002 DLL Side-Loading
CVE-2010-1592 n/a uncategorized T1574.002 DLL Side-Loading
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1574.002 Hijack Execution Flow: DLL Side-Loading
action.hacking.variety.Exploit vuln Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. related-to T1574.002 Hijack Execution Flow: DLL Side-Loading
action.hacking.variety.Unknown Unknown related-to T1574.002 Hijack Execution Flow: DLL Side-Loading