Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading)
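The co-location the paragraph above describes gives defenders a concrete thing to look for: because the loader searches an application's own directory before the system directories (KnownDLLs excepted), a DLL that sits next to an executable and carries the same file name as a DLL in the system directory is exactly the shape side-loading takes on disk. The script below is an added example, not code from ATT&CK or the cited FireEye report; it indexes the DLL names found in a system directory, walks application directories, and reports every DLL that would shadow a system DLL for an executable beside it. The `demo()` function builds a constructed directory tree under a temporary path (the file and directory names in it, `libexample.dll`, `ExampleApp.exe`, `vendor.dll`, are made up for the example and are not real system or vendor DLLs), so it runs offline on any platform.

```python
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    """A DLL placed beside an executable that shares its name with a system DLL."""
    exe: Path       # executable that would load the DLL from its own directory
    dll: Path       # the co-located DLL
    shadows: Path   # the system DLL of the same name that it would take precedence over


def index_system_dlls(system_dirs: Iterable[Path]) -> dict[str, Path]:
    """Map lower-cased DLL file names to their path under the system directories.
    Windows file names are case-insensitive, so matching is done on the lowered name."""
    index: dict[str, Path] = {}
    for sys_dir in system_dirs:
        if not sys_dir.is_dir():
            continue
        for entry in sys_dir.iterdir():
            if entry.is_file() and entry.suffix.lower() == ".dll":
                index.setdefault(entry.name.lower(), entry)
    return index


def find_sideload_candidates(roots: Iterable[Path], system_dirs: Iterable[Path]) -> list[Finding]:
    """Walk the given roots and report DLLs co-located with an executable that
    would shadow a system DLL of the same name when that executable loads it."""
    system_dirs = [Path(d).resolve() for d in system_dirs]
    index = index_system_dlls(system_dirs)
    findings: list[Finding] = []
    for root in roots:
        for dirpath, _subdirs, files in os.walk(root):
            directory = Path(dirpath).resolve()
            # The system directories themselves are the legitimate home of these DLLs.
            if any(directory == d or d in directory.parents for d in system_dirs):
                continue
            exes = sorted(f for f in files if f.lower().endswith(".exe"))
            if not exes:
                continue  # a shadow DLL with nothing beside it to load it is not side-loading
            for name in sorted(files):
                shadowed = index.get(name.lower())
                if shadowed is None:
                    continue
                for exe in exes:
                    findings.append(Finding(directory / exe, directory / name, shadowed))
    return findings


def demo() -> list[Finding]:
    """Build a constructed directory tree and run the check over it. Every name
    here is made up for the example; none is a real vendor or system DLL."""
    base = Path(tempfile.mkdtemp(prefix="sideload-demo-"))
    sys_dir = base / "system32"                      # stands in for %SystemRoot%\System32
    app_dir = base / "Program Files" / "ExampleApp"  # a normal application directory
    orphan_dir = base / "Downloads"                  # shadow DLL present, but no executable beside it
    for d in (sys_dir, app_dir, orphan_dir):
        d.mkdir(parents=True)
    (sys_dir / "libexample.dll").write_bytes(b"MZ-constructed-system-copy")
    (app_dir / "ExampleApp.exe").write_bytes(b"MZ-constructed-host-program")
    (app_dir / "libexample.dll").write_bytes(b"MZ-constructed-colocated-copy")  # flagged: shadows system32 copy
    (app_dir / "vendor.dll").write_bytes(b"MZ-constructed-vendor-library")      # not flagged: no system DLL of that name
    (orphan_dir / "libexample.dll").write_bytes(b"MZ-constructed-orphan")       # not flagged: no .exe beside it
    return find_sideload_candidates([base], [sys_dir])


if __name__ == "__main__":
    for f in demo():
        print(f"{f.exe} would load {f.dll.name} from its own directory, shadowing {f.shadows}")
```

On a real host you would point `roots` at directories where users or installers can write and `system_dirs` at `%SystemRoot%\System32` (and `SysWOW64`). Name shadowing is a heuristic, not proof: legitimate software does ship private copies of some DLLs, so each finding should be followed up by checking whether the co-located DLL carries a valid Authenticode signature from the same publisher as the executable beside it, a check this offline example deliberately leaves out.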
NIST SP 800-53 controls mapped to this technique:

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
SA-10 | Developer Configuration Management | Protects | T1574.002 | DLL Side-Loading | |
SA-11 | Developer Testing and Evaluation | Protects | T1574.002 | DLL Side-Loading | |
SA-15 | Development Process, Standards, and Tools | Protects | T1574.002 | DLL Side-Loading | |
SA-16 | Developer-provided Training | Protects | T1574.002 | DLL Side-Loading | |
SA-17 | Developer Security and Privacy Architecture and Design | Protects | T1574.002 | DLL Side-Loading | |
SA-3 | System Development Life Cycle | Protects | T1574.002 | DLL Side-Loading | |
SA-4 | Acquisition Process | Protects | T1574.002 | DLL Side-Loading | |
SA-8 | Security and Privacy Engineering Principles | Protects | T1574.002 | DLL Side-Loading | |
SI-2 | Flaw Remediation | Protects | T1574.002 | DLL Side-Loading | |

VERIS enumerations mapped to this technique:

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1574.002 | Hijack Execution Flow: DLL Side-Loading | |
action.hacking.variety.Exploit vuln | Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. | related-to | T1574.002 | Hijack Execution Flow: DLL Side-Loading | |
action.hacking.variety.Unknown | Unknown | related-to | T1574.002 | Hijack Execution Flow: DLL Side-Loading | |