T1129: Shared Modules
Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API).
Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective.
The Linux and macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in dlfcn.h, in functions such as dlopen and dlsym. Although macOS can execute .so files, common practice uses .dylib files.
The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API, which is called from functions like LoadLibrary at run time.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_execution: PT-CR-646: Run_Malicious_Msbuild_Project: An attempt to load a .NET assembly at the path with the microsoft.build mask is detected
mitre_attck_execution: PT-CR-644: Powershell_Library_Loaded_Into_Process: A process started loading a PowerShell environment into its address space
mitre_attck_execution: PT-CR-1751: Image_Loaded_From_External_Location: A process downloaded an image of an executable file from a remote host
mitre_attck_execution: PT-CR-642: DLL_Load_From_NET_Assembly: A process used a DLL from C:\windows\assembly
mitre_attck_defense_evasion: PT-CR-1207: DirtyVanity_Process_Injection: An attempt to bypass EDR using the Dirty Vanity utility is detected
mitre_attck_defense_evasion: PT-CR-933: Malicious_Activity_From_Office_Documents: The following suspicious activity of office programs is detected: creating executables, changing registry keys, loading the DLL of an Internet Explorer COM object, creating threads in other processes' address space
mitre_attck_cred_access: PT-CR-303: Comsvcs_Minidump_Usage: A user dumped the lsass process with comsvcs.dll
mitre_attck_cred_access: PT-CR-299: LAPS_Enumeration: Search for users, groups, and computers with access to Microsoft LAPS (Local Administrator Password Solution). LAPS automatically manages the local administrator account password and backs up this password on devices connected to Active Directory services.
hacking_tools: PT-CR-1726: Havoc_Powerpick: A suspicious process infiltrated the werfault.exe process, which may indicate the use of the Havoc software that allows PowerShell commands to be executed covertly
hacking_tools: PT-CR-755: Cobalt_Strike_Stager: Possible startup of a Cobalt Strike stager
hacking_tools: PT-CR-756: DSInternals_Usage: Execution of a potentially malicious PowerShell cmdlet from the DSInternals module is detected
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0009 | Process: OS API Execution | Monitor for API calls that may execute malicious payloads via loading shared modules. |
| DS0011 | Module: Module Load | Monitoring module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of shared module load functions is common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled, or system modules, so deviation from known module loads may be suspicious. Limiting module loads to trusted directories, such as |
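The DS0011 guidance above (flag module loads that deviate from trusted directories, and treat UNC network paths as notable) can be turned into a small triage routine. This is an added example, not code from MITRE or Positive Technologies; the record format, the trusted-directory allow-list and the sample events are all constructed assumptions.

```python
import ntpath
import re
from dataclasses import dataclass

# Assumed allow-list of directories from which routine, bundled or system
# modules are expected to load; tune to the environment's own baseline.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\windows\winsxs", r"c:\program files")
# User-writable locations that legitimate software rarely loads modules from.
SUSPICIOUS_DIRS = (r"\appdata\local\temp", r"\downloads", r"c:\users\public")


@dataclass
class ImageLoad:
    process: str
    image: str
    signed: bool


def parse_event(line):
    """Parse a constructed, Sysmon-style (Event ID 7) image-load record."""
    fields = dict(re.findall(r"(\w+)=([^|]+)", line))
    return ImageLoad(process=fields["Image"].strip(),
                     image=fields["ImageLoaded"].strip(),
                     signed=fields["Signed"].strip().lower() == "true")


def classify(ev):
    """Return the reasons this module load deviates from the trusted baseline."""
    path = ntpath.normpath(ev.image).lower()  # normpath keeps the \\ UNC prefix
    reasons = []
    if path.startswith("\\\\"):
        reasons.append("module loaded from UNC network path")
    elif not path.startswith(TRUSTED_DIRS):
        reasons.append("module outside trusted directories")
    if any(d in path for d in SUSPICIOUS_DIRS):
        reasons.append("module in user-writable location")
    if not ev.signed:
        reasons.append("module unsigned")
    return reasons


def triage(lines):
    """Map each flagged module path to its reasons; baseline loads are dropped."""
    findings = {}
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            findings[ev.image] = reasons
    return findings


# Constructed sample events, not real telemetry.
SAMPLE = [
    "Image=C:\\Windows\\explorer.exe|ImageLoaded=C:\\Windows\\System32\\shell32.dll|Signed=true",
    "Image=C:\\Users\\bob\\app.exe|ImageLoaded=\\\\fileshare\\pub\\helper.dll|Signed=false",
    "Image=C:\\Windows\\System32\\rundll32.exe|ImageLoaded=C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll|Signed=false",
]
```

Only the two loads that leave the trusted-directory baseline are reported; the routine system DLL load produces no finding, which is the noise reduction the description asks for.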
Mitigation
| ID | Name | Description |
|---|---|---|
| M1038 | Execution Prevention | Identify and block potentially malicious software executed through this technique by using application control tools capable of preventing unknown modules from being loaded. |