T1574.002: DLL Side-Loading
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program and then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting and then invoking a legitimate application that executes their payload(s).
Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_command_and_control: PT-CR-611: Suspicious_Connection_after_Imageload: A process opened a network connection after loading a library
mitre_attck_defense_evasion: PT-CR-1941: DLL_Side_Loading: Attackers can run malicious code by placing their library next to a legitimate application that will load it at startup
mitre_attck_defense_evasion: PT-CR-1942: Subrule_DLL_Side_Loading: Attackers can run malicious code by placing their library next to a legitimate application that will load it at startup
mitre_attck_privilege_escalation: PT-CR-460: DLL_Hijacking: An attempt to elevate account privileges by loading a malicious library is detected
Detection
ID | Data source and component | Description
---|---|---
DS0011 | Module: Module Load | Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.
DS0009 | Process: Process Creation | Monitor newly constructed processes for unusual activity (e.g., a process that does not use the network begins to do so) as well as the introduction of new files/programs.
DS0022 | File: File Modification | Monitor for changes made to files for unexpected modifications to access permissions and attributes.
DS0022 | File: File Creation | Monitor for newly constructed files in common folders on the computer system.
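The two detection ideas above (a module load that does not look normal for the process, and a process that starts using the network right after such a load, the pattern behind PT-CR-1941/1942 and PT-CR-611) can be expressed as a small correlation over endpoint telemetry. The following is an added example written for this page; it is not code from Positive Technologies, MaxPatrol SIEM or MITRE. It assumes Sysmon-style records (Event ID 7 = image load, Event ID 3 = network connection), a constructed shortlist of DLL names that legitimately live in the Windows system directories, a constructed 60-second correlation window, and constructed sample events; the rule it applies is: flag a DLL whose name matches a system DLL but is loaded from the executable's own directory, then flag a network connection by that process within the window.

```python
"""Side-loading detector over constructed Sysmon-style events (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed subset of DLL names that normally live in the Windows system
# directories; in production this would come from an inventory of the golden image.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
NETWORK_WINDOW = timedelta(seconds=60)   # assumed correlation window


@dataclass
class Event:
    ts: datetime
    event_id: int            # Sysmon IDs: 7 = image load, 3 = network connection
    pid: int
    image: str               # full path of the loading / connecting process
    image_loaded: str = ""   # event 7 only
    signed: bool = True      # Sysmon "Signed" field, event 7 only
    dest_ip: str = ""        # event 3 only


def is_side_load_candidate(ev: Event) -> bool:
    """Event 7 where a system-named DLL is loaded from the process's own folder."""
    if ev.event_id != 7:
        return False
    dll = PureWindowsPath(ev.image_loaded)
    exe_dir = PureWindowsPath(ev.image).parent
    loaded_from_system = str(dll.parent).lower() in SYSTEM_DIRS
    # PureWindowsPath compares case-insensitively, as the Windows loader does.
    return (dll.name.lower() in SYSTEM_DLL_NAMES
            and not loaded_from_system
            and dll.parent == exe_dir)


def detect(events: list[Event]) -> list[str]:
    """Return one finding string per flagged event, in time order."""
    findings: list[str] = []
    suspicious_loads: dict[int, Event] = {}   # pid -> most recent suspicious load
    for ev in sorted(events, key=lambda e: e.ts):
        if is_side_load_candidate(ev):
            suspicious_loads[ev.pid] = ev
            findings.append(
                f"SIDE_LOAD pid={ev.pid} {PureWindowsPath(ev.image).name} "
                f"loaded {ev.image_loaded} (signed={ev.signed})")
        elif ev.event_id == 3 and ev.pid in suspicious_loads:
            load = suspicious_loads[ev.pid]
            delta = ev.ts - load.ts
            if delta <= NETWORK_WINDOW:
                findings.append(
                    f"NET_AFTER_LOAD pid={ev.pid} connected to {ev.dest_ip} "
                    f"{delta.seconds}s after loading {load.image_loaded}")
    return findings


# Constructed sample telemetry (not real events).
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    # Benign: explorer loads version.dll from System32.
    Event(T0, 7, 100, r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\version.dll", True),
    # Suspicious: a tool in a user-writable folder loads a same-named DLL from its own folder.
    Event(T0 + timedelta(seconds=5), 7, 200, r"C:\Users\Public\upd\vendortool.exe",
          r"C:\Users\Public\upd\version.dll", False),
    # ...and that process opens a network connection 20 seconds later.
    Event(T0 + timedelta(seconds=25), 3, 200, r"C:\Users\Public\upd\vendortool.exe",
          dest_ip="203.0.113.10"),
    # Unrelated process connecting out: no prior suspicious load, not flagged.
    Event(T0 + timedelta(seconds=30), 3, 100, r"C:\Windows\explorer.exe",
          dest_ip="198.51.100.7"),
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Running the block prints two findings for pid 200 (the side-load itself, then the network connection 20 seconds later) and nothing for explorer.exe, whose version.dll came from System32. The directory comparison is the core check: the same DLL name is benign or suspicious purely depending on whether it was resolved from the system directory or from next to the executable, which is exactly what the search-order abuse described above relies on.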
Mitigation
ID | Name | Description
---|---|---
M1051 | Update Software | Update software regularly to include patches that fix DLL side-loading vulnerabilities.
M1013 | Application Developer Guidance | When possible, include hash values in manifest files to help prevent side-loading of malicious libraries.