| ID | Sub-technique |
|---|---|
| T1574.001 | DLL Search Order Hijacking |
| T1574.005 | Executable Installer File Permissions Weakness |
| T1574.006 | Dynamic Linker Hijacking |
| T1574.007 | Path Interception by PATH Environment Variable |
| T1574.008 | Path Interception by Search Order Hijacking |
| T1574.009 | Path Interception by Unquoted Path |
| T1574.010 | Services File Permissions Weakness |
| T1574.011 | Services Registry Permissions Weakness |
Adversaries may execute their own malicious payloads by side-loading DLLs. Like DLL Search Order Hijacking, side-loading hijacks which DLL a program loads. But rather than planting a DLL somewhere in a program's search order and waiting for the victim application to be invoked, the adversary supplies both halves: they drop a legitimate application together with the malicious DLL and then launch the application themselves, so that it loads and executes their payload(s).
Side-loading takes advantage of the DLL search order used by the loader by positioning the victim application and the malicious payload(s) alongside each other; because the loader checks the application's own directory before the system directories, a DLL planted next to the executable wins the lookup for any library name the executable imports from elsewhere. Adversaries likely use side-loading to mask the actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery or execution, and the adversary payload may be encrypted, packed, or otherwise obfuscated until it is loaded into the memory of the trusted process.
APT32 ran legitimately signed executables from Symantec and McAfee that load a malicious DLL. The group also side-loads its backdoor by dropping a library next to a legitimate, signed executable (AcroTranscoder).
During installation, T9000 drops a copy of the legitimate Microsoft binary igfxtray.exe; the executable contains a side-loading weakness that is used to load a portion of the malware.
| ID | Mitigation | Description |
|---|---|---|
| M1013 | Application Developer Guidance | When possible, include hash values in manifest files to help prevent side-loading of malicious libraries. Update software regularly to include patches that fix DLL side-loading vulnerabilities. |
Monitor processes for unusual activity (e.g., a process that does not normally use the network begins to do so) as well as the introduction of new files and programs. Track DLL metadata, such as the file hash and the directory the library was resolved from, and compare the DLLs loaded at process execution time against previous executions of the same program to detect differences that do not correlate with patching or updates.
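The following is an added example, not part of the ATT&CK page, showing the comparison described above in working code: a baseline of which DLLs a program loaded (and from where, with which hash) during trusted runs is built, then later image-load records are checked against it. It also exercises the search-order point made earlier: a library that used to resolve from System32 but now resolves from the application's own directory is the fingerprint of a planted DLL. The records mirror the fields of Sysmon Event ID 7 (Image loaded); the program name `tool.exe`, the paths and the hash strings are all constructed for the example, and the severity labels are this example's own convention.

```python
"""Flag DLL loads that look like side-loading by comparing them with a
baseline of earlier, trusted executions of the same program.
Record fields mirror Sysmon Event ID 7 (Image loaded). All sample data
below is constructed for this example."""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageLoad:
    process: str   # path of the process image (Sysmon "Image")
    dll: str       # path of the loaded library (Sysmon "ImageLoaded")
    sha256: str    # taken from the Sysmon "Hashes" field
    signed: bool   # Sysmon "Signed" == "true"


def _split(path):
    """Lower-cased (directory, file name) of a Windows path."""
    p = path.lower()
    return ntpath.dirname(p), ntpath.basename(p)


def build_baseline(events):
    """Map (exe name, dll name) -> set of (dll directory, sha256) observed in
    executions known to be clean, e.g. on a freshly installed gold image."""
    baseline = {}
    for e in events:
        _, exe = _split(e.process)
        dll_dir, dll = _split(e.dll)
        baseline.setdefault((exe, dll), set()).add((dll_dir, e.sha256))
    return baseline


def find_sideload_candidates(baseline, events):
    """Return [(event, severity, reason)] for loads that deviate from the baseline."""
    findings = []
    for e in events:
        exe_dir, exe = _split(e.process)
        dll_dir, dll = _split(e.dll)
        known = baseline.get((exe, dll))
        if known is None:
            # This program never loaded a DLL of this name before. An unsigned
            # DLL sitting next to the binary is the classic side-loading layout.
            if dll_dir == exe_dir and not e.signed:
                findings.append((e, "high",
                    "unsigned DLL loaded from the executable's own directory, not in baseline"))
            continue
        if (dll_dir, e.sha256) in known:
            continue  # identical to an earlier trusted run
        known_dirs = {d for d, _ in known}
        if dll_dir not in known_dirs:
            # Same DLL name, resolved from a new location (e.g. the application
            # folder instead of System32): a planted copy won the search order.
            findings.append((e, "high",
                f"{dll} resolved from {dll_dir} instead of {sorted(known_dirs)}"))
        elif e.signed:
            # Same location, new hash, still signed: usually a patch. Correlate
            # with change records before dismissing.
            findings.append((e, "low", "hash changed in place; correlate with patching"))
        else:
            findings.append((e, "high", "hash changed in place and file is now unsigned"))
    return findings


# Constructed baseline: the vendor tool running on a clean host.
BASELINE_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\tool.exe", r"C:\Windows\System32\version.dll", "aaaa", True),
    ImageLoad(r"C:\Program Files\Vendor\tool.exe", r"C:\Program Files\Vendor\helper.dll", "bbbb", True),
]

# Constructed observations from a suspect host.
OBSERVED_EVENTS = [
    # signed tool.exe copied to a temp folder with a fake version.dll beside it
    ImageLoad(r"C:\Users\u\AppData\Local\Temp\tool.exe",
              r"C:\Users\u\AppData\Local\Temp\version.dll", "cccc", False),
    # helper.dll replaced in place by a signed vendor update
    ImageLoad(r"C:\Program Files\Vendor\tool.exe", r"C:\Program Files\Vendor\helper.dll", "dddd", True),
    # a DLL the tool never loaded before, unsigned, next to the binary
    ImageLoad(r"C:\Program Files\Vendor\tool.exe", r"C:\Program Files\Vendor\uxtheme.dll", "eeee", False),
    # unchanged load, should not be reported
    ImageLoad(r"C:\Program Files\Vendor\tool.exe", r"C:\Windows\System32\version.dll", "aaaa", True),
]


def run_example():
    return find_sideload_candidates(build_baseline(BASELINE_EVENTS), OBSERVED_EVENTS)


if __name__ == "__main__":
    for ev, sev, why in run_example():
        print(f"[{sev}] {ev.process} -> {ev.dll}: {why}")
```

Run as a script it reports three of the four observed loads: the relocated `version.dll` and the new unsigned `uxtheme.dll` as high, the in-place signed change to `helper.dll` as low. The baseline is keyed on file names rather than full paths deliberately, so that the same signed executable launched from a different directory (as APT32 and T9000 do) is still compared against what the legitimate install loaded.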