DLL Side-Loading - T1574.002
(ATT&CK® Technique)
Definition
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
D3FEND Inferred Relationships
Relationships in the D3FEND knowledge graph, where solid edges relate a technique to the artifact and dashed edges are the inferred relationships to the offensive technique:

Offensive technique and artifact
DLL Side-Loading (T1574.002) --may-create--> Shared Library File
DLL Side-Loading (T1574.002) --may-modify--> Shared Library File

Defensive techniques, artifact, and inferred relationship
Restore File --restores--> Shared Library File; Restore File -.may-restore.-> DLL Side-Loading
Local File Permissions --restricts--> Shared Library File; Local File Permissions -.may-isolate.-> DLL Side-Loading
Decoy File --spoofs--> Shared Library File; Decoy File -.may-deceive.-> DLL Side-Loading
File Integrity Monitoring --analyzes--> Shared Library File; File Integrity Monitoring -.may-detect.-> DLL Side-Loading
File Eviction --deletes--> Shared Library File; File Eviction -.may-evict.-> DLL Side-Loading
File Encryption --encrypts--> Shared Library File; File Encryption -.may-harden.-> DLL Side-Loading
File Analysis --analyzes--> Shared Library File; File Analysis -.may-detect.-> DLL Side-Loading
Remote File Access Mediation --isolates--> Shared Library File; Remote File Access Mediation -.may-isolate.-> DLL Side-Loading