CAPEC-641 Detail
DLL Side-Loading
Detailed | Software | Likelihood: Low | Typical Severity: High
Parents: 159
Threats: T79 T287 T337 T391 T406
An adversary places a malicious version of a Dynamic-Link Library (DLL) in the Windows Side-by-Side (WinSxS) directory to trick the operating system into loading it instead of the legitimate DLL. Programs specify the location of the DLLs they load through WinSxS manifests or DLL redirection; if neither is used, Windows searches a predefined set of directories to locate the file. If an application improperly specifies a required DLL, or its WinSxS manifest is not explicit about the characteristics of the DLL to be loaded, the application can be vulnerable to side-loading.
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-641 | capec | https://capec.mitre.org/data/definitions/641.html | |
| CWE-706 | cwe | http://cwe.mitre.org/data/definitions/706.html | |
| T1574.002 | ATTACK | https://attack.mitre.org/wiki/Technique/T1574/002 | Hijack Execution Flow: DLL Side-Loading |
| REF-501 | reference_from_CAPEC | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf | Stewart A., DLL SIDE-LOADING: A Thorn in the Side of the Anti-Virus Industry, FireEye |
- The target must fail to verify the integrity of the DLL before using it.
| High |
|---|
| Trick the operating system into loading a malicious DLL instead of a legitimate DLL. |
| Integrity |
|---|
| Execute Unauthorized Commands |
| Bypass Protection Mechanism |