# T1574.001 DLL Search Order Hijacking

-----------------------------------------------------------------------

## Technique Description

Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows uses a common, documented sequence of directories to locate the DLLs a program requires.(Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may serve to establish persistence, elevate privileges, and/or evade restrictions on file execution.

There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that is searched before the location of the legitimate library a program will request, causing Windows to load the malicious library when the victim program calls for it. Adversaries may also perform DLL preloading, also called binary planting,(Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as a DLL the program requests by bare name rather than by full path in a location that Windows searches before the legitimate copy. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL.(Citation: Microsoft Security Advisory 2269637)
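To make the search order described above concrete, here is an added example (not code from the ATT&CK page or from Microsoft) that models the loader's directory walk for a DLL requested by bare name and reports where a same-named file could be planted so that it wins. It is a simplified model: it covers KnownDLLs, SafeDllSearchMode and the per-directory order, but not manifests, `.local` redirection or DLLs already loaded in the process. The application directory, working directory, PATH entries, file listing and writable-directory set are all constructed. The `missing.dll` case goes beyond the text: a DLL the program asks for that exists nowhere on the system is hijackable from any writable directory in the order, not only from those searched before System32.

```python
"""Model of the Windows DLL search order, used to find hijackable DLL loads.

This is an added example, not code from the ATT&CK page or from Microsoft.
The file system, the KnownDLLs subset and the set of writable directories
are constructed inline so the script runs offline on any platform.
"""

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"  # 16-bit system directory
WINDIR = r"C:\Windows"

# Subset of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
# KnownDLLs are mapped from System32 before any directory search, so a
# same-named file planted elsewhere is never considered for them.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir, cwd, path_dirs, safe_dll_search_mode=True):
    """Directories the loader walks, in order, for a DLL requested by bare name.

    With SafeDllSearchMode on (the default), the current directory is searched
    only after the system directories. With it off, the current directory comes
    right after the application directory, which is what lets CWD and remote
    (UNC share) preloading beat a legitimate copy in System32.
    """
    if safe_dll_search_mode:
        order = [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd]
    else:
        order = [app_dir, cwd, SYSTEM32, SYSTEM16, WINDIR]
    return order + list(path_dirs)


def resolve(dll_name, existing_files, app_dir, cwd, path_dirs, safe_dll_search_mode=True):
    """Path the loader would pick for dll_name, or None if no copy exists."""
    name = dll_name.lower()
    if name in KNOWN_DLLS:
        return f"{SYSTEM32}\\{name}"
    present = {p.lower() for p in existing_files}
    for directory in search_order(app_dir, cwd, path_dirs, safe_dll_search_mode):
        candidate = f"{directory}\\{name}"
        if candidate.lower() in present:
            return candidate
    return None


def hijack_opportunities(dll_name, existing_files, writable_dirs,
                         app_dir, cwd, path_dirs, safe_dll_search_mode=True):
    """Directories where planting a file named dll_name would win the search.

    A plant wins when its directory is searched before the one holding the
    legitimate copy. If no copy exists anywhere (a "phantom" DLL the program
    asks for anyway), every writable directory in the search order wins.
    """
    name = dll_name.lower()
    if name in KNOWN_DLLS:
        return []
    order = search_order(app_dir, cwd, path_dirs, safe_dll_search_mode)
    legit = resolve(name, existing_files, app_dir, cwd, path_dirs, safe_dll_search_mode)
    searched_first = order if legit is None else order[:order.index(legit.rsplit("\\", 1)[0])]
    writable = {d.lower() for d in writable_dirs}
    return [d for d in searched_first if d.lower() in writable]


# Constructed scenario: a tool installed under the user's profile (so its
# directory is writable) that was launched with a file share as its CWD.
APP_DIR = r"C:\Users\alice\Tools\Viewer"
CWD = r"\\fileserver\public"
WINDOWSAPPS = r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps"
PATH_DIRS = [SYSTEM32, WINDOWSAPPS]
FILES = {
    APP_DIR + r"\viewer.exe",
    SYSTEM32 + r"\version.dll",
    SYSTEM32 + r"\kernel32.dll",
}
WRITABLE = {APP_DIR, CWD, WINDOWSAPPS}


def audit(dll_names, safe_dll_search_mode=True):
    """Map each requested DLL to the directories where it could be hijacked."""
    return {name: hijack_opportunities(name, FILES, WRITABLE, APP_DIR, CWD,
                                       PATH_DIRS, safe_dll_search_mode)
            for name in dll_names}


if __name__ == "__main__":
    for mode in (True, False):
        print(f"SafeDllSearchMode={'on' if mode else 'off'}")
        for dll, dirs in audit(["kernel32.dll", "version.dll", "missing.dll"], mode).items():
            print(f"  {dll:<14} {dirs or 'not hijackable'}")
```

Running it shows `kernel32.dll` as not hijackable in either mode, `version.dll` hijackable only from the application directory with SafeDllSearchMode on and additionally from the share with it off, and `missing.dll` hijackable from every writable directory including the PATH entry.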

Adversaries may also directly modify the search order via DLL redirection, which once enabled (through a Registry setting together with a `.local` redirection file or application manifest placed alongside the executable) can cause a program to load a different DLL than the one it would otherwise find.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)

If a program vulnerable to search-order hijacking is configured to run at a higher privilege level, the adversary-controlled DLL it loads also executes at that level. The technique can then be used for privilege escalation from user to administrator or SYSTEM, or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because the malicious DLL can itself load the legitimate DLL it replaced and forward calls to it.

## Technique Detection

Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs loaded by a process (compared with its past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process (for example, Sysmon Event ID 7) and flag DLLs that have the same file name as a system library but an abnormal path, such as the application directory or a user-writable location. Modifications to or creation of `.manifest` and `.local` redirection files that do not correlate with software updates are suspicious.
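As an added example (not from the ATT&CK page or from any vendor), the following Python implements the signals above over constructed Sysmon-style events: a system DLL name loaded from an abnormal path, an unsigned DLL loaded from a user-writable location, a module a process has never loaded before (judged against a baseline learned from a clean run), and creation of a `.exe.local` or `.manifest` redirection file. The event lines, the short list of system DLL names and the writable-path hints are constructed for the demonstration; a real deployment would read Sysmon Event ID 7 and Event ID 11 records from the Windows event log or a SIEM.

```python
"""Detection logic for DLL search-order hijacking over Sysmon-style events.

This is an added example, not code from the ATT&CK page or from any vendor.
The events below are constructed to mimic the fields of Sysmon Event ID 7
(Image loaded) and Event ID 11 (File created), flattened to one
"key=value|key=value" line each.
"""

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

# DLL names that, on a clean host, exist only under the system directories.
# Constructed short list; seed it from a known-good host in practice.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptsp.dll", "wlbsctrl.dll",
                    "fxsst.dll", "ntshrui.dll"}

# Substrings that mark locations a standard user can usually write to.
USER_WRITABLE_HINTS = ("c:\\users\\", "c:\\programdata\\", "\\temp\\", "\\\\")

# Files whose creation switches on DLL redirection for an application.
REDIRECTION_SUFFIXES = (".exe.local", ".manifest")


def parse_event(line):
    """Turn one constructed 'EventID=7|Image=...|ImageLoaded=...' line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def split_path(path):
    """Return (directory, file name), both lower-cased, for a Windows path."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


class DllLoadDetector:
    """Flags module loads and file creations that match the detection guidance."""

    def __init__(self):
        # process image -> set of (dll directory, dll name) it is known to load
        self.baseline = {}

    def learn(self, lines):
        """Record the modules each process loads during a known-clean run."""
        for ev in map(parse_event, lines):
            if ev["EventID"] == "7":
                self.baseline.setdefault(ev["Image"].lower(), set()).add(
                    split_path(ev["ImageLoaded"]))

    def check(self, line):
        """Return the reasons the event is suspicious (empty list if none)."""
        ev = parse_event(line)
        if ev["EventID"] == "7":
            return self._image_load(ev)
        if ev["EventID"] == "11":
            return self._file_create(ev)
        return []

    def _image_load(self, ev):
        reasons = []
        image = ev["Image"].lower()
        dll_dir, dll_name = split_path(ev["ImageLoaded"])
        # Same file name as a system DLL, but loaded from an abnormal path.
        if dll_name in SYSTEM_DLL_NAMES and dll_dir not in SYSTEM_DIRS:
            reasons.append(f"{dll_name} loaded from {dll_dir} instead of a system directory")
        # Unsigned code loaded from somewhere a standard user could have planted it.
        if ev.get("Signed", "").lower() == "false" and any(
                hint in dll_dir + "\\" for hint in USER_WRITABLE_HINTS):
            reasons.append(f"unsigned DLL loaded from user-writable path {ev['ImageLoaded']}")
        # A module this process has never loaded before (only if we have a baseline).
        known = self.baseline.get(image)
        if known is not None and (dll_dir, dll_name) not in known:
            reasons.append(f"{dll_name} is new relative to the module baseline of {image}")
        return reasons

    def _file_create(self, ev):
        target = ev["TargetFilename"]
        if target.lower().endswith(REDIRECTION_SUFFIXES):
            return [f"DLL redirection file {target} created by {ev['Image']}"]
        return []


# Constructed clean run used to build the baseline.
BASELINE_LINES = [
    r"EventID=7|Image=C:\Program Files\Vendor\Viewer.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true",
    r"EventID=7|Image=C:\Program Files\Vendor\Viewer.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true",
]

# Constructed events to scan: one benign load, two planted DLLs, one redirection file.
EVENT_LINES = [
    r"EventID=7|Image=C:\Program Files\Vendor\Viewer.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true",
    r"EventID=7|Image=C:\Program Files\Vendor\Viewer.exe|ImageLoaded=C:\Program Files\Vendor\version.dll|Signed=false",
    r"EventID=7|Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\wlbsctrl.dll|Signed=false",
    r"EventID=11|Image=C:\Users\alice\AppData\Local\Temp\setup.exe|TargetFilename=C:\Program Files\Vendor\Viewer.exe.local",
]


def scan(baseline_lines, event_lines):
    """Learn from baseline_lines, then return {event line: reasons} for flagged events."""
    detector = DllLoadDetector()
    detector.learn(baseline_lines)
    return {line: reasons for line in event_lines if (reasons := detector.check(line))}


if __name__ == "__main__":
    for line, reasons in scan(BASELINE_LINES, EVENT_LINES).items():
        print(line)
        for reason in reasons:
            print("   ", reason)
```

The baseline check is the one that needs care in production: learn it from a clean host or a quiet period per process image, and re-learn after patches, or every legitimate update will page the on-call.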

-----------------------------------------------------------------------

### Tactics:

  * Persistence

  * Privilege-Escalation

  * Defense-Evasion

### Platforms:

  * Windows

### Data Sources:

  * **Module:** Module Load

  * **File:** File Creation

  * **File:** File Modification

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) has used DLL search-order hijacking to load `exe`, `dll`, and `dat` files into memory.(Citation: CrowdStrike AQUATIC PANDA December 2021)| 
| BackdoorDiplomacy | [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has executed DLL search order hijacking.(Citation: ESET BackdoorDiplomacy Jun 2021)| 
| Tonto Team | [Tonto Team](https://attack.mitre.org/groups/G0131) abuses a legitimate and signed Microsoft executable to launch a malicious DLL.(Citation: ESET Exchange Mar 2021)| 
| Evilnum | [Evilnum](https://attack.mitre.org/groups/G0120) has used the malware variant, TerraTV, to load a malicious DLL placed in the TeamViewer directory, instead of the original Windows DLL located in a system folder.(Citation: ESET EvilNum July 2020) | 
| Whitefly | [Whitefly](https://attack.mitre.org/groups/G0107) has used search order hijacking to run the loader Vcrodat.(Citation: Symantec Whitefly March 2019)| 
| APT41 | [APT41](https://attack.mitre.org/groups/G0096) has used search order hijacking to execute malicious payloads, such as Winnti RAT.(Citation: Crowdstrike GTR2020 Mar 2020)| 
| RTM | [RTM](https://attack.mitre.org/groups/G0048) has used search order hijacking to force TeamViewer to load a malicious DLL.(Citation: Group IB RTM August 2019)| 
| menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used DLL search order hijacking.(Citation: PWC Cloud Hopper April 2017)| 
| Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has performed DLL search order hijacking to execute their payload.(Citation: Nccgroup Emissary Panda May 2018)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1574/001)

  * [Capec](https://capec.mitre.org/data/definitions/471.html)

  * [Microsoft Dynamic Link Library Search Order](https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN), Microsoft. (2018, May 31). Dynamic-Link Library Search Order. Retrieved November 30, 2014.

  * [Fireeye Hijacking July 2010](https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html), Harbour, N. (2010, July 15). Malware Persistence without the Windows Registry. Retrieved November 17, 2020.

  * [Owasp Binary Planting](https://www.owasp.org/index.php/Binary_planting), OWASP. (2013, January 30). Binary planting. Retrieved June 7, 2016.

  * [Fireeye Fxsst June 2011](https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html), Harbour, N. (2011, June 3). What the fxsst?. Retrieved November 17, 2020.

  * [Microsoft Security Advisory 2269637](https://docs.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637), Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved March 13, 2020.

  * [Microsoft Dynamic-Link Library Redirection](https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN), Microsoft. (2018, May 31). Dynamic-Link Library Redirection. Retrieved March 13, 2020.

  * [Microsoft Manifests](https://msdn.microsoft.com/en-US/library/aa375365), Microsoft. (n.d.). Manifests. Retrieved December 5, 2014.

  * [Fireeye Dll Search Order Hijacking](https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html), Nick Harbour. (2010, September 1). DLL Search Order Hijacking Revisited. Retrieved March 13, 2020.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------
### This technique is a duplicate.  Follow the link below to the "Primary Version".
<a href="../Persistence/T1574.001 Dll Search Order Hijacking.ipynb" target="_blank">Primary Version</a>