M1044 Restrict Library Loading

Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potentially vulnerable software.

| Item | Value |
|---|---|
| ID | M1044 |
| Version | 1.0 |
| Created | 11 June 2019 |
| Last Modified | 11 June 2019 |

Techniques Addressed by Mitigation

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.008 | LSASS Driver | Ensure safe DLL search mode is enabled (`HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode`) to mitigate the risk that lsass.exe loads a malicious code library. [3] |
| enterprise | T1574 | Hijack Execution Flow | Disallow loading of remote DLLs. This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+. |
| enterprise | T1574.001 | DLL Search Order Hijacking | Disallow loading of remote DLLs. This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+. |
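
A read-only audit of the settings in the table above, added here as an example and not part of the ATT&CK page. `CWDIllegalInDllSearch` is Microsoft's registry value for restricting DLL loads from the current directory; it is not named on the page, so mapping it to the "disallow loading of remote DLLs" rows is an assumption, and the function names are hypothetical.

```powershell
# Added example: report the DLL search-path hardening values under Session Manager.
# Read-only; it changes nothing on the host.
$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-DllSearchHardening {
    param([string]$Path = $SessionManager)

    $safe = Get-RegValueOrNull -Path $Path -Name 'SafeDllSearchMode'
    $cwd  = Get-RegValueOrNull -Path $Path -Name 'CWDIllegalInDllSearch'

    # SafeDllSearchMode: an absent value means the OS default (enabled on
    # XP SP2 and later); an explicit 0 turns safe search mode off.
    if ($null -eq $safe)  { $safeState = 'Not set (OS default: enabled)' }
    elseif ($safe -eq 0)  { $safeState = 'DISABLED' }
    else                  { $safeState = 'Enabled' }

    # CWDIllegalInDllSearch (assumed mapping, see lead-in). The registry provider
    # may return DWORD 0xFFFFFFFF as -1, so normalise to an unsigned 32-bit value.
    if ($null -eq $cwd) {
        $cwdState = 'Not set (OS default search order applies)'
    } else {
        switch (([int64]$cwd) -band 4294967295) {
            0          { $cwdState = 'No current-directory restriction (0)' }
            1          { $cwdState = 'Blocked when current directory is a WebDAV folder (1)' }
            2          { $cwdState = 'Blocked when current directory is a remote folder (2)' }
            4294967295 { $cwdState = 'Current directory removed from search order (0xFFFFFFFF)' }
            default    { $cwdState = "Unrecognised value: $_" }
        }
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        SafeDllSearchMode     = $safeState
        SafeModeOk            = ($safe -ne 0)   # absent or non-zero both pass
        CWDIllegalInDllSearch = $cwdState
    }
}

Test-DllSearchHardening | Format-List
```

A host where `SafeModeOk` is `False` has safe DLL search mode explicitly disabled and should be reviewed first.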

References