Skip to content

M1044 Restrict Library Loading

Restricting library loading involves implementing security controls to ensure that only trusted and verified libraries (DLLs, shared objects, etc.) are loaded into processes. Adversaries often abuse Dynamic-Link Library (DLL) Injection, DLL Search Order Hijacking, or LD_PRELOAD mechanisms to execute malicious code by forcing the operating system to load untrusted libraries. This mitigation can be implemented through the following measures:

Enforce Safe Library Loading Practices:

  • Enable SafeDLLSearchMode on Windows.
  • Restrict LD_PRELOAD and LD_LIBRARY_PATH usage on Linux systems.

Code Signing Enforcement:

  • Require digital signatures for all libraries loaded into processes.
  • Use tools like Signtool, and WDAC to enforce signed DLL execution.

Environment Hardening:

  • Secure library paths and directories to prevent adversaries from placing rogue libraries.
  • Monitor user-writable directories and system configurations for unauthorized changes.

Audit and Monitor Library Loading:

  • Enable Sysmon on Windows to monitor for suspicious library loads.
  • Use auditd on Linux to monitor shared library paths and configuration file changes.

Use Application Control Solutions:

  • Implement AppLocker, WDAC, or SELinux to allow only trusted libraries.

Tools for Implementation

Windows-Specific Tools:

  • AppLocker: Application whitelisting for DLLs.
  • Windows Defender Application Control (WDAC): Restrict unauthorized library execution.
  • Signtool: Verify and enforce code signing.
  • Sysmon: Monitor DLL load events (Event ID 7).

Linux-Specific Tools:

  • auditd: Monitor changes to library paths and critical files.
  • SELinux/AppArmor: Define policies to restrict library loading.
  • ldconfig and chattr: Secure LD configuration files and prevent unauthorized modifications.

Cross-Platform Solutions:

  • Wazuh or OSSEC: File integrity monitoring for library changes.
  • Tripwire: Detect and alert on unauthorized library modifications.
Item Value
ID M1044
Version 1.1
Created 11 June 2019
Last Modified 18 December 2024
Navigation Layer View In ATT&CK® Navigator

Techniques Addressed by Mitigation

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.008 LSASS Driver Ensure safe DLL search mode is enabled HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode to mitigate risk that lsass.exe loads a malicious code library. 3
enterprise T1574 Hijack Execution Flow Disallow loading of remote DLLs. This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+.
enterprise T1574.001 DLL Disallow loading of remote DLLs. This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+.1

References

  1. Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014. 

  2. Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved November 27, 2017.