
T1574.001 DLL Search Order Hijacking

Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. [1][2] Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.

There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, [3] by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. [4] Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. [5]

Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL. [6][7][8]

If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.

| Item | Value |
|---|---|
| ID | T1574.001 |
| Sub-techniques | T1574.001, T1574.002, T1574.004, T1574.005, T1574.006, T1574.007, T1574.008, T1574.009, T1574.010, T1574.011, T1574.012, T1574.013 |
| Tactics | TA0003, TA0004, TA0005 |
| Platforms | Windows |
| Version | 1.1 |
| Created | 13 March 2020 |
| Last Modified | 30 March 2023 |

Procedure Examples

| ID | Name | Description |
|---|---|---|
| G0096 | APT41 | APT41 has used search order hijacking to execute malicious payloads, such as Winnti RAT. [37] |
| G0143 | Aquatic Panda | Aquatic Panda has used DLL search-order hijacking to load exe, dll, and dat files into memory. [39] |
| S0373 | Astaroth | Astaroth can launch itself via DLL Search Order Hijacking. [18] |
| G0135 | BackdoorDiplomacy | BackdoorDiplomacy has executed DLL search order hijacking. [36] |
| S0415 | BOOSTWRITE | BOOSTWRITE has exploited the loading of the legitimate Dwrite.dll file by actually loading the gdi library, which then loads the gdiplus library and ultimately loads the local Dwrite dll. [20] |
| S1063 | Brute Ratel C4 | Brute Ratel C4 has used search order hijacking to load a malicious payload DLL as a dependency to a benign application packaged in the same ISO. [15] |
| S0631 | Chaes | Chaes has used search order hijacking to load a malicious DLL. [19] |
| S0538 | Crutch | Crutch can persist via DLL search order hijacking on Google Chrome, Mozilla Firefox, or Microsoft OneDrive. [29] |
| S0134 | Downdelph | Downdelph uses search order hijacking of the Windows executable sysprep.exe to escalate privileges. [33] |
| S0363 | Empire | Empire contains modules that can discover and exploit various DLL hijacking opportunities. [14] |
| G0120 | Evilnum | Evilnum has used the malware variant, TerraTV, to load a malicious DLL placed in the TeamViewer directory, instead of the original Windows DLL located in a system folder. [38] |
| S0182 | FinFisher | A FinFisher variant uses DLL search order hijacking. [21][22] |
| S0661 | FoggyWeb | FoggyWeb's loader has used DLL Search Order Hijacking to load malicious code instead of the legitimate version.dll during the Microsoft.IdentityServer.ServiceHost.exe execution process. [28] |
| S0009 | Hikit | Hikit has used DLL Search Order Hijacking to load oci.dll as a persistence mechanism. [17] |
| S0070 | HTTPBrowser | HTTPBrowser abuses the Windows DLL load order by using a legitimate Symantec anti-virus binary, VPDN_LU.exe, to load a malicious DLL that mimics a legitimate Symantec DLL, navlu.dll. [27] |
| S0260 | InvisiMole | InvisiMole can be launched by using DLL search order hijacking in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library. [24] |
| S0530 | Melcoz | Melcoz can use DLL hijacking to bypass security controls. [18] |
| G0045 | menuPass | menuPass has used DLL search order hijacking. [35] |
| S0280 | MirageFox | MirageFox is likely loaded via DLL hijacking into a legitimate McAfee binary. [23] |
| S0013 | PlugX | PlugX has the ability to use DLL search order hijacking for installation on targeted systems. [32] |
| S0194 | PowerSploit | PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit DLL hijacking opportunities in services and processes. [12][13] |
| S0113 | Prikormka | Prikormka uses DLL search order hijacking for persistence by saving itself as ntshrui.dll to the Windows directory so it will load before the legitimate ntshrui.dll saved in the System32 subdirectory. [26] |
| S0458 | Ramsay | Ramsay can hijack outdated Windows application dependencies with malicious versions of its own DLL payload. [25] |
| S0153 | RedLeaves | RedLeaves is launched through use of DLL search order hijacking to load a malicious dll. [30] |
| G0048 | RTM | RTM has used search order hijacking to force TeamViewer to load a malicious DLL. [41] |
| G0027 | Threat Group-3390 | Threat Group-3390 has performed DLL search order hijacking to execute their payload. [40] |
| G0131 | Tonto Team | Tonto Team abuses a legitimate and signed Microsoft executable to launch a malicious DLL. [34] |
| S0612 | WastedLocker | WastedLocker has performed DLL hijacking before execution. [16] |
| S0109 | WEBC2 | Variants of WEBC2 achieve persistence by using DLL search order hijacking, usually by copying the DLL file to %SYSTEMROOT% (C:\WINDOWS\ntshrui.dll). [31] |
| G0107 | Whitefly | Whitefly has used search order hijacking to run the loader Vcrodat. [42] |

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Use auditing tools capable of detecting DLL search order hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for DLL hijacking weaknesses. [9] |
| M1038 | Execution Prevention | Adversaries may use new DLLs to execute this technique. Identify and block potentially malicious software executed through search order hijacking by using application control solutions capable of blocking DLLs loaded by legitimate software. |
| M1044 | Restrict Library Loading | Disallow loading of remote DLLs. This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+. |

Detection

| ID | Data Source | Data Component |
|---|---|---|
| DS0022 | File | File Creation |
| DS0011 | Module | Module Load |
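As an added example (not part of the ATT&CK page or any MITRE tooling), the Python below applies the Module Load data component to constructed Sysmon-style ImageLoad records: it flags well-known system DLL names that resolved outside the system directories (the planting pattern described above, including a copy placed beside the loading executable) and any library loaded from a UNC path (remote preloading). The DLL baseline, directory list and log records are all assumptions a defender would replace with their own telemetry.

```python
"""Flag DLL search order hijacking patterns in Sysmon Event ID 7 (ImageLoad) records.
Added example for this page, not MITRE's code; all inputs below are constructed."""
import ntpath

# DLL names this page reports being hijacked; a real baseline would be far larger.
SYSTEM_DLLS = {"version.dll", "ntshrui.dll", "oci.dll", "dwrite.dll", "navlu.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed ImageLoad records: Image = loading process, ImageLoaded = the DLL.
EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\ExampleApp\app.exe",                      # hypothetical application
     "ImageLoaded": r"C:\ExampleApp\version.dll", "Signed": "false"},
    {"Image": r"C:\Windows\explorer.exe",                    # ntshrui.dll planted in %SYSTEMROOT%
     "ImageLoaded": r"C:\Windows\ntshrui.dll", "Signed": "false"},
    {"Image": r"C:\ExampleApp\viewer.exe",                   # DLL fetched from a share
     "ImageLoaded": r"\\fileshare\public\dwrite.dll", "Signed": "true"},
]


def analyze(event):
    """Return the reasons one ImageLoad record looks like search order hijacking."""
    loaded = ntpath.normcase(event["ImageLoaded"])      # lower-case, backslashes
    loader_dir = ntpath.dirname(ntpath.normcase(event["Image"]))
    name, directory = ntpath.basename(loaded), ntpath.dirname(loaded)
    reasons = []
    # Remote DLL preloading: the module came from a UNC path (file or web share).
    if loaded.startswith("\\\\"):
        reasons.append("remote DLL load from UNC path")
    # A system DLL name that resolved somewhere other than the system directories.
    if name in SYSTEM_DLLS and directory not in SYSTEM_DIRS:
        reasons.append(f"{name} loaded from {directory} instead of a system directory")
        if directory == loader_dir:
            reasons.append("planted beside the executable (application directory is searched first)")
    # Signature state is supporting context, only reported when a finding exists.
    if reasons and event.get("Signed", "").lower() != "true":
        reasons.append("module is unsigned")
    return reasons


def scan(events):
    """Return (loader, loaded DLL, reasons) for every record with at least one finding."""
    findings = []
    for e in events:
        reasons = analyze(e)
        if reasons:
            findings.append((e["Image"], e["ImageLoaded"], reasons))
    return findings


if __name__ == "__main__":
    for image, dll, reasons in scan(EVENTS):
        print(f"{image} -> {dll}\n   " + "\n   ".join(reasons))
```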

References


  1. Harbour, N. (2010, July 15). Malware Persistence without the Windows Registry. Retrieved November 17, 2020. 

  2. OWASP. (2013, January 30). Binary planting. Retrieved June 7, 2016. 

  3. Harbour, N. (2011, June 3). What the fxsst?. Retrieved November 17, 2020. 

  4. Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved March 13, 2020. 

  5. Microsoft. (n.d.). Manifests. Retrieved December 5, 2014. 

  6. PowerSploit. (n.d.). Retrieved December 4, 2014. 

  7. Gerend, J. et al. (2017, October 16). sxstrace. Retrieved April 26, 2021. 

  8. Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014. 

  9. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. 

  10. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. 

  11. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  12. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. 

  13. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021. 

  14. Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016. 

  15. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. 

  16. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. 

  17. Carr, N. et al. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators' New Tools and Techniques. Retrieved October 11, 2019. 

  18. FinFisher. (n.d.). Retrieved December 20, 2017. 

  19. Kaspersky Lab’s Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018. 

  20. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018. 

  21. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. 

  22. Sanmillan, I. (2020, May 13). Ramsay: A cyber-espionage toolkit tailored for air-gapped networks. Retrieved May 27, 2020. 

  23. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016. 

  24. Desai, D. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016. 

  25. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. 

  26. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020. 

  27. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017. 

  28. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016. 

  29. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022. 

  30. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. 

  31. Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021. 

  32. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017. 

  33. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021. 

  34. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. 

  35. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021. 

  36. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022. 

  37. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018. 

  38. Skulkin, O. (2019, August 5). Following the RTM Forensic examination of a computer infected with a banking trojan. Retrieved May 11, 2020. 

  39. Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.