Esc
DLL Search Order Hijacking - T1574.001
(ATT&CK® Technique)
Definition
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1574001["DLL Search Order Hijacking"] --> |may-create| SharedLibraryFile["Shared Library File"]; class T1574001 OffensiveTechniqueNode;
class SharedLibraryFile ArtifactNode; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile";
click T1574001 href "/offensive-technique/attack/T1574.001/"; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile"; FileEncryption["File Encryption"] -->
| encrypts | SharedLibraryFile["Shared Library File"];
FileEncryption["File Encryption"] -.->
| may-harden | T1574001["DLL Search Order Hijacking"] ;
class FileEncryption DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; DecoyFile["Decoy File"] -->
| spoofs | SharedLibraryFile["Shared Library File"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1574001["DLL Search Order Hijacking"] ;
class DecoyFile DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; FileEviction["File Eviction"] -->
| deletes | SharedLibraryFile["Shared Library File"];
FileEviction["File Eviction"] -.->
| may-evict | T1574001["DLL Search Order Hijacking"] ;
class FileEviction DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; LocalFilePermissions["Local File Permissions"] -->
| restricts | SharedLibraryFile["Shared Library File"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1574001["DLL Search Order Hijacking"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | SharedLibraryFile["Shared Library File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1574001["DLL Search Order Hijacking"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; RestoreFile["Restore File"] -->
| restores | SharedLibraryFile["Shared Library File"];
RestoreFile["Restore File"] -.->
| may-restore | T1574001["DLL Search Order Hijacking"] ;
class RestoreFile DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; FileAnalysis["File Analysis"] -->
| analyzes | SharedLibraryFile["Shared Library File"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1574001["DLL Search Order Hijacking"] ;
class FileAnalysis DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | SharedLibraryFile["Shared Library File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1574001["DLL Search Order Hijacking"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";