Stealth Execution

T1574.001: DLL

T1574.001 · Sub-technique · 1 platform · 35 groups

Description

Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.(Citation: unit 42)

Specific ways DLLs are abused by adversaries include:

### DLL Sideloading

Adversaries may execute their own malicious payloads by side-loading DLLs. Side-loading involves hijacking which DLL a program loads by planting and then invoking a legitimate application that executes their payload(s).

Side-loading positions both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.

Adversaries may also side-load other packages, such as BPLs (Borland Package Library).(Citation: kroll bpl)

Adversaries may chain DLL sideloading multiple times to fragment functionality, hindering analysis. Adversaries using multiple DLL files can split the loader functions across different DLLs, with a main DLL loading the separated export functions.(Citation: Virus Bulletin) Spreading loader functions across multiple DLLs makes analysis harder, since all files must be collected to fully understand the malware's behavior. Another method implements a "loader-for-a-loader", where a malicious DLL's sole role is to load a second DLL (or a chain of DLLs) that contains the real payload.(Citation: Sophos)

### DLL Search Order Hijacking

Adversaries may execute their own malicious payloads by hijacking the search order that Windows uses to load DLLs. This search order is a sequence of special and standard search locations that a program checks when loading a DLL. An adversary can plant a trojan DLL in a directory that will be prioritized by the DLL search order over the location of a legitimate library. This will cause Windows to load the malicious DLL when it is called for by the victim program.(Citation: unit 42)

### DLL Redirection

Adversaries may directly modify the search order via DLL redirection, which after being enabled (in the Registry or via the creation of a redirection file) may cause a program to load a DLL from a different location.(Citation: Microsoft redirection)(Citation: Microsoft - manifests/assembly)

### Phantom DLL Hijacking

Adversaries may leverage phantom DLL hijacking by targeting references to non-existent DLL files. They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.(Citation: Hexacorn DLL Hijacking)(Citation: Hijack DLLs CrowdStrike)

### DLL Substitution

Adversaries may target existing, valid DLL files and substitute them with their own malicious DLLs, planting them with the same name and in the same location as the valid DLL file.(Citation: Wietze Beukema DLL Hijacking)

Programs that fall victim to DLL hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace, evading defenses.

Remote DLL hijacking can occur when a program sets its current directory to a remote location, such as a Web share, before loading a DLL.(Citation: dll pre load owasp)(Citation: microsoft remote preloading)

If a valid DLL is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation.
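To make the search order described above concrete from the auditing side, here is an added Python model (not code from MITRE ATT&CK or from any of the cited sources) of the documented Windows search order for a DLL requested by bare name. Given a constructed inventory of which directories hold which DLLs and which directories an ordinary user can write to, it reports whether a writable directory is consulted before the legitimate copy (search-order hijacking), whether the loaded copy itself sits in a writable directory (substitution), or whether the name resolves nowhere at all (phantom DLL). It assumes Safe DLL Search Mode only changes where the current directory sits, and it deliberately ignores KnownDLLs, already-loaded modules, full-path loads and SxS redirection; all directory names and the file inventory are constructed.

```python
r"""Model of the Windows DLL search order for bare-name loads, used to audit
where a user-writable directory could shadow the legitimate copy of a DLL.
Added example; the directory names and file inventory below are constructed."""
from dataclasses import dataclass, field

# Constructed stand-ins for the real locations on a host.
APP_DIR = r"C:\Program Files\Vendor\App"      # directory the program loaded from
SYSTEM32 = r"C:\Windows\System32"             # system directory
SYSTEM16 = r"C:\Windows\System"               # 16-bit system directory
WINDIR = r"C:\Windows"                        # Windows directory
DOWNLOADS = r"C:\Users\alice\Downloads"       # a current directory under user control
TOOLS = r"C:\Tools"                           # a PATH entry with weak permissions


def search_order(app_dir, cwd, path_dirs, safe_dll_search_mode=True):
    """Directories Windows consults, in order, for a DLL requested by bare
    name that is not a KnownDLL and not already loaded.  With
    SafeDllSearchMode on (the modern default) the current directory is
    searched after the system directories; with it off the current
    directory is searched right after the application directory."""
    system_dirs = [SYSTEM32, SYSTEM16, WINDIR]
    if safe_dll_search_mode:
        order = [app_dir, *system_dirs, cwd]
    else:
        order = [app_dir, cwd, *system_dirs]
    return order + list(path_dirs)


def resolve(dll_name, present_in, order):
    """First directory in `order` holding `dll_name`, or None for a phantom
    DLL (referenced by the program but present nowhere)."""
    name = dll_name.lower()
    for d in order:
        if (d, name) in present_in:
            return d
    return None


@dataclass
class Finding:
    dll: str
    kind: str                                   # "clean", "search-order", "substitution" or "phantom"
    exposed: list = field(default_factory=list) # writable directories that matter, in search order


def audit(dll_name, present_in, order, writable_dirs):
    """Classify the exposure of one DLL load for an actor who can write
    only to `writable_dirs`."""
    chosen = resolve(dll_name, present_in, order)
    if chosen is None:
        # Phantom DLL: every writable directory in the order is a planting spot.
        return Finding(dll_name, "phantom", [d for d in order if d in writable_dirs])
    preceding = order[:order.index(chosen)]
    shadowing = [d for d in preceding if d in writable_dirs]
    if shadowing:
        # Search-order hijacking: a writable directory is consulted first.
        return Finding(dll_name, "search-order", shadowing)
    if chosen in writable_dirs:
        # Substitution: the copy that gets loaded lives in a writable directory.
        return Finding(dll_name, "substitution", [chosen])
    return Finding(dll_name, "clean")


# Constructed inventory: (directory, lower-case DLL name) pairs that exist on the host.
PRESENT = {(SYSTEM32, "version.dll"), (APP_DIR, "vendor.dll"), (TOOLS, "plugin.dll")}
WRITABLE = {DOWNLOADS, TOOLS}


if __name__ == "__main__":
    for safe in (True, False):
        order = search_order(APP_DIR, DOWNLOADS, [TOOLS], safe)
        print(f"SafeDllSearchMode={safe}")
        for dll in ("version.dll", "vendor.dll", "plugin.dll", "helper.dll"):
            print("  ", audit(dll, PRESENT, order, WRITABLE))
```

Running the script with Safe DLL Search Mode on and off shows why the M1044 mitigation matters: with it off, a DLL that lives only in System32 is shadowed by a copy in the user-controlled current directory, and with it on the same load is clean unless a PATH entry or the application directory itself is writable.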

Platforms

Windows

Mitigations (5)

Execution Prevention (M1038)

Identify and block potentially malicious software executed through DLL hijacking by using application control solutions capable of blocking DLLs loaded by legitimate software.(Citation: Microsoft AppLocker DLL)

Restrict Library Loading (M1044)

Disallow loading of remote DLLs. This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+.(Citation: Microsoft More information about DLL)

Enable Safe DLL Search Mode to move the user's current folder later in the search order. This is included by default in modern versions of Windows; the associated Windows Registry key is located at HKLM\SYSTE

Update Software (M1051)

Update software regularly to include patches that fix DLL side-loading vulnerabilities.

Audit (M1047)

Use auditing tools capable of detecting DLL search order hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for DLL hijacking weaknesses.(Citation: Powersploit)

Use the program sxstrace.exe that is included with Windows, along with manual inspection, to check manifest files

Application Developer Guidance (M1013)

When possible, include hash values in manifest files to help prevent side-loading of malicious libraries.

Threat Groups (35)

| ID | Group | Context |
| --- | --- | --- |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used side loading to place malicious DLLs in memory.(Citation: NCC Group Chimera January 2021) |
| G1021 | Cinnamon Tempest | [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) has used search order hijacking to launch [Cobalt Strike](https://attack.mitre.org/software/... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) maintains persistence on victim networks through side-loading dlls to trick legitimate programs in... |
| G1047 | Velvet Ant | [Velvet Ant](https://attack.mitre.org/groups/G1047) has used malicious DLLs executed via legitimate EXE files through DLL search order hijacking to la... |
| G0048 | RTM | [RTM](https://attack.mitre.org/groups/G0048) has used search order hijacking to force TeamViewer to load a malicious DLL.(Citation: Group IB RTM Augus... |
| G0131 | Tonto Team | [Tonto Team](https://attack.mitre.org/groups/G0131) abuses a legitimate and signed Microsoft executable to launch a malicious DLL.(Citation: ESET Exch... |
| G0040 | Patchwork | A [Patchwork](https://attack.mitre.org/groups/G0040) .dll that contains [BADNEWS](https://attack.mitre.org/software/S0128) is loaded and executed usin... |
| G0107 | Whitefly | [Whitefly](https://attack.mitre.org/groups/G0107) has used search order hijacking to run the loader Vcrodat.(Citation: Symantec Whitefly March 2019) |
| G0143 | Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) has used DLL search-order hijacking to load `exe`, `dll`, and `dat` files into memory.(Citation... |
| G0093 | GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) used DLL side-loading to covertly load [PoisonIvy](https://attack.mitre.org/software/S0012) into memo... |
| G0126 | Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126)'s JavaScript file used a legitimate Microsoft Office 2007 package to side-load the `OINFO12.OCX`... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) ran legitimately-signed executables from Symantec and McAfee which load a malicious DLL. The group also... |
| G1046 | Storm-1811 | [Storm-1811](https://attack.mitre.org/groups/G1046) has deployed a malicious DLL (7z.DLL) that is sideloaded by a modified, legitimate installer (7zG.... |
| G0120 | Evilnum | [Evilnum](https://attack.mitre.org/groups/G0120) has used the malware variant, TerraTV, to load a malicious DLL placed in the TeamViewer directory, in... |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has been known to side-load DLLs using a valid version of a Windows Address Book and Windows D... |
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) has placed a malicious payload in `%WINDIR%\SYSTEM32\oci.dll` so it would be sideloaded by the MS... |
| G1014 | LuminousMoth | [LuminousMoth](https://attack.mitre.org/groups/G1014) has used legitimate executables such as `winword.exe` and `igfxem.exe` to side-load their malwar... |
| G0060 | BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used legitimate applications to side-load malicious DLLs.(Citation: Trend Micro Tick Novemb... |
| G0090 | WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has used RAR archives containing a legitimate executable and a lure document to execute malicious DLLs ... |
| G0022 | APT3 | [APT3](https://attack.mitre.org/groups/G0022) has been known to side load DLLs with a valid version of Chrome with one of their tools.(Citation: FireE... |

Associated Software (75)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S1041 | Chinoxy | Malware | [Chinoxy](https://attack.mitre.org/software/S1041) can use a digitally signed binary ("Logitech Bluetooth Wizard Host Process") to load its dll into m... |
| S0384 | Dridex | Malware | [Dridex](https://attack.mitre.org/software/S0384) can abuse legitimate Windows executables to side-load malicious DLL files.(Citation: Red Canary Drid... |
| S0664 | Pandora | Malware | [Pandora](https://attack.mitre.org/software/S0664) can use DLL side-loading to execute malicious payloads.(Citation: Trend Micro Iron Tiger April 2021... |
| S0070 | HTTPBrowser | Malware | [HTTPBrowser](https://attack.mitre.org/software/S0070) abuses the Windows DLL load order by using a legitimate Symantec anti-virus binary, VPDN_LU.exe... |
| S0109 | WEBC2 | Malware | Variants of [WEBC2](https://attack.mitre.org/software/S0109) achieve persistence by using DLL search order hijacking, usually by copying the DLL file ... |
| S0009 | Hikit | Malware | [Hikit](https://attack.mitre.org/software/S0009) has used [DLL](https://attack.mitre.org/techniques/T1574/001) to load `oci.dll` as a persi... |
| S0176 | Wingbird | Malware | [Wingbird](https://attack.mitre.org/software/S0176) side loads a malicious file, sspisrv.dll, in part of a spoofed lssas.exe service.(Citation: Micros... |
| S0528 | Javali | Malware | [Javali](https://attack.mitre.org/software/S0528) can use DLL side-loading to load malicious DLLs into legitimate executables.(Citation: Securelist Br... |
| S9020 | LODEINFO | Malware | [LODEINFO](https://attack.mitre.org/software/S9020) can use legitimate EXE files to sideload malicious DLLs.(Citation: Kaspersky LODEINFO OCT 2022) |
| S0128 | BADNEWS | Malware | [BADNEWS](https://attack.mitre.org/software/S0128) typically loads its DLL file into a legitimate signed Java or VMware executable.(Citation: Forcepoi... |
| S1227 | StarProxy | Malware | [StarProxy](https://attack.mitre.org/software/S1227) has been side-loaded by the legitimate, signed executable, IsoBurner.exe.(Citation: Zscaler) |
| S1232 | SplatDropper | Malware | [SplatDropper](https://attack.mitre.org/software/S1232) has leveraged legitimate binaries to conduct DLL side-loading.(Citation: Zscaler PAKLOG CorkLo... |
| S0182 | FinFisher | Malware | [FinFisher](https://attack.mitre.org/software/S0182) uses DLL side-loading to load malicious programs.(Citation: FinFisher Citation)(Citation: Microso... |
| S0398 | HyperBro | Malware | [HyperBro](https://attack.mitre.org/software/S0398) has used a legitimate application to sideload a DLL to decrypt, decompress, and run a payload.(Cit... |
| S1239 | TONESHELL | Malware | [TONESHELL](https://attack.mitre.org/software/S1239) has abused legitimate executables to side-load malicious DLLs.(Citation: CSIRT CTI MUSTANG PANDA ... |
| S0275 | UPPERCUT | Malware | [UPPERCUT](https://attack.mitre.org/software/S0275) has been sideloaded through a legitimately signed application from the JustSystems Corporation.(Ci... |
| S0153 | RedLeaves | Malware | [RedLeaves](https://attack.mitre.org/software/S0153) is launched through use of DLL search order hijacking to load a malicious dll.(Citation: FireEye ... |
| S9029 | IronWind | Malware | [IronWind](https://attack.mitre.org/software/S9029) has used DLL sideloading for execution.(Citation: Check Point Wirte NOV 2024) |
| S0455 | Metamorfo | Malware | [Metamorfo](https://attack.mitre.org/software/S0455) has side-loaded its malicious DLL file.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Me... |
| S0579 | Waterbear | Malware | [Waterbear](https://attack.mitre.org/software/S0579) has used DLL side loading to import and load a malicious DLL loader.(Citation: Trend Micro Waterb... |

Frequently Asked Questions

What is T1574.001 (DLL)?

T1574.001 is a MITRE ATT&CK technique named 'DLL'. It belongs to the Stealth, Execution tactic(s). Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs.

How can T1574.001 be detected?

Detection of T1574.001 (DLL) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
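The answer above names the telemetry sources but not what to look for in them. The following Python is an added example (not part of this page or of the ATT&CK knowledge base) of three detection rules drawn from the technique description, run over constructed records shaped like Sysmon Event ID 7 (Image loaded): a DLL name the host normally loads from a protected directory resolving somewhere else (search-order hijacking, side-loading, substitution), an unsigned DLL loaded from a location ordinary users can write to, and a DLL loaded from a UNC path (remote DLL hijacking). The field names Image, ImageLoaded and Signed are real Sysmon Event ID 7 fields, but the records, the directory lists and the `key=value|key=value` line format are constructed for the example, and the per-host baseline is built from the same sample instead of from historical data.

```python
r"""Detection logic for DLL side-loading and search-order hijacking indicators,
run over constructed records shaped like Sysmon Event ID 7 (Image loaded).
Added example; the records below are constructed, not real telemetry."""
import ntpath
from collections import defaultdict

# Directories that only administrators should be able to write to (lower-case, exact match).
PROTECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
# Roots under which ordinary users can usually create files.
USER_WRITABLE_ROOTS = (r"c:\users", r"c:\programdata", r"c:\windows\temp")

# Constructed records using three Sysmon Event ID 7 field names:
# Image (loading process), ImageLoaded (the DLL), Signed (Sysmon's signature check).
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\Vendor\App\app.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true",
    r"Image=C:\Users\alice\Downloads\app.exe|ImageLoaded=C:\Users\alice\Downloads\version.dll|Signed=false",
    r"Image=C:\Windows\System32\svchost.exe|ImageLoaded=\\fileshare\public\helper.dll|Signed=false",
    r"Image=C:\Program Files\Vendor\App\app.exe|ImageLoaded=C:\Program Files\Vendor\App\vendor.dll|Signed=true",
    r"Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\Temp\updater.dll|Signed=false",
]


def parse_event(line):
    """Split a 'key=value|key=value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def _dir_and_name(path):
    d, n = ntpath.split(path)
    return d.lower(), n.lower()


def _under(directory, roots):
    return any(directory == r or directory.startswith(r + "\\") for r in roots)


def build_baseline(events):
    """DLL name -> protected directories it has been seen loading from while signed.
    Stands in for a baseline learned from the host's history."""
    baseline = defaultdict(set)
    for ev in events:
        d, n = _dir_and_name(ev["ImageLoaded"])
        if ev.get("Signed") == "true" and d in PROTECTED_DIRS:
            baseline[n].add(d)
    return baseline


def detect(events, baseline):
    """Return (event index, rule name) pairs for loads worth triage."""
    alerts = []
    for i, ev in enumerate(events):
        loaded = ev["ImageLoaded"]
        d, n = _dir_and_name(loaded)
        signed = ev.get("Signed") == "true"
        # Remote DLL hijacking: the module came from a UNC path.
        if loaded.startswith("\\\\"):
            alerts.append((i, "remote-dll-load"))
        # A name the host normally loads from a protected directory now
        # resolved elsewhere: search-order hijacking, side-loading or substitution.
        if n in baseline and d not in baseline[n] and d not in PROTECTED_DIRS:
            alerts.append((i, "system-dll-name-outside-baseline"))
        # Unsigned code pulled in from a location ordinary users can write to.
        if not signed and _under(d, USER_WRITABLE_ROOTS):
            alerts.append((i, "unsigned-dll-from-user-writable-path"))
    return alerts


def run_detection(lines=SAMPLE_EVENTS):
    """Parse the records, build the baseline from them, and return the alerts."""
    events = [parse_event(line) for line in lines]
    return detect(events, build_baseline(events))


if __name__ == "__main__":
    for idx, rule in run_detection():
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx]}")
```

Sysmon only emits Event ID 7 when its configuration includes an ImageLoad rule, and the event volume is high, so in practice the baseline would be built from a sliding window of history and the rules applied to new events only; the third rule is the one most worth tuning, since legitimate installers also load unsigned helpers from user-writable paths.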

What mitigations exist for T1574.001?

There are 5 documented mitigations for T1574.001. Key mitigations include: Execution Prevention, Restrict Library Loading, Update Software, Audit, Application Developer Guidance.

Which threat groups use T1574.001?

Known threat groups using T1574.001 include: Chimera, Cinnamon Tempest, MuddyWater, Velvet Ant, RTM, Tonto Team, Patchwork, Whitefly.