CAPEC-641: DLL Side-Loading
An adversary places a malicious version of a Dynamic-Link Library (DLL) in the Windows Side-by-Side (WinSxS) directory to trick the operating system into loading this malicious DLL instead of a legitimate DLL. Programs specify the location of the DLLs to load via the use of WinSxS manifests or DLL redirection and if they aren't used then Windows searches in a predefined set of directories to locate the file. If the applications improperly specify a required DLL or WinSxS manifests aren't explicit about the characteristics of the DLL to be loaded, they can be vulnerable to side-loading.
Last updated
Overview
CAPEC-641 (DLL Side-Loading) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
What the attacker needs
Prerequisites
- The target must fail to verify the integrity of the DLL before using them.
Skills required
- High skill: Trick the operating system in loading a malicious DLL instead of a legitimate DLL.
Consequences
What a successful CAPEC-641 attack can achieve.
Execute Unauthorized Commands, Bypass Protection Mechanism
Affects: Integrity
How to mitigate it
Defenses that reduce the risk of CAPEC-641.
- Prevent unknown DLLs from loading through using an allowlist policy.
- Patch installed applications as soon as new updates become available.
- Properly restrict the location of the software being used.
- Use of sxstrace.exe on Windows as well as manual inspection of the manifests.
- Require code signing and avoid using relative paths for resources.
Terminology & mappings
Mapped taxonomies
- ATTACK: Hijack Execution Flow:DLL Side-Loading (1574.002)
Frequently asked questions
Common questions about CAPEC-641.
- What is CAPEC-641?
- An adversary places a malicious version of a Dynamic-Link Library (DLL) in the Windows Side-by-Side (WinSxS) directory to trick the operating system into loading this malicious DLL instead of a legitimate DLL. Programs specify the location of the DLLs to load via the use of WinSxS manifests or DLL redirection and if they aren't used then Windows searches in a predefined set of directories to locate the file. If the applications improperly specify a required DLL or WinSxS manifests aren't explicit about the characteristics of the DLL to be loaded, they can be vulnerable to side-loading.
- How do you prevent CAPEC-641?
- Prevent unknown DLLs from loading through using an allowlist policy.
- What weaknesses does CAPEC-641 target?
- CAPEC-641 exploits 1 CWE weakness, including CWE-706 (Use of Incorrectly-Resolved Name or Reference).
- How severe is CAPEC-641?
- MITRE rates CAPEC-641 as High severity with low likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-641
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.