CAPEC-641: DLL Side-Loading

An adversary places a malicious version of a Dynamic-Link Library (DLL) in the Windows Side-by-Side (WinSxS) directory to trick the operating system into loading this malicious DLL instead of a legitimate DLL. Programs specify the location of the DLLs to load via the use of WinSxS manifests or DLL redirection and if they aren't used then Windows searches in a predefined set of directories to locate the file. If the applications improperly specify a required DLL or WinSxS manifests aren't explicit about the characteristics of the DLL to be loaded, they can be vulnerable to side-loading.

High

Typical severity

Per MITRE

Low

Likelihood of attack

Per MITRE

Related weaknesses

CWEs this targets

Detailed

Abstraction

MITRE classification

Overview

CAPEC-641 (DLL Side-Loading) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

CAPEC-641: DLL Side-Loading

Overview

What the attacker needs

Prerequisites

Skills required

Consequences

How to mitigate it

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-641?

How do you prevent CAPEC-641?

What weaknesses does CAPEC-641 target?

How severe is CAPEC-641?

References

Defend against CAPEC-641

Overview

What the attacker needs

Prerequisites

Skills required

Consequences

How to mitigate it

Related weaknesses

Related attack patterns

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-641?

How do you prevent CAPEC-641?

What weaknesses does CAPEC-641 target?

How severe is CAPEC-641?

References

Defend against CAPEC-641