DLL Search Order Hijacking (T1038)

Technique & Subtechniques

  • DLL Search Order Hijacking

Associated Tactics

  • Persistence
  • Privilege Escalation
  • Defense Evasion

Persistence (TA0003)

The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

Procedure Examples

Description Source(s)
capec
Microsoft. (n.d.). Dynamic-Link Library Search Order. Retrieved November 30, 2014. Microsoft DLL Search
OWASP. (2013, January 30). Binary planting. Retrieved June 7, 2016. OWASP Binary Planting
Microsoft. (2010, August 22). Microsoft Security Advisory 2269637 Released. Retrieved December 5, 2014. Microsoft 2269637
Microsoft. (n.d.). Dynamic-Link Library Redirection. Retrieved December 5, 2014. Microsoft DLL Redirection
Microsoft. (n.d.). Manifests. Retrieved December 5, 2014. Microsoft Manifests
Mandiant. (2010, August 31). DLL Search Order Hijacking Revisited. Retrieved December 5, 2014. Mandiant Search Order