DLL Sideloading: Unseen by Security Solutions

The term "sideloading" is mostly used today in the context of installing apps from sources outside of official app stores on smartphones. However, in the realm of IT security, it also describes a technique that is gaining popularity in the world of malware for Windows operating systems. In this article, we will give you a brief overview of the attack technique itself, its consequences and appropriate protective measures.

What Is DLL Sideloading?

"Sideloading," also known as "DLL sideloading," is a technique that has gained significance in the field of malware in recent years. It is closely related to "DLL hijacking" or "DLL search order hijacking," in which attackers exploit the way Windows applications search for Dynamic-Link Libraries (DLLs). In DLL sideloading, a manipulated DLL is deliberately placed in the same directory as the target application. Because Windows searches this directory first, the malicious DLL is loaded and executed in place of the intended one. This tactic is often abused to use legitimate applications as carriers for malware.

How DLL Sideloading Helps Attackers Bypass Security Solutions

Through DLL sideloading, attackers can effectively bypass security solutions because the application's executable file (.exe) is trusted: it is widely distributed, often digitally signed, and usually classified as safe by security products. Even during manual analysis of potential malware, the application itself is scrutinized first, rather than the dependencies it loads, such as libraries. As a result, the activity is more likely to be dismissed as a false positive, allowing attackers to evade a thorough investigation.

Relevance of DLL Sideloading

DLL sideloading poses a risk because many applications can potentially be misused. Typically, applications perform no check to confirm that a loaded library is indeed the intended one. If it becomes publicly known that a particular application is being exploited by attackers, a new vulnerable application can quickly be found to replace it.

On the MITRE ATT&CK website, which catalogs the technique, there is a list of examples illustrating how DLL sideloading has been used by various attack groups in the past.

Protective Measures

To protect against DLL sideloading, the following measures can be taken:
  • Implementation of Endpoint Detection and Response (EDR) solutions: Most EDR solutions include rules to detect sideloading. However, how detection works varies by vendor: some security solutions implement specific rules that correlate various telemetry data, while others focus particularly on the Microsoft DLLs that are most commonly abused.
  • Hardening of endpoints: With Windows Defender Application Control (WDAC) or AppLocker, the execution of applications can be controlled and restricted. Depending on individual requirements, Microsoft recommends either WDAC, AppLocker, or a combination of both.
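The search-order shadowing described in "What Is DLL Sideloading?" and the telemetry correlation mentioned in the EDR bullet above can be combined into a small detector. The following Python script is an added example written for this article, not code from the article or from any EDR product. It assumes a constructed JSON-lines input schema (fields `process`, `process_signer`, `module`, `module_signer`, which are not Sysmon's field names), a default Windows directory layout, and a hand-picked set of Windows library names that a real deployment would generate from a clean reference host.

```python
"""Correlate image-load telemetry to flag likely DLL sideloading.

Added example for this article; it is not code from the article or from any EDR vendor.
The input schema (JSON lines with process/process_signer/module/module_signer) is
constructed for this example and is not Sysmon's Event ID 7 field layout.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: default Windows layout; the OS serves its own libraries from these directories.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed list of library names that ship with Windows. In a real deployment this
# is generated from a clean reference machine (every DLL under System32), not typed by hand.
WINDOWS_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll", "cryptsp.dll"}


@dataclass(frozen=True)
class Finding:
    process: str
    module: str
    reasons: tuple[str, ...]


def _dir(path: str) -> str:
    """Lower-cased parent directory of a Windows path (works on any host OS)."""
    return str(PureWindowsPath(path).parent).lower()


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def analyze(record: dict) -> Finding | None:
    """Apply two correlated checks to one image-load record; None means nothing to report.

    record keys: process, process_signer, module, module_signer ("" means unsigned).
    """
    reasons = []
    module_dir = _dir(record["module"])

    # Check 1: a library Windows ships under System32 was resolved from somewhere else.
    # The application directory is searched before the system directory, so a file
    # with the same name placed next to the executable shadows the genuine library.
    if _name(record["module"]) in WINDOWS_DLL_NAMES and module_dir not in SYSTEM_DIRS:
        reasons.append("windows-library-name-outside-system-dir")

    # Check 2: a signed executable loads, from its own directory, a module that is
    # unsigned or signed by a different publisher. Vendors normally sign their own
    # libraries with the same certificate as the executable.
    in_app_dir = module_dir == _dir(record["process"])
    proc_signer = record["process_signer"]
    mod_signer = record["module_signer"]
    signer_mismatch = bool(proc_signer) and (not mod_signer or mod_signer != proc_signer)
    if in_app_dir and signer_mismatch:
        reasons.append("unsigned-or-foreign-signed-module-beside-signed-exe")

    if not reasons:
        return None
    return Finding(record["process"], record["module"], tuple(reasons))


def detect(lines: list[str]) -> list[Finding]:
    """Run analyze() over JSON-lines telemetry and collect the findings in input order."""
    findings = []
    for line in lines:
        if line.strip():
            finding = analyze(json.loads(line))
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample telemetry: four image loads by two copies of one signed executable.
SAMPLE_LINES = [
    # Installed application loads the genuine Windows library from System32: benign.
    r'{"process": "C:\\Program Files\\VendorApp\\app.exe", "process_signer": "Vendor Corp",'
    r' "module": "C:\\Windows\\System32\\version.dll", "module_signer": "Microsoft Windows"}',
    # Application loads its own vendor-signed library from its install directory: benign.
    r'{"process": "C:\\Program Files\\VendorApp\\app.exe", "process_signer": "Vendor Corp",'
    r' "module": "C:\\Program Files\\VendorApp\\vendorcore.dll", "module_signer": "Vendor Corp"}',
    # The same signed executable, now in a temp folder, resolves version.dll from that
    # folder and the file is unsigned: both checks fire.
    r'{"process": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\app.exe", "process_signer": "Vendor Corp",'
    r' "module": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\version.dll", "module_signer": ""}',
    # An unsigned module beside the signed executable whose name Windows does not ship:
    # weaker signal, reported on the signer mismatch alone.
    r'{"process": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\app.exe", "process_signer": "Vendor Corp",'
    r' "module": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\helper.dll", "module_signer": ""}',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LINES):
        print(f"{f.process} -> {f.module}: {', '.join(f.reasons)}")
```

Run against the sample, the two loads from the temp folder are reported and the two from the install directory are not. The two checks are kept as separate reasons on purpose: a Windows library name resolved outside the system directories is the stronger signal, while an unsigned module next to a signed executable also catches unpackaged helper libraries and therefore needs tuning against the organisation's own software inventory. On a real host the records would come from the EDR's module-load events or from Sysmon Event ID 7 (which records the loaded image's signature details), mapped into this schema, and the name list would be the full directory listing of System32 on a clean reference machine.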

Conclusion

DLL sideloading is a technique that allows attackers to bypass security measures and infiltrate networks. Therefore, it is essential for organizations to be aware of the risks and to implement appropriate measures to protect their IT infrastructure. Only through a combination of effective EDR solutions, hardening strategies, and employee training can the dangers posed by such techniques be mitigated.