This post explains what a DLL side-loading attack is in the context of IT security.
What is a DLL Side-loading Attack?
A Dynamic-Link Library (DLL) is a file used on Windows systems to group functions. DLLs let common functionality be isolated and reused across programs.
As DLLs are specific to Windows, DLL side-loading attacks apply only to that OS.
In Windows, a program can control which libraries are loaded at runtime by specifying a full path or by using another mechanism such as a manifest. A program manifest is a file shipped with an application that manages the names and versions of the DLLs the application loads when it runs.
A program manifest can include DLL redirections, filenames or full paths. If a manifest refers to a library by filename only, that is considered a weak reference and is vulnerable to a DLL side-loading attack.
A DLL side-loading attack is an adversarial technique that takes advantage of weak library references and the default Windows search order: a malicious DLL masquerading as a legitimate one is placed on the system so that a legitimate program loads it automatically.
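From the defender's side, the pattern above is visible in image-load telemetry. The following Python example is added here and is not part of the original post: it scans Sysmon Event ID 7 (ImageLoad) records for a DLL that carries the name of a system library but is loaded from the program's own directory instead of System32. The sample records are constructed for the example, and the set of system DLL names is an assumed watch-list, not an exhaustive one.

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (ImageLoad) records."""
from pathlib import PureWindowsPath

# Constructed sample events using the Sysmon Event ID 7 field names Image / ImageLoaded.
# In practice these would be pulled from the Sysmon operational log.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorlib.dll"},
]

# Assumed watch-list: DLL names that a program normally resolves from the system directory.
# A copy of one of these sitting next to the executable is the classic side-loading signal.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptsp.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def in_system_dir(path: str) -> bool:
    """True when the file lives directly in System32 or SysWOW64 (case-insensitive)."""
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def is_side_load_candidate(event: dict) -> bool:
    """True when a system-named DLL is loaded from the loader's own directory, not System32."""
    image = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    same_dir = str(image.parent).lower() == str(dll.parent).lower()
    name_hijack = dll.name.lower() in SYSTEM_DLLS and not in_system_dir(event["ImageLoaded"])
    return same_dir and name_hijack


def find_candidates(events: list) -> list:
    """Return the ImageLoaded paths of every event that matches the side-loading pattern."""
    return [e["ImageLoaded"] for e in events if is_side_load_candidate(e)]


if __name__ == "__main__":
    for hit in find_candidates(SAMPLE_EVENTS):
        print("side-loading candidate:", hit)
```

Only the second record is flagged: version.dll loaded from the same user-writable folder as updater.exe, while notepad.exe loading version.dll from System32 and app.exe loading its own vendorlib.dll are left alone.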
Examples of real DLL side-loading attacks
This attack was used in the APT campaign against the United States DoD disclosed in July 2020, which was allegedly performed by two Chinese hackers, LI Xiaoyu and DONG Jiazhi. This is explained in Darknet Diaries podcast #103, “Cloud Hopper”.