What is DLL side-loading?

DLL side-loading is a popular technique used by threat actors to circumvent security solutions and trick the Windows operating system into executing malicious code on the target endpoint.

In this blog post, we’ll explore how DLL side-loading works, why it’s an effective attack vector, and provide practical mitigation tips you can use to secure your systems against this growing threat. We’ll also look at why the Windows Downloads folder represents a particular risk, albeit one that can be easily mitigated.

What is DLL side-loading?

Dynamic Link Library, or DLL for short, is Microsoft’s implementation of the shared library concept. These libraries, which typically sport the .dll file extension, contain code and data that can be used by multiple programs at the same time.

Unlike an EXE file, DLL files cannot be directly executed. Instead, an application will load DLL files when needed to carry out specific tasks that may not be a core function of the original program. This reduces the amount of code that needs to be written, simplifies maintenance, and saves disk space.

Unfortunately, the way in which Windows searches for and loads DLLs can also be exploited by threat actors. When an application requires a DLL to run, Windows attempts to load the DLL from either a full path defined by the application or via a manifest file. A manifest is essentially a plain text file that contains information about the dependencies and configuration requirements of an application or component. Among other things, it specifies which DLLs should be loaded at runtime by the associated program.

However, problems arise when the manifest file isn’t specific enough about the DLLs that the application should load or the file paths that the DLLs should be loaded from. Adversaries can exploit poorly configured manifest files by placing a malicious DLL with the same name as a legitimate DLL in a location where an application will load it before the DLL that should be loaded. The location for the malicious DLL can be determined because, unless otherwise specified, Windows uses a set search order for DLLs:

  1. The directory from which the application loaded
  2. The system directory
  3. The 16-bit system directory
  4. The Windows directory
  5. The current working directory (CWD)
  6. The directories that are listed in the PATH environment variable

A successful side-loading attack may allow the attacker to execute code on the system, escalate privileges, or steal sensitive information.

Why do threat actors use DLL side-loading?

For threat actors, the main advantage of DLL side-loading revolves around detection evasion. Because the malicious code is executed within the context of a legitimate application, it can evade detection by some security mechanisms that are looking for suspicious activities or processes. This increases the chances of an attacker being able to carry out malicious activity without being detected.

Ransomware incidents leveraging DLL side-loading

Over the years, a number of ransomware operators have used DLL side-loading to execute successful attacks. Some examples include:

Mitigating DLL side-loading risks

Most DLL side-loading attacks require threat actors to have write access to a directory where the malicious binary is searched for and loaded from, and, therefore, mitigation begins with securing the perimeter through the use of all the regular cybersecurity best practices, including:

Endpoint detection and response (EDR) tools can also play an important role in mitigating DLL side-loading attacks, particularly in large organizations with many endpoints. Emsisoft Endpoint Detection and Response provides continuous visibility of an organization’s endpoints, along with valuable insight into potential threats – including DLL side-loading.

The Windows Downloads folder

As noted above, Windows searches for DLLs in a set order, and the first location to be checked is the folder from which an application is loaded. This means that when a new application is downloaded and run from within the Downloads folder, it may load any malicious DLL that is also in that folder. The Downloads folder is also the easiest folder for an attacker to place a malicious DLL in, a user simply needs to be tricked into downloading it.

Fortunately, the risk of side-loading from the Downloads folder can be easily mitigated simply by ensuring the Downloads folder is kept empty except for the most recent download. Similarly, moving installers to the desktop prior to running them will also avoid any malicious DLL in the Downloads folder being loaded.

What developers can do

Software developers represent the first line of defense against DLL side-loading attacks. The following practices may be useful in mitigating DLL side-loading:

Specify the full path to the DLL: When loading a DLL, developers can specify the full path to the DLL instead of just the DLL name. This ensures that the correct DLL is loaded and prevents the system from searching for and loading a potentially malicious DLL.

Use absolute paths: Developers should use absolute paths instead of relative paths when specifying the location of a DLL. Relative paths can be manipulated by attackers to trick the application into loading a malicious DLL from a different directory.

Implement DLL signature verification: Developers can sign their DLLs using a digital signature and verify the signature before loading the DLL. While not infallible, this does provide a layer of assurance that the DLL is a legitimate component and has not been tampered with.

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial

For more information, be sure to check out Microsoft’s best practices for securing the loading of libraries.

Senan Conrad

Senan Conrad

Senan specializes in giving readers insight into the constantly and rapidly changing world of cybersecurity. When he’s not tapping away at his keyboard, he enjoys drinking a good coffee or tinkering in his workshop.

What to read next