Restricting library loading involves implementing security controls to ensure that only trusted and verified libraries (DLLs, shared objects, etc.) are loaded into processes. Adversaries often abuse Dynamic-Link Library (DLL) Injection, DLL Search Order Hijacking, or LD_PRELOAD mechanisms to execute malicious code by forcing the operating system to load untrusted libraries. This mitigation can be implemented through the following measures:
Enforce Safe Library Loading Practices:
- Enable SafeDLLSearchMode on Windows.
- Restrict LD_PRELOAD and LD_LIBRARY_PATH usage on Linux systems.
Code Signing Enforcement:
Environment Hardening:
Audit and Monitor Library Loading:
- Use Sysmon on Windows to monitor for suspicious library loads.
- Use auditd on Linux to monitor shared library paths and configuration file changes.
Use Application Control Solutions:
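As an added example (not code from the ATT&CK page), the following Python applies two of the monitoring checks above to constructed Sysmon Event ID 7 (Image loaded) records: a DLL whose base name is also loaded from a system directory but here comes from somewhere else (the search-order pattern SafeDllSearchMode is meant to limit), and an unsigned library loaded from a non-system directory. The sample records and the two system-directory paths are assumptions.

```python
"""Flag Sysmon Event ID 7 (Image loaded) records worth an analyst's review."""
import ntpath

# Assumed trusted library directories; extend for your build (lower-case).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample events using the real Event 7 field names Image,
# ImageLoaded and Signed (Sysmon reports Signed as "true"/"false").
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\version.dll", "Signed": "false"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorcore.dll", "Signed": "true"},
]


def _split(path):
    """Return (directory, basename) of a Windows path, both lower-cased."""
    directory, base = ntpath.split(path)
    return directory.lower(), base.lower()


def in_system_dir(path):
    """True when the library sits directly in one of SYSTEM_DIRS."""
    return _split(path)[0] in SYSTEM_DIRS


def find_suspicious_loads(events):
    """Return [(ImageLoaded, reason)] for records matching either check.

    The set of system DLL names is derived from the same batch of events;
    in production, build it from an inventory of the system directories.
    """
    system_names = {_split(e["ImageLoaded"])[1]
                    for e in events if in_system_dir(e["ImageLoaded"])}
    findings = []
    for e in events:
        directory, base = _split(e["ImageLoaded"])
        if directory in SYSTEM_DIRS:
            continue  # loads from the trusted directories are not flagged here
        if base in system_names:
            findings.append((e["ImageLoaded"],
                             "system DLL name loaded from non-system directory"))
        elif e.get("Signed", "").lower() != "true":
            findings.append((e["ImageLoaded"],
                             "unsigned library loaded from non-system directory"))
    return findings


if __name__ == "__main__":
    for path, reason in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"{reason}: {path}")
```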
Tools for Implementation
Windows-Specific Tools:
Linux-Specific Tools:
Cross-Platform Solutions:
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1547.008 | Boot or Logon Autostart Execution: LSASS Driver | Ensure safe DLL search mode is enabled. |
Enterprise | T1574 | Hijack Execution Flow | Disallow loading of remote DLLs. This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+. Enable Safe DLL Search Mode to force search for system DLLs in directories with greater restrictions (e.g. The Safe DLL Search Mode can be enabled via Group Policy at Computer Configuration > [Policies] > Administrative Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode. The associated Windows Registry key for this is located at |
Enterprise | T1574.001 | Hijack Execution Flow: DLL | Disallow loading of remote DLLs. This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+.[2] Enable Safe DLL Search Mode to move the user's current folder later in the search order. This is included by default in modern versions of Windows; the associated Windows Registry key is located at |