1. Home
  2. Mitigations
  3. Restrict Library Loading

Restrict Library Loading

Restricting library loading involves implementing security controls to ensure that only trusted and verified libraries (DLLs, shared objects, etc.) are loaded into processes. Adversaries often abuse Dynamic-Link Library (DLL) Injection, DLL Search Order Hijacking, or LD_PRELOAD mechanisms to execute malicious code by forcing the operating system to load untrusted libraries. This mitigation can be implemented through the following measures:

Enforce Safe Library Loading Practices:

  • Enable SafeDLLSearchMode on Windows.
  • Restrict LD_PRELOAD and LD_LIBRARY_PATH usage on Linux systems.

Code Signing Enforcement:

  • Require digital signatures for all libraries loaded into processes.
  • Use tools like Signtool, and WDAC to enforce signed DLL execution.

Environment Hardening:

  • Secure library paths and directories to prevent adversaries from placing rogue libraries.
  • Monitor user-writable directories and system configurations for unauthorized changes.

Audit and Monitor Library Loading:

  • Enable Sysmon on Windows to monitor for suspicious library loads.
  • Use auditd on Linux to monitor shared library paths and configuration file changes.

Use Application Control Solutions:

  • Implement AppLocker, WDAC, or SELinux to allow only trusted libraries.

Tools for Implementation

Windows-Specific Tools:

  • AppLocker: Application whitelisting for DLLs.
  • Windows Defender Application Control (WDAC): Restrict unauthorized library execution.
  • Signtool: Verify and enforce code signing.
  • Sysmon: Monitor DLL load events (Event ID 7).

Linux-Specific Tools:

  • auditd: Monitor changes to library paths and critical files.
  • SELinux/AppArmor: Define policies to restrict library loading.
  • ldconfig and chattr: Secure LD configuration files and prevent unauthorized modifications.

Cross-Platform Solutions:

  • Wazuh or OSSEC: File integrity monitoring for library changes.
  • Tripwire: Detect and alert on unauthorized library modifications.
ID: M1044
Version: 1.1
Created: 11 June 2019
Last Modified: 18 December 2024
Version Permalink
Enterprise Layer
download view

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1547 .008 Boot or Logon Autostart Execution: LSASS Driver

Ensure safe DLL search mode is enabled HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode to mitigate risk that lsass.exe loads a malicious code library. [1]
Enterprise T1574 Hijack Execution Flow

Disallow loading of remote DLLs. This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+.

Enable Safe DLL Search Mode to force search for system DLLs in directories with greater restrictions (e.g. %SYSTEMROOT%)to be used before local directory DLLs (e.g. a user's home directory)

The Safe DLL Search Mode can be enabled via Group Policy at Computer Configuration > [Policies] > Administrative Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode. The associated Windows Registry key for this is located at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDLLSearchMode[2][3]
.001 DLL

Disallow loading of remote DLLs. This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+.[2]

Enable Safe DLL Search Mode to move the user's current folder later in the search order. This is included by default in modern versions of Windows; the associated Windows Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDLLSearchMode.[3]

References

  1. Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved November 27, 2017.
  2. Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014.
  1. Microsoft. (2018, May 31). Dynamic-Link Library Search Order. Retrieved November 30, 2014.