Restrict Library Loading

Restricting library loading involves implementing security controls to ensure that only trusted and verified libraries (DLLs, shared objects, etc.) are loaded into processes. Adversaries often abuse Dynamic-Link Library (DLL) Injection, DLL Search Order Hijacking, or LD_PRELOAD mechanisms to execute malicious code by forcing the operating system to load untrusted libraries. This mitigation can be implemented through the following measures:

Enforce Safe Library Loading Practices:

  • Enable SafeDLLSearchMode on Windows.
  • Restrict LD_PRELOAD and LD_LIBRARY_PATH usage on Linux systems.

Code Signing Enforcement:

  • Require digital signatures for all libraries loaded into processes.
  • Use tools like Signtool and WDAC to enforce signed DLL execution.

Environment Hardening:

  • Secure library paths and directories to prevent adversaries from placing rogue libraries.
  • Monitor user-writable directories and system configurations for unauthorized changes.

Audit and Monitor Library Loading:

  • Enable Sysmon on Windows to monitor for suspicious library loads.
  • Use auditd on Linux to monitor shared library paths and configuration file changes.

Use Application Control Solutions:

  • Implement AppLocker, WDAC, or SELinux to allow only trusted libraries.

Tools for Implementation

Windows-Specific Tools:

  • AppLocker: Application whitelisting for DLLs.
  • Windows Defender Application Control (WDAC): Restrict unauthorized library execution.
  • Signtool: Verify and enforce code signing.
  • Sysmon: Monitor DLL load events (Event ID 7).
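As an added example (not part of the ATT&CK page), the following Python triages Sysmon Event ID 7 records against the controls listed above: libraries without a valid signature, libraries loaded from user-writable directories, and remote (UNC) loads. The events are constructed sample data whose keys follow the Sysmon Event ID 7 field names; the user-writable directory pattern is an assumption to tune per environment.

```python
"""Triage Sysmon Event ID 7 (Image loaded) records for library loads that
the controls above are meant to prevent. EVENTS is constructed sample data."""
import re
from typing import Dict, List

# Constructed Sysmon Event ID 7 records; keys follow the Sysmon field names.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"\\fileshare\public\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

# Directories an unprivileged user can normally write to (assumption: tune per host).
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users|Windows\\Temp)\\", re.IGNORECASE)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons one Event ID 7 record is suspicious; [] means benign."""
    path = event["ImageLoaded"]
    reasons: List[str] = []
    # Code-signing enforcement: anything not carrying a valid signature.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned-or-invalid-signature")
    # Remote DLL loading (UNC path), which the page says should be disallowed.
    if path.startswith("\\\\"):
        reasons.append("remote-unc-path")
    # Library placed in a user-writable directory (search-order hijack staging).
    if USER_WRITABLE.match(path):
        reasons.append("user-writable-directory")
    return reasons


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious ImageLoaded path to its list of reasons."""
    findings: Dict[str, List[str]] = {}
    for event in events:
        reasons = classify(event)
        if reasons:
            findings[event["ImageLoaded"]] = reasons
    return findings


if __name__ == "__main__":
    print(triage(EVENTS))
```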

Linux-Specific Tools:

  • auditd: Monitor changes to library paths and critical files.
  • SELinux/AppArmor: Define policies to restrict library loading.
  • ldconfig and chattr: Secure LD configuration files and prevent unauthorized modifications.

Cross-Platform Solutions:

  • Wazuh or OSSEC: File integrity monitoring for library changes.
  • Tripwire: Detect and alert on unauthorized library modifications.

ID: M1044
Version: 1.1
Created: 11 June 2019
Last Modified: 18 December 2024

Techniques Addressed by Mitigation

Domain | ID | Name | Use

Enterprise | T1547.008 | Boot or Logon Autostart Execution: LSASS Driver

Ensure Safe DLL Search Mode is enabled (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode) to mitigate the risk that lsass.exe loads a malicious code library. [1]

Enterprise | T1574 | Hijack Execution Flow

Disallow loading of remote DLLs. This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+.

Enable Safe DLL Search Mode to force the search for system DLLs in directories with greater restrictions (e.g. %SYSTEMROOT%) to be used before local directory DLLs (e.g. a user's home directory).

Safe DLL Search Mode can be enabled via Group Policy at Computer Configuration > [Policies] > Administrative Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode. The associated Windows Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDLLSearchMode. [2][3]

Enterprise | T1574.001 | DLL

Disallow loading of remote DLLs. This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+. [2]

Enable Safe DLL Search Mode to move the user's current folder later in the search order. This is included by default in modern versions of Windows; the associated Windows Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDLLSearchMode. [3]

References