DLL Hijacking
What is DLL Hijacking?
DLL Hijacking: An attack that abuses Windows DLL search order to make a legitimate program load an attacker-controlled library instead of the intended one.
DLL hijacking (MITRE ATT&CK T1574.001) exploits the way Windows resolves dynamic-link libraries: when an application requests a DLL by name without a fully qualified path, the loader searches a predictable list of directories. An attacker who can write a malicious DLL into one of those higher-priority locations (the application directory, a writable PATH entry, or a side-by-side folder) gets their code executed in the context of a trusted, often signed process. The technique provides both execution and persistence, and bypasses many application-allowlist controls. Defenses include using fully qualified paths, enabling SafeDllSearchMode, applying WDAC/AppLocker rules, monitoring image loads with Sysmon event 7, and patching vulnerable installers.
● Examples
- 01
Dropping a malicious version.dll next to a signed installer that loads it from its own folder.
- 02
Planting a DLL in a writable PATH directory to be loaded by a system service.
● Frequently asked questions
What is DLL Hijacking?
An attack that abuses Windows DLL search order to make a legitimate program load an attacker-controlled library instead of the intended one. It belongs to the Attacks & Threats category of cybersecurity.
What does DLL Hijacking mean?
An attack that abuses Windows DLL search order to make a legitimate program load an attacker-controlled library instead of the intended one.
How does DLL Hijacking work?
DLL hijacking (MITRE ATT&CK T1574.001) exploits the way Windows resolves dynamic-link libraries: when an application requests a DLL by name without a fully qualified path, the loader searches a predictable list of directories. An attacker who can write a malicious DLL into one of those higher-priority locations (the application directory, a writable PATH entry, or a side-by-side folder) gets their code executed in the context of a trusted, often signed process. The technique provides both execution and persistence, and bypasses many application-allowlist controls. Defenses include using fully qualified paths, enabling SafeDllSearchMode, applying WDAC/AppLocker rules, monitoring image loads with Sysmon event 7, and patching vulnerable installers.
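As an added illustration of the "monitoring image loads with Sysmon event 7" defense named in the definition and in the FAQ answer above (example code written for this page, not from the page's author or from Sysmon), here is a small Python detector that flags the two patterns from the Examples list: a system DLL such as version.dll resolved from the application's own folder or another non-system directory, and an unsigned DLL loaded from a user-writable path. The flattened "Key: value|Key: value" event rendering, the starter DLL list and the writable-path prefixes are assumptions, and the sample events are constructed.

```python
import ntpath
from dataclasses import dataclass

# Starter list of DLL names that legitimately live only in the Windows system
# directories (version.dll is the page's own example); extend to fit your estate.
SYSTEM_ONLY_DLLS = {"version.dll", "dbghelp.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Paths a standard user can typically write to (assumed; tune per environment).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")

@dataclass
class ImageLoad:
    image: str             # loading process (Sysmon field "Image")
    image_loaded: str      # DLL path (Sysmon field "ImageLoaded")
    signature_status: str  # Sysmon field "SignatureStatus", e.g. "Valid"

def parse_sysmon7(line: str) -> ImageLoad:
    """Parse a flattened 'Key: value|Key: value' rendering of a Sysmon event 7
    (a constructed format for this example, not Sysmon's native XML)."""
    fields = dict(part.split(": ", 1) for part in line.split("|"))
    return ImageLoad(fields["Image"], fields["ImageLoaded"], fields["SignatureStatus"])

def classify(ev: ImageLoad):
    """Return a finding string for a suspicious image load, or None if benign."""
    head, dll_name = ntpath.split(ev.image_loaded.lower())
    dll_dir = ntpath.join(head, "")               # normalise to a trailing backslash
    exe_dir = ntpath.join(ntpath.dirname(ev.image.lower()), "")
    if dll_name in SYSTEM_ONLY_DLLS and not dll_dir.startswith(SYSTEM_DIRS):
        # Search-order hijack pattern: a system DLL resolved from a higher-priority
        # location (the application's own folder or a writable PATH entry).
        if dll_dir == exe_dir:
            return "system DLL loaded from application directory"
        return "system DLL loaded outside the system directories"
    if ev.signature_status != "Valid" and dll_dir.startswith(USER_WRITABLE_PREFIXES):
        return "unsigned DLL loaded from user-writable path"
    return None

def scan(lines):
    """Return (ImageLoaded, finding) pairs for every suspicious event line."""
    results = [(ev.image_loaded, classify(ev)) for ev in map(parse_sysmon7, lines)]
    return [(path, verdict) for path, verdict in results if verdict]

# Constructed sample events (not real telemetry); backslashes are doubled for Python.
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\svchost.exe|ImageLoaded: C:\\Windows\\System32\\version.dll|SignatureStatus: Valid",
    "Image: C:\\Users\\alice\\Downloads\\setup.exe|ImageLoaded: C:\\Users\\alice\\Downloads\\version.dll|SignatureStatus: Unavailable",
    "Image: C:\\Windows\\System32\\svchost.exe|ImageLoaded: C:\\ProgramData\\Tools\\dbghelp.dll|SignatureStatus: Valid",
    "Image: C:\\Program Files\\App\\app.exe|ImageLoaded: C:\\Program Files\\App\\helper.dll|SignatureStatus: Valid",
    "Image: C:\\Program Files\\App\\app.exe|ImageLoaded: C:\\Users\\Public\\plugin.dll|SignatureStatus: Unavailable",
]
```

Calling `scan(SAMPLE_EVENTS)` reports the second, third and fifth events and leaves the legitimate System32 and application-bundled loads alone; in production the same logic would sit behind a Sysmon XML or SIEM query rather than this flattened text.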
How do you defend against DLL Hijacking?
Defences for DLL Hijacking typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for DLL Hijacking?
Common alternative names include: DLL search-order hijacking, DLL preloading.
● Related terms
- attacks № 200
COM Hijacking
A persistence technique that redirects a Windows Component Object Model CLSID lookup to attacker code, executing it whenever a host process instantiates that object.
- attacks № 054
AppInit_DLLs
Legacy Windows persistence technique that abuses a registry value so a specified DLL is loaded into every user-mode process linking user32.dll.
- attacks № 515
IFEO Injection
A persistence and privilege-escalation technique that abuses the Windows Image File Execution Options registry key to run attacker code whenever a target executable launches.
- attacks № 914
Registry Run Key Persistence
Classic Windows persistence technique that adds an entry under a Run or RunOnce registry key so a binary or script executes every time a user logs on.
- attacks № 862
Process Injection
A family of evasion techniques in which an attacker runs malicious code inside the address space of a legitimate process to inherit its trust and identity.
- attacks № 610
LD_PRELOAD Hijacking
Linux persistence and library-hijacking technique that uses the LD_PRELOAD environment variable or /etc/ld.so.preload to inject attacker code into dynamically linked processes.
● See also
- № 1186 UAC Bypass
- № 639 Mach-O
- № 809 PE Executable Format