Shared Modules

Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API, which is called by Win32 API functions such as CreateProcess and LoadLibrary.[1]

The module loader can load DLLs:

  • via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;

  • via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);

  • via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;

  • via <file name="filename.extension" loadFrom="fully-qualified or relative pathname"> in an embedded or external "application manifest". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.

Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute shared modules to load additional components or features.

ID: T1129
Sub-techniques: No sub-techniques
Tactic: Execution
Platforms: Windows
Contributors: Stefan Kanthak
Version: 2.1
Created: 31 May 2017
Last Modified: 19 April 2022

Procedure Examples

ID Name Description
S0373 Astaroth

Astaroth uses the LoadLibraryExW() function to load additional modules.[2]

S0438 Attor

Attor's dispatcher can execute additional plugins by loading the respective DLLs.[3]

S0520 BLINDINGCAN

BLINDINGCAN has loaded and executed DLLs in memory during runtime on a victim machine.[4]

S0415 BOOSTWRITE

BOOSTWRITE has used the DWriteCreateFactory() function to load additional modules.[5]

S0673 DarkWatchman

DarkWatchman can load DLLs.[6]

S0567 Dtrack

Dtrack contains a function that calls LoadLibrary and GetProcAddress.[7]

S0661 FoggyWeb

FoggyWeb's loader can call the load() function to load the FoggyWeb dll into an Application Domain on a compromised AD FS server.[8]

S0032 gh0st RAT

gh0st RAT can load DLLs into memory.[9]

S0203 Hydraq

Hydraq creates a backdoor through which remote attackers can load and call DLL functions.[10][11]

S0607 KillDisk

KillDisk loads and executes functions from a DLL.[12]

S0455 Metamorfo

Metamorfo has used AutoIt to load and execute the DLL payload.[13]

S0501 PipeMon

PipeMon has used a call to LoadLibrary to load its installer. PipeMon loads its modules using reflective loading or custom shellcode.[14]

S0196 PUNCHBUGGY

PUNCHBUGGY can load a DLL using the LoadLibrary API.[15]

S0603 Stuxnet

Stuxnet calls LoadLibrary then executes exports from a DLL.[16]

S0467 TajMahal

TajMahal has the ability to inject the LoadLibrary call template DLL into running processes.[17]

Mitigations

ID Mitigation Description
M1038 Execution Prevention

Identify and block potentially malicious software executed through this technique by using application control tools capable of preventing unknown DLLs from being loaded.

Detection

ID Data Source Data Component
DS0011 Module Module Load
DS0009 Process OS API Execution

Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows module load functions is common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs, so deviation from known module loads may be suspicious. Limiting DLL module loads to the %SystemRoot% and %ProgramFiles% directories will protect against module loads from unsafe paths.

Correlation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior.
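As an added example (not part of the ATT&CK page), the following Python triage routine applies the detection guidance above to constructed Sysmon Event ID 7 (Image loaded) records: it flags modules loaded from UNC paths or from outside %SystemRoot% and %ProgramFiles%, unsigned images, and loads that deviate from a per-process baseline learned during a known-clean period. The field names follow Sysmon's Image/ImageLoaded/Signed; the sample records and the default directory expansions are assumptions.

```python
import os
from typing import Dict, List, Optional, Set

# Safe locations named in the detection guidance. %SystemRoot% and %ProgramFiles%
# are resolved from the environment when available; the fallbacks are the usual
# defaults (an assumption, adjust for non-standard installs).
TRUSTED_ROOTS = tuple(
    os.environ.get(var, default).lower().rstrip("\\") + "\\"
    for var, default in (
        ("SystemRoot", "C:\\Windows"),
        ("ProgramFiles", "C:\\Program Files"),
        ("ProgramFiles(x86)", "C:\\Program Files (x86)"),
    )
)

# Constructed Sysmon Event ID 7 (Image loaded) records, reduced to the fields used here.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\Downloads\invoice.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\stage2.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"\\fileshare01\public\helper.dll", "Signed": "false"},
]

def build_baseline(events) -> Dict[str, Set[str]]:
    """Learn which modules each process image normally loads (from a known-clean period)."""
    baseline: Dict[str, Set[str]] = {}
    for e in events:
        baseline.setdefault(e["Image"].lower(), set()).add(e["ImageLoaded"].lower())
    return baseline

def classify_load(event: Dict[str, str], baseline: Optional[Dict[str, Set[str]]] = None) -> List[str]:
    """Return the reasons a module load deviates from policy; an empty list means it passed."""
    reasons: List[str] = []
    loaded = event["ImageLoaded"].lower()
    if loaded.startswith("\\\\"):              # UNC path: module pulled over the network
        reasons.append("unc-path")
    elif not loaded.startswith(TRUSTED_ROOTS):  # local path outside %SystemRoot%/%ProgramFiles%
        reasons.append("outside-trusted-roots")
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned")
    if baseline is not None and loaded not in baseline.get(event["Image"].lower(), set()):
        reasons.append("not-in-baseline")
    return reasons

def triage(events, baseline=None) -> Dict[str, List[str]]:
    """Map each flagged module path to its findings; loads with no findings are dropped."""
    return {e["ImageLoaded"]: r for e in events if (r := classify_load(e, baseline))}

if __name__ == "__main__":
    clean = build_baseline(SAMPLE_EVENTS[:2])   # first two records stand in for the clean period
    for path, reasons in triage(SAMPLE_EVENTS, clean).items():
        print(path, "->", ", ".join(reasons))
```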

References