PromptRiskDB: Threat intelligence atlas
ATT&CK AI Context

M1044 - Restrict Library Loading

Record summary

A quick snapshot of what this page covers.

  • Records: 1 (records included in this view).
  • Source: Public (built from public source data).
  • Mode: Static (prepared as a ready-to-read page).

ATT&CK object

The broader cybersecurity technique connected to these AI records.

Restricting library loading involves implementing security controls to ensure that only trusted and verified libraries (DLLs, shared objects, etc.) are loaded into processes. Adversaries often abuse Dynamic-Link Library (DLL) Injection, DLL Search Order Hijacking, or LD_PRELOAD mechanisms to execute malicious code by forcing the operating system to load untrusted libraries. This mitigation can be implemented through the following measures:

Enforce Safe Library Loading Practices:

  • Enable SafeDLLSearchMode on Windows.
  • Restrict LD_PRELOAD and LD_LIBRARY_PATH usage on Linux systems.
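
The Linux half of this measure can be checked mechanically. The script below is an added example (it is not part of the ATT&CK record): it parses a constructed /etc/ld.so.preload and a constructed process environment and reports every LD_PRELOAD and LD_LIBRARY_PATH entry that points outside an assumed baseline of package-manager library directories, into a user-writable location, or is a bare name resolved through the loader search order. TRUSTED_LIB_DIRS, USER_WRITABLE_PREFIXES, SAMPLE_PRELOAD and SAMPLE_ENV are assumptions for the illustration.

```python
"""Audit Linux dynamic-loader configuration for untrusted preload and search-path entries.

Added example, not part of the ATT&CK record. TRUSTED_LIB_DIRS and
USER_WRITABLE_PREFIXES are an assumed baseline; SAMPLE_PRELOAD and SAMPLE_ENV are
constructed input standing in for /etc/ld.so.preload and a process environment.
"""
import posixpath
from typing import Dict, List

# Directories where a distribution's package manager installs shared objects (assumed baseline).
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

# Locations an unprivileged user can normally write to; a library preloaded from
# here is the LD_PRELOAD abuse pattern this mitigation targets.
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


def classify_library_path(path: str) -> List[str]:
    """Return the reasons a library or directory path is untrusted; an empty list means it passes."""
    if not path.startswith("/"):
        # A bare name is resolved through the loader's search order, so whichever
        # directory comes first in that order decides what actually gets loaded.
        return ["relative path, resolved through the loader search order"]
    norm = posixpath.normpath(path)
    reasons: List[str] = []
    if norm.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("located in a user-writable directory")
    if not any(norm == d or norm.startswith(d + "/") for d in TRUSTED_LIB_DIRS):
        reasons.append("outside trusted library directories")
    return reasons


def parse_ld_so_preload(content: str) -> List[str]:
    """/etc/ld.so.preload lists library paths separated by whitespace; '#' starts a comment."""
    libs: List[str] = []
    for line in content.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs


def audit_preload(content: str) -> Dict[str, List[str]]:
    """Map every ld.so.preload entry to its findings. On a hardened host the file is absent or empty."""
    return {lib: classify_library_path(lib) for lib in parse_ld_so_preload(content)}


def audit_environment(env: Dict[str, str]) -> Dict[str, List[str]]:
    """Check LD_PRELOAD (libraries, space- or colon-separated) and LD_LIBRARY_PATH (directories)."""
    findings: Dict[str, List[str]] = {}
    for lib in env.get("LD_PRELOAD", "").replace(":", " ").split():
        findings["LD_PRELOAD=" + lib] = classify_library_path(lib)
    lib_path = env.get("LD_LIBRARY_PATH")
    if lib_path is not None:
        for directory in lib_path.split(":"):
            if directory == "":
                findings["LD_LIBRARY_PATH=<empty>"] = ["empty search element (doubled or trailing colon)"]
            else:
                findings["LD_LIBRARY_PATH=" + directory] = classify_library_path(directory)
    return findings


def flagged(findings: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Keep only the entries that have at least one finding."""
    return {entry: reasons for entry, reasons in findings.items() if reasons}


# Constructed sample input (not taken from any real host).
SAMPLE_PRELOAD = """# constructed /etc/ld.so.preload
/usr/lib/x86_64-linux-gnu/libexample.so.1
/tmp/.cache/libhook.so
libhook.so
"""
SAMPLE_ENV = {"LD_PRELOAD": "/dev/shm/libhook.so",
              "LD_LIBRARY_PATH": "/opt/app/lib:/home/alice/.lib:"}

if __name__ == "__main__":
    combined = {**audit_preload(SAMPLE_PRELOAD), **audit_environment(SAMPLE_ENV)}
    for entry, reasons in flagged(combined).items():
        print(f"{entry}: {'; '.join(reasons)}")
```

On a real host the inputs are the contents of /etc/ld.so.preload and the environment of a running process (/proc/PID/environ); the check is cheap enough to run from a file-integrity agent each time auditd reports a write to /etc/ld.so.preload or /etc/ld.so.conf.d.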

Code Signing Enforcement:

  • Require digital signatures for all libraries loaded into processes.
  • Use tools such as Signtool and WDAC to enforce signed DLL execution.

Environment Hardening:

  • Secure library paths and directories to prevent adversaries from placing rogue libraries.
  • Monitor user-writable directories and system configurations for unauthorized changes.

Audit and Monitor Library Loading:

  • Enable Sysmon on Windows to monitor for suspicious library loads.
  • Use auditd on Linux to monitor shared library paths and configuration file changes.

Use Application Control Solutions:

  • Implement AppLocker, WDAC, or SELinux to allow only trusted libraries.

*Tools for Implementation*

Windows-Specific Tools:

  • AppLocker: Application whitelisting for DLLs.
  • Windows Defender Application Control (WDAC): Restrict unauthorized library execution.
  • Signtool: Verify and enforce code signing.
  • Sysmon: Monitor DLL load events (Event ID 7).

Linux-Specific Tools:

  • auditd: Monitor changes to library paths and critical files.
  • SELinux/AppArmor: Define policies to restrict library loading.
  • ldconfig and chattr: Secure LD configuration files and prevent unauthorized modifications.

Cross-Platform Solutions:

  • Wazuh or OSSEC: File integrity monitoring for library changes.
  • Tripwire: Detect and alert on unauthorized library modifications.
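
The "Audit and Monitor Library Loading" measure above and the Sysmon entry in the Windows tools list both rely on Event ID 7 (ImageLoad). The script below is an added example, not code from the ATT&CK record or from the Sysmon project: it triages constructed Event ID 7 records using Sysmon's field names (Image, ImageLoaded, Signed, SignatureStatus, Signature) and flags loads that are unsigned or carry a non-valid signature, come from user-writable directories, or carry a system DLL's basename while being loaded from a non-system path. SYSTEM_DIRS, USER_WRITABLE_MARKERS, KNOWN_SYSTEM_DLLS and SAMPLE_EVENTS are assumed baselines and constructed input.

```python
"""Triage Sysmon Event ID 7 (ImageLoad) records for untrusted library loads.

Added example, not code from the ATT&CK record or the Sysmon project. Field names
(Image, ImageLoaded, Signed, SignatureStatus, Signature) follow Sysmon's event schema;
SYSTEM_DIRS, KNOWN_SYSTEM_DLLS and SAMPLE_EVENTS are an assumed baseline and constructed input.
"""
import ntpath
from typing import Dict, List, Tuple

# Directories from which Windows itself supplies system libraries (assumed baseline, lower-cased).
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

# Path components that mark locations a standard user can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# Abbreviated, constructed list of DLL basenames that ship in System32; one of these loaded
# from anywhere else is the search-order-hijack pattern this mitigation addresses.
KNOWN_SYSTEM_DLLS = {"kernel32.dll", "advapi32.dll", "version.dll", "dbghelp.dll", "wininet.dll"}


def triage_image_load(event: Dict[str, str]) -> List[str]:
    """Return findings for one Event ID 7 record; an empty list means the load looks benign."""
    reasons: List[str] = []
    loaded = event.get("ImageLoaded", "").lower()

    # Sysmon reports Signed as "true"/"false" and SignatureStatus as e.g. "Valid" or "Unavailable".
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned library")
    elif event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature present but status is " + event.get("SignatureStatus", "unknown"))

    if any(marker in loaded for marker in USER_WRITABLE_MARKERS):
        reasons.append("loaded from a user-writable directory")

    if ntpath.basename(loaded) in KNOWN_SYSTEM_DLLS and ntpath.dirname(loaded) not in SYSTEM_DIRS:
        reasons.append("system DLL name loaded from a non-system path")
    return reasons


def triage_events(events: List[Dict[str, str]]) -> Dict[Tuple[str, str], List[str]]:
    """Map (process image, loaded library) to findings, keeping only the flagged loads."""
    results: Dict[Tuple[str, str], List[str]] = {}
    for event in events:
        reasons = triage_image_load(event)
        if reasons:
            results[(event["Image"], event["ImageLoaded"])] = reasons
    return results


# Constructed Event ID 7 records (not captured from a real host).
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Example Corp"},
]

if __name__ == "__main__":
    for (image, library), reasons in triage_events(SAMPLE_EVENTS).items():
        print(f"{image} loaded {library}: {'; '.join(reasons)}")
```

Sysmon only emits Event ID 7 when image-load logging is enabled in its configuration (it is off by default), and the volume is high, so in practice the rules above are scoped to the processes or directories of interest before being fed into a SIEM.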

ATT&CK ID: M1044
STIX ID: course-of-action--e8242a33-481c-4891-af63-4cf3e4cf6aff
Name: Restrict Library Loading
Connected AI records: 1