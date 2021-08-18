In Microsoft Windows, programs can define which libraries are loaded at runtime by specifying a full path or using another mechanism such as a manifest. A program manifest is an external file or embedded resource within an application used to manage the names and versions of shared side-by-side assemblies to which the application should load upon execution. A program manifest can include DLL redirections, filenames or full paths. If a manifest refers to only a library filename, it is considered a weak reference and is vulnerable to a DLL side-loading attack.

If a weak reference is made to a library, Windows attempts to locate the DLL through a pre-defined search order. The first location that Windows will search is the directory from which the application is loaded.

A DLL side-loading attack is an adversarial technique that aims to take advantage of weak library references and the default Windows search order by placing a malicious DLL file masquerading as a legitimate DLL on a system, which will be automatically loaded by a legitimate program.

For more information regarding DLL side-loading, reference MITRE ATT&CK Technique T1574.002.