Restrict Library Loading - M1044 (e8242a33-481c-4891-af63-4cf3e4cf6aff)
Restricting library loading involves implementing security controls to ensure that only trusted and verified libraries (DLLs, shared objects, etc.) are loaded into processes. Adversaries often abuse Dynamic-Link Library (DLL) Injection, DLL Search Order Hijacking, or LD_PRELOAD mechanisms to execute malicious code by forcing the operating system to load untrusted libraries. This mitigation can be implemented through the following measures:
Enforce Safe Library Loading Practices:
- Enable `SafeDllSearchMode` on Windows.
- Restrict `LD_PRELOAD` and `LD_LIBRARY_PATH` usage on Linux systems.
Code Signing Enforcement:
- Require digital signatures for all libraries loaded into processes.
- Use tools such as Signtool and WDAC to enforce signed DLL execution.
Environment Hardening:
- Secure library paths and directories to prevent adversaries from placing rogue libraries.
- Monitor user-writable directories and system configurations for unauthorized changes.
Audit and Monitor Library Loading:
- Enable `Sysmon` on Windows to monitor for suspicious library loads.
- Use `auditd` on Linux to monitor shared library paths and configuration file changes.
Use Application Control Solutions:
- Implement AppLocker, WDAC, or SELinux to allow only trusted libraries.
Tools for Implementation
Windows-Specific Tools:
- AppLocker: Application whitelisting for DLLs.
- Windows Defender Application Control (WDAC): Restrict unauthorized library execution.
- Signtool: Verify and enforce code signing.
- Sysmon: Monitor DLL load events (Event ID 7).
Linux-Specific Tools:
- auditd: Monitor changes to library paths and critical files.
- SELinux/AppArmor: Define policies to restrict library loading.
- ldconfig and chattr: Secure LD configuration files and prevent unauthorized modifications.
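As an added example (not part of the ATT&CK page), the audit below covers the Linux side of two measures above: restricting `LD_PRELOAD` usage and securing the LD configuration files that `ldconfig` reads. `LD_LIBRARY_PATH` is a per-process environment variable and leaves no file to audit, so the check targets the persistent preload file `/etc/ld.so.preload` and the search directories declared under `/etc/ld.so.conf.d`. It reports any preload entry at all (most hosts need none) and any declared search directory that is group- or world-writable, since a writable search directory lets an unprivileged user plant a library that every process will load. The filesystem tree it runs against is constructed in a temporary directory; the `libhook.so` entry and the directory names are made up for the example.

```python
"""Audit dynamic-loader configuration for LD_PRELOAD-style abuse.

Findings are (kind, value) pairs:
  ("preload", path)      an entry in etc/ld.so.preload
  ("writable-dir", dir)  a declared search directory writable by group/other
  ("missing-dir", dir)   a declared search directory that does not exist
"""
import os
import stat
import tempfile


def read_entries(path):
    """Return non-empty, non-comment lines of a loader config file."""
    if not os.path.isfile(path):
        return []
    with open(path) as fh:
        return [ln.strip() for ln in fh
                if ln.strip() and not ln.lstrip().startswith("#")]


def search_dirs(root):
    """Collect directories from etc/ld.so.conf and etc/ld.so.conf.d/*.conf.

    Assumption: the only 'include' directive in use is the conventional
    ld.so.conf.d/*.conf glob, so include lines are skipped and the .conf
    files in that directory are read directly.
    """
    dirs = [e for e in read_entries(os.path.join(root, "etc/ld.so.conf"))
            if not e.startswith("include")]
    confd = os.path.join(root, "etc/ld.so.conf.d")
    if os.path.isdir(confd):
        for name in sorted(os.listdir(confd)):
            if name.endswith(".conf"):
                dirs.extend(e for e in read_entries(os.path.join(confd, name))
                            if not e.startswith("include"))
    return dirs


def audit_loader_config(root="/"):
    """Return findings for the loader configuration rooted at `root`."""
    findings = []
    for lib in read_entries(os.path.join(root, "etc/ld.so.preload")):
        findings.append(("preload", lib))
    for d in search_dirs(root):
        full = os.path.join(root, d.lstrip("/"))
        if not os.path.isdir(full):
            # A declared but absent directory can be created by whoever
            # can write its parent, so it is worth reporting too.
            findings.append(("missing-dir", d))
            continue
        mode = os.stat(full).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("writable-dir", d))
    return findings


def build_sample_root():
    """Construct a throwaway tree that mimics a misconfigured host."""
    root = tempfile.mkdtemp(prefix="ldaudit-")
    os.makedirs(os.path.join(root, "etc/ld.so.conf.d"))
    with open(os.path.join(root, "etc/ld.so.conf"), "w") as fh:
        fh.write("include /etc/ld.so.conf.d/*.conf\n")
    with open(os.path.join(root, "etc/ld.so.conf.d/local.conf"), "w") as fh:
        fh.write("# constructed sample\n/usr/local/lib\n/opt/shared/lib\n")
    with open(os.path.join(root, "etc/ld.so.preload"), "w") as fh:
        fh.write("/opt/shared/lib/libhook.so\n")  # constructed preload entry
    os.makedirs(os.path.join(root, "usr/local/lib"))
    os.chmod(os.path.join(root, "usr/local/lib"), 0o755)   # sane permissions
    os.makedirs(os.path.join(root, "opt/shared/lib"))
    os.chmod(os.path.join(root, "opt/shared/lib"), 0o777)  # world-writable
    return root


if __name__ == "__main__":
    for kind, value in audit_loader_config(build_sample_root()):
        print(f"{kind}: {value}")
```

On a real host run `audit_loader_config("/")`; a production version would also confirm that each directory and config file is owned by root, which is left out here because the temporary tree is owned by whoever runs the example. The `chattr` item in the list above addresses the complementary step: once the files are clean, making `/etc/ld.so.preload` and the `ld.so.conf.d` entries immutable blocks silent edits until an administrator deliberately clears the flag.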
Cross-Platform Solutions:
- Wazuh or OSSEC: File integrity monitoring for library changes.
- Tripwire: Detect and alert on unauthorized library modifications.