MITRE ATT&CK Technique
Defense Evasion T1073
Description

Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests (Citation: MSDN Manifests) are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL. (Citation: Stewart 2014) Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.

Supported Platforms
Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2017-05-31T21:30:58.007Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Programs may specify DLLs that are loaded at runtime. '
                'Programs that improperly or vaguely specify a required DLL '
                'may be open to a vulnerability in which an unintended DLL is '
                'loaded. Side-loading vulnerabilities specifically occur when '
                'Windows Side-by-Side (WinSxS) manifests (Citation: MSDN '
                'Manifests) are not explicit enough about characteristics of '
                'the DLL to be loaded. Adversaries may take advantage of a '
                'legitimate program that is vulnerable to side-loading to load '
                'a malicious DLL. (Citation: Stewart 2014)\n'
                '\n'
                'Adversaries likely use this technique as a means of masking '
                'actions they perform under a legitimate, trusted system or '
                'software process.',
 'external_references': [{'external_id': 'T1073',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1073'},
                         {'external_id': 'CAPEC-641',
                          'source_name': 'capec',
                          'url': 'https://capec.mitre.org/data/definitions/641.html'},
                         {'description': 'Microsoft. (n.d.). Manifests. '
                                         'Retrieved June 3, 2016.',
                          'source_name': 'MSDN Manifests',
                          'url': 'https://msdn.microsoft.com/en-us/library/aa375365'},
                         {'description': 'Stewart, A. (2014). DLL '
                                         'SIDE-LOADING: A Thorn in the Side of '
                                         'the Anti-Virus Industry. Retrieved '
                                         'November 12, 2014.',
                          'source_name': 'Stewart 2014',
                          'url': 'https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf'}],
 'id': 'attack-pattern--b2001907-166b-4d71-bb3c-9d26c871de09',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:49:14.455Z',
 'name': 'DLL Side-Loading',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '1.1'}
Quick Actions
Edit TTP Update from Web
Back to TTPs
Dashboard About