MITRE ATT&CK Technique
Persistence T1574.002
Description

Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).

Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process. (Citation: FireEye DLL Side-Loading)

Supported Platforms
Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2020-03-13T19:41:37.908Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may execute their own malicious payloads by '
                'side-loading DLLs. Similar to '
                '[DLL](https://attack.mitre.org/techniques/T1574/001), '
                'side-loading involves hijacking which DLL a program loads. '
                'But rather than just planting the DLL within the search order '
                'of a program then waiting for the victim application to be '
                'invoked, adversaries may directly side-load their payloads by '
                'planting then invoking a legitimate application that executes '
                'their payload(s).\n'
                '\n'
                'Side-loading takes advantage of the DLL search order used by '
                'the loader by positioning both the victim application and '
                'malicious payload(s) alongside each other. Adversaries likely '
                'use side-loading as a means of masking actions they perform '
                'under a legitimate, trusted, and potentially elevated system '
                'or software process. Benign executables used to side-load '
                'payloads may not be flagged during delivery and/or execution. '
                'Adversary payloads may also be encrypted/packed or otherwise '
                'obfuscated until loaded into the memory of the trusted '
                'process.(Citation: FireEye DLL Side-Loading)',
 'external_references': [{'external_id': 'T1574.002',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1574/002'},
                         {'description': 'Amanda Steward. (2014). FireEye DLL '
                                         'Side-Loading: A Thorn in the Side of '
                                         'the Anti-Virus Industry. Retrieved '
                                         'March 13, 2020.',
                          'source_name': 'FireEye DLL Side-Loading',
                          'url': 'https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf'}],
 'id': 'attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'privilege-escalation'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:49:32.628Z',
 'name': 'DLL Side-Loading',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '2.1'}