{
	"id": "dd547101-6711-4171-80a1-82d3c7b4f4a5",
	"created_at": "2026-04-06T00:10:23.208168Z",
	"updated_at": "2026-04-10T03:20:56.522787Z",
	"deleted_at": null,
	"sha1_hash": "bd274ed974a80e8cca08f53422bec8f4fa5b6e01",
	"title": "CAPEC-471: Search Order Hijacking (Version 3.9)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75642,
	"plain_text": "CAPEC-471: Search Order Hijacking (Version 3.9)\r\nArchived: 2026-04-05 21:22:58 UTC\r\nCommon Attack Pattern Enumeration and Classification\r\nA Community Resource for Identifying and Understanding Attacks\r\nHome\r\nSearch\r\nAttack Pattern ID: 471\r\nAbstraction: Detailed\r\n Description\r\nAn adversary exploits a weakness in an application's specification of external libraries to exploit the functionality of the loader where the process loa\r\ndifferent libraries and with many different loading processes. No forensic trails are left in the system's registry or file system that an incorrect library\r\n Typical Severity\r\nMedium\r\n Relationships\r\nThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildO\r\nNature Type\r\nChildOf Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an atta\r\nThis table shows the views that this attack pattern belongs to and top level categories within that view.\r\nView Name\r\nDomains of Attack\r\nMechanisms of Attack\r\n Execution Flow\r\nExplore\r\n1. Identify target general susceptibility: An attacker uses an automated tool or manually finds whether the target application uses dynamically\r\nTechniques\r\nThe attacker uses a tool such as the OSX \"otool\" utility or manually probes whether the target application uses dynamically linked libraries\r\nThe attacker finds the configuration files containing the entries to the dynamically linked libraries and modifies the entries to point to the m\r\nExperiment\r\nhttps://capec.mitre.org/data/definitions/471.html\r\nPage 1 of 3\n\n1. 
Craft malicious libraries: The attacker uses knowledge gained in the Explore phase to craft malicious libraries that they will redirect the targ\r\nTechniques\r\nThe attacker monitors the file operations performed by the target application using a tool like dtrace or FileMon. And the attacker can delay\r\nExploit\r\n1. Redirect the access to libraries to the malicious libraries: The attacker redirects the target to the malicious libraries they crafted in the Exp\r\nTechniques\r\nThe attacker modifies the entries in the configuration files pointing to the malicious libraries they crafted.\r\nThe attacker leverages symlink/timing issues to redirect the target to access the malicious libraries they crafted. See also: CAPEC-132.\r\nThe attacker leverages file search path order issues to redirect the target to access the malicious libraries they crafted. See also: CAPEC-38.\r\n Prerequisites\r\nAttacker has a mechanism to place its malicious libraries in the needed location on the file system.\r\n Skills Required\r\n[Level: Medium]\r\nAbility to create a malicious library.\r\n Mitigations\r\nDesign: Fix the Windows loading process to eliminate the preferential search order by looking for DLLs in the precise location where they are exp\r\nDesign: Sign system DLLs so that unauthorized DLLs can be detected.\r\n Example Instances\r\nFor instance, an attacker with access to the file system may place a malicious ntshrui.dll in the C:\\Windows directory. This DLL normally resides i\r\nloading explorer.exe process, the DLL supplied by the attacker will be found first and thus loaded in lieu of the legitimate DLL. Since explorer.exe\r\nmacOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. 
Adversaries c\r\nthe program is configured to run at a higher privilege level than the current user, then when the dylib is loaded into the application, the dylib will a\r\n Taxonomy Mappings\r\nCAPEC mappings to ATT\u0026CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT\u0026CK mappings. Inherit\r\nRelevant to the ATT\u0026CK taxonomy mapping (also see parent)\r\nEntry ID Entry Name\r\n1574.001 Hijack Execution Flow:DLL search order hijacking\r\n1574.004 Hijack Execution Flow: Dylib Hijacking\r\n1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking\r\n References\r\n[REF-409] \"M Trends Report\". Mandiant. 2011. \u003chttps://www.mandiant.com\u003e.\r\n Content History\r\nSubmissions\r\nSubmission Date Submitter\r\n2014-06-23\r\n(Version 2.6)\r\nCAPEC Content Team\r\nModifications\r\nModification Date Modifier\r\n2015-11-09\r\n(Version 2.7)\r\nCAPEC Content Team\r\nUpdated References\r\n2018-07-31\r\n(Version 2.12)\r\nCAPEC Content Team\r\nUpdated Attack_Phases, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Des\r\n2019-04-04\r\n(Version 3.1)\r\nCAPEC Content Team\r\nUpdated Taxonomy_Mappings\r\n2020-07-30\r\n(Version 3.3)\r\nCAPEC Content Team\r\nUpdated Execution_Flow, Taxonomy_Mappings\r\n2020-12-17\r\n(Version 3.4)\r\nCAPEC Content Team\r\nUpdated Mitigations\r\n2021-06-24\r\n(Version 3.5)\r\nCAPEC Content Team\r\nUpdated Taxonomy_Mappings\r\n2022-09-29\r\n(Version 3.8)\r\nCAPEC Content Team\r\nUpdated Taxonomy_Mappings\r\nPrevious Entry Names\r\nChange Date Previous Entry Name\r\n2018-07-31\r\n(Version 2.12)\r\nDLL Search Order Hijacking\r\nPage Last Updated or Reviewed: July 31, 2018\r\nSource: https://capec.mitre.org/data/definitions/471.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://capec.mitre.org/data/definitions/471.html"
	],
	"report_names": [
		"471.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434223,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd274ed974a80e8cca08f53422bec8f4fa5b6e01.pdf",
		"text": "https://archive.orkl.eu/bd274ed974a80e8cca08f53422bec8f4fa5b6e01.txt",
		"img": "https://archive.orkl.eu/bd274ed974a80e8cca08f53422bec8f4fa5b6e01.jpg"
	}
}