Security researchers have detailed a new variant of a dynamic link library (DLL) search sequence hijacking technique that threat actors can use to bypass security and execute malicious code on systems running Microsoft Windows 10 and Windows 11.
In a new report shared exclusively with The Hacker News, cybersecurity firm Security Joes said the method “exploits common executable files in the trusted WinSxS folder and exploits them through classic DLL search sequence hijacking techniques.”
In doing so, the technique lets attackers eliminate the need for elevated privileges when attempting to run malicious code on an infected computer, and introduces potentially vulnerable binaries into the attack chain, as has been observed in the past.
As the name suggests, DLL search order hijacking involves manipulating the search order used to load a DLL in order to execute a malicious payload for the purposes of defense evasion, persistence, and privilege escalation.
Specifically, attacks that exploit this technique single out applications that do not specify the full path to a required library, instead relying on a predefined search sequence to find the necessary DLL on disk.
Threat actors exploit this behavior by moving legitimate system binaries into non-standard directories that contain a malicious DLL named after a legitimate one, so that the library carrying the attack code is loaded in place of the real one.
This works because the process that calls the DLL first searches the directory from which it executes and then walks through the other locations in a fixed order to find and load the resource in question. In other words, the search sequence is as follows:
- The directory from which the application is launched
- The “C:\Windows\System32” folder
- The “C:\Windows\System” folder
- The “C:\Windows” folder
- The current working directory
- Directories listed in the system PATH environment variable
- Directories listed in the user’s PATH environment variable
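To make the consequence of this sequence concrete, here is a small Python model of the search order listed above. It is an added example, not code from the Security Joes report or from The Hacker News; the WinSxS component subfolder, the current-directory path and the dependency name `sample_dependency.dll` are constructed placeholders. The model shows why a DLL that already exists in System32 is not affected by what sits in the current directory, while a dependency that is missing from the application directory and the system directories is resolved from the current directory.

```python
from typing import Dict, Optional, Sequence, Set

# The search sequence listed in the article (SafeDllSearchMode order).
SYSTEM_DIRS = ["C:\\Windows\\System32", "C:\\Windows\\System", "C:\\Windows"]


def search_order(app_dir: str, cwd: str,
                 system_path: Sequence[str] = (),
                 user_path: Sequence[str] = ()) -> list:
    """Directories in the order the loader consults them, per the article."""
    return [app_dir, *SYSTEM_DIRS, cwd, *system_path, *user_path]


def resolve_dll(dll_name: str, app_dir: str, cwd: str,
                filesystem: Dict[str, Set[str]],
                system_path: Sequence[str] = (),
                user_path: Sequence[str] = ()) -> Optional[str]:
    """Return the full path of the first copy of dll_name found along the
    search order, or None.  `filesystem` is a constructed, case-insensitive
    map of directory -> set of file names standing in for the real disk."""
    lowered = {d.lower(): {f.lower() for f in files} for d, files in filesystem.items()}
    for directory in search_order(app_dir, cwd, system_path, user_path):
        if dll_name.lower() in lowered.get(directory.lower(), set()):
            return directory + "\\" + dll_name
    return None


def loaded_from_cwd(dll_name: str, app_dir: str, cwd: str,
                    filesystem: Dict[str, Set[str]]) -> bool:
    """True when the copy the loader would pick is the one in the current
    directory, i.e. the dependency is absent from every earlier location."""
    resolved = resolve_dll(dll_name, app_dir, cwd, filesystem)
    return resolved is not None and resolved.lower().startswith(cwd.lower() + "\\")


# Constructed layout.  The WinSxS component subfolder name is a placeholder;
# ngentask.exe is one of the binaries named in the report.
APP_DIR = "C:\\Windows\\WinSxS\\placeholder_component_dir"
CWD = "C:\\Users\\demo\\staging"  # constructed current directory outside C:\Windows
FILESYSTEM: Dict[str, Set[str]] = {
    APP_DIR: {"ngentask.exe"},
    "C:\\Windows\\System32": {"kernel32.dll"},
    # A copy of a well-known DLL plus a hypothetical dependency name.
    CWD: {"kernel32.dll", "sample_dependency.dll"},
}

if __name__ == "__main__":
    for name in ("kernel32.dll", "sample_dependency.dll", "absent.dll"):
        print(name, "->", resolve_dll(name, APP_DIR, CWD, FILESYSTEM),
              "| from cwd:", loaded_from_cwd(name, APP_DIR, CWD, FILESYSTEM))
```

The model deliberately leaves out parts of the real loader (the KnownDLLs list, application manifests and redirection), so it is an aid for reasoning about the order the article lists, not a substitute for testing on a real system. The practical takeaway for defenders is that the exposure comes from dependencies that are not present in the application or system directories, which is what makes a binary "vulnerable" in the sense the report uses.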
The novel technique devised by Security Joes targets files located in the trusted “C:\Windows\WinSxS” folder. WinSxS, short for Windows Side-by-Side, is a critical Windows component used for the customization and updating of the operating system to ensure compatibility and integrity.
“This approach represents a novel application in network security: Traditionally, attackers have relied heavily on well-known techniques such as DLL search order hijacking, a method of manipulating how Windows applications load external libraries and executables,” Ido Naor, co-founder and CEO of Security Joes, said in a statement shared with The Hacker News.
“Our findings deviate from this path and reveal a subtler, more covert method of exploitation.”
In a nutshell, the idea is to find vulnerable binaries (for example, ngentask.exe and aspnet_wp.exe) in the WinSxS folder and combine them with regular DLL search order hijacking methods: a custom DLL carrying the same name as the legitimate DLL the binary expects is placed in a directory controlled by the actor, so that the binary loads it and code execution follows.
Therefore, simply executing the vulnerable file in the WinSxS folder, with the custom folder containing the malicious DLL set as the current directory, is enough to trigger execution of the DLL's contents, without having to copy the executable out of the WinSxS folder into that directory.
Security Joes warns that there may be other binary files in the WinSxS folder that are susceptible to this type of DLL search order hijacking, so organizations need to take adequate precautions to mitigate the exploit method in their environment.
“Examine parent-child relationships between processes, paying special attention to trusted binaries,” the company said. “Closely monitor all activity performed by binaries residing in the WinSxS folder, focusing on network communications and file operations.”
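The two recommendations above translate directly into detection logic. The following Python script is an added example (not from Security Joes or The Hacker News) that applies three rules to constructed, Sysmon-style process-creation (event 1) and image-load (event 7) records: a WinSxS binary started with a current directory outside C:\Windows, a WinSxS binary spawned by a parent outside C:\Windows, and a WinSxS binary loading a DLL from outside C:\Windows. The pipe-separated key=value format, the WinSxS component subfolder, the user paths and the DLL name are all constructed; real Sysmon output would need a different parser but the same rules.

```python
from typing import Dict, List, Tuple

WINDOWS_DIR = "c:\\windows\\"
WINSXS_DIR = "c:\\windows\\winsxs\\"

# Rule identifiers returned in findings.
RULE_CWD_OUTSIDE_WINDOWS = "winsxs_binary_cwd_outside_windows"
RULE_PARENT_OUTSIDE_WINDOWS = "winsxs_binary_parent_outside_windows"
RULE_DLL_OUTSIDE_WINDOWS = "winsxs_binary_loaded_dll_outside_windows"

Finding = Tuple[str, str, str]  # (rule, image, offending path)


def _under(path: str, prefix: str) -> bool:
    """Case-insensitive 'path lives below prefix' check for Windows paths."""
    return path.lower().startswith(prefix)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=Value|Key=Value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def analyze(lines: List[str]) -> List[Finding]:
    """Apply the three WinSxS rules to a list of records and return findings."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("Image", "")
        if not _under(image, WINSXS_DIR):
            continue  # only binaries that reside in WinSxS are in scope
        if ev.get("EventID") == "1":  # process creation
            cwd = ev.get("CurrentDirectory", "")
            parent = ev.get("ParentImage", "")
            if not _under(cwd, WINDOWS_DIR):
                findings.append((RULE_CWD_OUTSIDE_WINDOWS, image, cwd))
            if not _under(parent, WINDOWS_DIR):
                findings.append((RULE_PARENT_OUTSIDE_WINDOWS, image, parent))
        elif ev.get("EventID") == "7":  # image (DLL) load
            loaded = ev.get("ImageLoaded", "")
            if not _under(loaded, WINDOWS_DIR):
                findings.append((RULE_DLL_OUTSIDE_WINDOWS, image, loaded))
    return findings


# Constructed sample records.  "placeholder_component_dir" stands in for a real
# WinSxS component folder; ngentask.exe is one of the binaries named in the report.
WINSXS_EXE = "C:\\Windows\\WinSxS\\placeholder_component_dir\\ngentask.exe"
SAMPLE_EVENTS = [
    # Ordinary system activity: not in scope.
    "EventID=1|Image=C:\\Windows\\System32\\svchost.exe"
    "|CurrentDirectory=C:\\Windows\\System32\\|ParentImage=C:\\Windows\\System32\\services.exe",
    # WinSxS binary launched from a user-writable current directory by a user-profile parent.
    "EventID=1|Image=" + WINSXS_EXE +
    "|CurrentDirectory=C:\\Users\\demo\\staging\\|ParentImage=C:\\Users\\demo\\launcher.exe",
    # The same binary loading a DLL from that directory.
    "EventID=7|Image=" + WINSXS_EXE + "|ImageLoaded=C:\\Users\\demo\\staging\\sample_dependency.dll",
    # The same binary loading a DLL from System32: expected, no finding.
    "EventID=7|Image=" + WINSXS_EXE + "|ImageLoaded=C:\\Windows\\System32\\kernel32.dll",
    # A WinSxS binary started normally by a Windows parent: no finding.
    "EventID=1|Image=" + WINSXS_EXE +
    "|CurrentDirectory=C:\\Windows\\System32\\|ParentImage=C:\\Windows\\System32\\services.exe",
]

if __name__ == "__main__":
    for rule, image, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {image} ({detail})")
```

In production these rules belong in the SIEM or EDR query language rather than a script, and the "outside C:\Windows" test should be tightened to an allowlist of the directories WinSxS binaries are actually launched from in a given environment, since an update or servicing task may legitimately run them; the point of the example is that the current directory, the parent process and the load path of each DLL are the three fields the report's guidance asks you to watch.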