Security researchers have published a detailed report on a new variant of the DLL Search Order Hijacking technique, which could be used by cybercriminals to bypass security mechanisms and achieve malicious code execution on systems running Microsoft Windows 10 and Windows 11.
How this variant of DLL Search Order Hijacking works
The approach “exploits executables commonly found in the trusted WinSxS folder and exploits them through the classic DLL Search Order Hijacking technique”, security firm Security Joes said in a new report shared exclusively with The Hacker News.
Doing so allows adversaries to eliminate the need for elevated privileges (i.e. administrator privileges) when trying to execute malicious code on a compromised machine, and to introduce potentially vulnerable binaries into the attack chain, as has already been observed in the past.
DLL Search Order Hijacking, as the name suggests, involves manipulating the search order used to load DLLs in order to execute malicious payloads for defense evasion, persistence and privilege escalation.
Specifically, attacks that exploit the technique look for applications that do not specify the full path to the libraries they need and instead rely on a predefined search order to locate the necessary DLLs on disk.
Cybercriminals take advantage of this behavior by moving legitimate system binaries into non-standard directories that contain malicious DLLs named like the legitimate ones, so that the library containing the attack code is loaded instead of the legitimate one.
This works because the process calling the DLL looks in the directory it is running from before iterating through other locations in a specific order to locate and load the resource in question. Put simply, the search order is as follows:
- The directory from which the application is launched
- Folder “C:\Windows\System32”
- Folder “C:\Windows\System”
- Folder “C:\Windows”
- The current working directory
- The directories listed in the System PATH environment variable
- The directories listed in the user's PATH environment variable
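To make the consequence of that order concrete, here is an added example (not code from the article or from Security Joes) that simulates the lookup for a binary started from a WinSxS component directory while the current working directory is an attacker-chosen folder. All paths, the `x86_placeholder_component` directory and the `helper.dll` name are constructed for the example; the point it shows is that the current directory only wins for a library that is absent from the application directory and the three Windows directories that precede it in the list.

```python
import ntpath

# Added example: simulation of the lookup order listed above, so the effect of
# the current working directory on which copy of a DLL wins can be seen. The
# paths, file names and directory layout below are constructed for the example.
WINDOWS_DIRS = (r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows")

# Placeholder WinSxS component directory (real component names are longer).
APP_DIR = r"C:\Windows\WinSxS\x86_placeholder_component"
STAGING = r"C:\Users\Public\staging"        # attacker-chosen current directory
SYSTEM_PATH = r"C:\Windows\System32;C:\Windows"
USER_PATH = r"C:\Users\Public\bin"

# Constructed stand-in for the disk: the only files that exist for the lookup.
PRESENT = {
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\Public\staging\helper.dll",  # rogue copy; helper.dll is a placeholder name
}


def search_order(app_dir, cwd, system_path, user_path):
    """Directories consulted for a DLL, in the order the article lists them."""
    order = [app_dir, *WINDOWS_DIRS, cwd]
    order += [p for p in system_path.split(";") if p]
    order += [p for p in user_path.split(";") if p]
    return order


def resolve_dll(name, app_dir, cwd, system_path, user_path, present):
    """Return the first path in search order at which `name` exists, else None."""
    on_disk = {ntpath.normcase(p) for p in present}
    for directory in search_order(app_dir, cwd, system_path, user_path):
        candidate = ntpath.join(directory, name)
        if ntpath.normcase(candidate) in on_disk:
            return candidate
    return None


def is_under(path, root):
    """Case-insensitive check that `path` lies inside directory `root`."""
    prefix = ntpath.normcase(root).rstrip("\\") + "\\"
    return ntpath.normcase(path).startswith(prefix)


def is_hijack_risk(resolved):
    """A library resolved from outside the Windows tree is the hijack condition."""
    return resolved is not None and not is_under(resolved, r"C:\Windows")


def demo():
    """Resolve two libraries for a WinSxS binary run with STAGING as the cwd."""
    results = {}
    for dll in ("helper.dll", "kernel32.dll"):
        path = resolve_dll(dll, APP_DIR, STAGING, SYSTEM_PATH, USER_PATH, PRESENT)
        results[dll] = (path, is_hijack_risk(path))
    return results


if __name__ == "__main__":
    for dll, (path, risky) in demo().items():
        print(f"{dll:13} -> {path}  hijack risk: {risky}")
```

Running it shows `helper.dll` resolving to the staging folder (hijack risk) while `kernel32.dll` is found in System32 first and is unaffected, which is why the binaries of interest are those that reference a library not shipped in the system directories.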
Security Joes' new twist targets files located in the trusted “C:\Windows\WinSxS” folder. Short for Windows side-by-side, WinSxS is a critical Windows component used for customizing and updating the operating system to ensure compatibility and integrity.
“This approach represents a new application in cybersecurity: traditionally, attackers have largely relied on well-known techniques such as DLL Search Order Hijacking, a method that manipulates how Windows applications load external libraries and executables,” said Ido Naor, co-founder and CEO of Security Joes, in a statement.
The Security Joes CEO then added: “Our discovery deviates from this path, revealing a more subtle and hidden method of exploitation.”
The idea, in a nutshell, is to locate vulnerable binaries in the WinSxS folder (for example, ngentask.exe and aspnet_wp.exe) and combine them with regular DLL Search Order Hijacking methods by strategically placing a custom DLL with the same name as the legitimate DLL in an actor-controlled directory to achieve code execution.
As a result, simply running a vulnerable file from the WinSxS folder with the custom folder containing the rogue DLL set as the current directory is sufficient to execute the DLL's contents, without having to copy the executable out of the WinSxS folder.
Security Joes has warned that there may be other binaries in the WinSxS folder that are susceptible to this type of DLL Search Order Hijacking, requiring organizations to take appropriate precautions to mitigate this method of exploitation within their environments.
“Examine relationships between parent-child processes, with a specific focus on trusted binaries,” the company said. “Closely monitor all activity performed by binaries residing in the WinSxS folder, focusing on both network communications and file operations.”
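The two recommendations above translate into a small hunting rule. The following is an added example, not code from the article or from Security Joes, that runs over Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records and flags a WinSxS binary that was started with a current directory or parent outside the Windows tree, or that loaded a library from outside the directories a Windows component is expected to use. The events, the `x86_placeholder_component` directory, `launcher.exe` and `helper.dll` are constructed placeholders; the field names follow Sysmon's.

```python
import ntpath

# Added example: hunting rule over Sysmon-style Event ID 1 / 7 records.
# The sample events below are constructed; field names follow Sysmon's naming.
WINDOWS_ROOT = r"C:\Windows"
WINSXS = r"C:\Windows\WinSxS"
# Where a Windows component binary is normally expected to load libraries from.
EXPECTED_DLL_ROOTS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\System",
    r"C:\Windows\WinSxS",
)


def is_under(path, root):
    """Case-insensitive check that `path` lies inside directory `root`."""
    prefix = ntpath.normcase(root).rstrip("\\") + "\\"
    return ntpath.normcase(path).startswith(prefix)


def findings(event):
    """Return the rule names an event triggers; empty list for benign events."""
    hits = []
    if not is_under(event.get("Image", ""), WINSXS):
        return hits                      # rules only concern WinSxS binaries
    if event["EventID"] == 1:
        if not is_under(event.get("CurrentDirectory", ""), WINDOWS_ROOT):
            hits.append("winsxs_binary_started_with_cwd_outside_windows")
        if not is_under(event.get("ParentImage", ""), WINDOWS_ROOT):
            hits.append("winsxs_binary_with_parent_outside_windows")
    elif event["EventID"] == 7:
        loaded = event.get("ImageLoaded", "")
        if not any(is_under(loaded, root) for root in EXPECTED_DLL_ROOTS):
            hits.append("winsxs_binary_loaded_dll_outside_expected_roots")
    return hits


def triage(events):
    """Flatten findings into (time, image, rule) tuples for an analyst."""
    return [(e["UtcTime"], e["Image"], rule)
            for e in events for rule in findings(e)]


# Constructed sample events (placeholder component directory and file names).
WINSXS_BIN = r"C:\Windows\WinSxS\x86_placeholder_component\ngentask.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:00", "Image": WINSXS_BIN,
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CurrentDirectory": "C:\\Windows\\System32\\"},           # benign
    {"EventID": 1, "UtcTime": "2024-01-01 10:05:00", "Image": WINSXS_BIN,
     "ParentImage": r"C:\Users\Public\staging\launcher.exe",
     "CurrentDirectory": "C:\\Users\\Public\\staging\\"},      # suspicious
    {"EventID": 7, "UtcTime": "2024-01-01 10:05:01", "Image": WINSXS_BIN,
     "ImageLoaded": r"C:\Users\Public\staging\helper.dll"},   # suspicious
    {"EventID": 7, "UtcTime": "2024-01-01 10:05:01", "Image": WINSXS_BIN,
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},     # benign
    {"EventID": 7, "UtcTime": "2024-01-01 10:06:00",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\Public\staging\helper.dll"},   # not a WinSxS binary
]


if __name__ == "__main__":
    for when, image, rule in triage(SAMPLE_EVENTS):
        print(f"{when}  {rule}  {image}")
```

The parent-process rule is deliberately coarse (anything outside `C:\Windows`); in production it would be tuned against the parents that legitimately launch WinSxS binaries on the estate, while the image-load rule is the direct observable of the technique described above and should stay strict.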