Security News New Variant of DLL Search Order Hijacking Bypasses Windows 10 and 11 Protections

silversurfer

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,074
Content source
https://thehackernews.com/2024/01/new-variant-of-dll-search-order.html
Security researchers have detailed a new variant of a dynamic link library (DLL) search order hijacking technique that could be used by threat actors to bypass security mechanisms and achieve execution of malicious code on systems running Microsoft Windows 10 and Windows 11.

The approach "leverages executables commonly found in the trusted WinSxS folder and exploits them via the classic DLL search order hijacking technique," cybersecurity firm Security Joes said in a new report exclusively shared with The Hacker News.
Click to expand...
 
  • Like
  • +Reputation
Reactions: Xtwillight, oldschool, Nevi and 8 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,488
It can be especially dangerous when combined with DLL dropped via HTML Smuggling. Next, the attacker may convince the user to download and execute an innocent loader (EXE file, script, document, etc.) that executes a (vulnerable) legal system executable from the WinSxS system folder. The loader does not do anything wrong/malicious, so it can hardly be detected by the AV. In the home environment, the attacks via DLL hijacking have an advantage when the AV does not check DLLs (loaded by benign EXEs) against the cloud backend.
 
Last edited:
  • Like
  • +Reputation
Reactions: Xtwillight, oldschool, vtqhtr413 and 8 others
NoVirusThanks

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Interesting method, thanks for sharing it.

Tried to reproduce the scenario and OSA blocked it in "Basic Protection Profile" (tested with a custom exe loader, a .bat script and from PS):

test.png

test2.png

test3.png
 
  • Like
  • +Reputation
Reactions: Xtwillight, silversurfer, simmerskool and 4 others
NoVirusThanks

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
@Sandbox Breaker

I just recreated the scenario and PoCs based on the details provided in the article:

The idea, in a nutshell, is to find vulnerable binaries in the WinSxS folder (e.g., ngentask.exe and aspnet_wp.exe) and combine it with the regular DLL search order hijacking methods by strategically placing a custom DLL with the same name as the legitimate DLL into an actor-controlled directory to achieve code execution.

As a result, simply executing a vulnerable file in the WinSxS folder by launching a command line from a shell with the custom folder containing the rogue DLL as the current directory location is enough to trigger the execution of the DLL's contents without having to copy the executable from the WinSxS folder to it.
Click to expand...
 
  • Like
Reactions: vtqhtr413, harlan4096, Gandalf_The_Grey and 3 others

Similar threads

Gandalf_The_Grey
    • Like
Security News New Windows Themes zero-day gets free, unofficial patches
Replies
0
Views
777
Security News
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • Like
    • +Reputation
Security News New attack uses MSC files and Windows XSS flaw to breach networks
Replies
1
Views
2,907
Security News
NoVirusThanks
NoVirusThanks
silversurfer
    • Like
    • +Reputation
    • Applause
Serious Discussion Microsoft outs details, system requirements of Windows 11's new VBS Enclave security feature
Replies
3
Views
550
Windows 11
EstrellaRhodes
E

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top