Security News New Variant of DLL Search Order Hijacking Bypasses Windows 10 and 11 Protections

silversurfer (Thread author), Aug 17, 2014
Security researchers have detailed a new variant of a dynamic link library (DLL) search order hijacking technique that could be used by threat actors to bypass security mechanisms and achieve execution of malicious code on systems running Microsoft Windows 10 and Windows 11.

The approach "leverages executables commonly found in the trusted WinSxS folder and exploits them via the classic DLL search order hijacking technique," cybersecurity firm Security Joes said in a new report exclusively shared with The Hacker News.

Andy Ful (Hard_Configurator Tools), Dec 23, 2014
It can be especially dangerous when combined with a DLL dropped via HTML Smuggling. Next, the attacker may convince the user to download and execute an innocent loader (EXE file, script, document, etc.) that executes a (vulnerable) legitimate system executable from the WinSxS system folder. The loader does not do anything wrong/malicious, so it can hardly be detected by the AV. In the home environment, attacks via DLL hijacking have an advantage when the AV does not check DLLs (loaded by benign EXEs) against the cloud backend.

NoVirusThanks (NoVirusThanks), Aug 23, 2012
Interesting method, thanks for sharing it.

Tried to reproduce the scenario and OSA blocked it in "Basic Protection Profile" (tested with a custom exe loader, a .bat script and from PS):

[Screenshots: test.png, test2.png, test3.png]

NoVirusThanks (NoVirusThanks), Aug 23, 2012
@Sandbox Breaker

I just recreated the scenario and PoCs based on the details provided in the article:

The idea, in a nutshell, is to find vulnerable binaries in the WinSxS folder (e.g., ngentask.exe and aspnet_wp.exe) and combine them with the regular DLL search order hijacking methods by strategically placing a custom DLL with the same name as the legitimate DLL into an actor-controlled directory to achieve code execution.

As a result, simply executing a vulnerable file in the WinSxS folder by launching a command line from a shell with the custom folder containing the rogue DLL as the current directory location is enough to trigger the execution of the DLL's contents without having to copy the executable from the WinSxS folder to it.
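The two posts above describe the same observable from a defender's side: a trusted WinSxS executable ends up loading a DLL from a directory the attacker controls, and the launching loader itself looks benign. A detection that keys on the image-load event rather than on the loader avoids that blind spot. The following is an added example written for this thread, not code from the article, Security Joes or any of the posters: it parses constructed, Sysmon-style "image loaded" (Event ID 7) records in a simple pipe-delimited layout (the layout, the WinSxS component folder names, the user path and the DLL name are all placeholders, not real telemetry or real import names) and flags any process running from C:\Windows\WinSxS that loaded a DLL from outside the Windows directories.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumption: default system drive C:. Paths are compared case-insensitively.
WINSXS_DIR = "c:\\windows\\winsxs\\"

# Directories a WinSxS executable is expected to resolve DLLs from. A load from
# anywhere else (current directory, a user profile, a temp folder) is suspicious
# for this class of executable and is reported.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
    "c:\\windows\\microsoft.net\\",
)

# Constructed sample records (not real logs). Fields mirror Sysmon Event 7
# names (Image, ImageLoaded, Signed); component folder names, the user path
# and "example.dll" are placeholders and make no claim about what
# ngentask.exe or aspnet_wp.exe actually import.
SAMPLE_LOG = [
    r"EventID=7|Image=C:\Windows\WinSxS\amd64_PLACEHOLDER_component\ngentask.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true",
    r"EventID=7|Image=C:\Windows\WinSxS\amd64_PLACEHOLDER_component\ngentask.exe|ImageLoaded=C:\Users\alice\Downloads\staging\example.dll|Signed=false",
    r"EventID=7|Image=C:\Windows\WinSxS\amd64_PLACEHOLDER_component\aspnet_wp.exe|ImageLoaded=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\example.dll|Signed=true",
    r"EventID=7|Image=C:\Program Files\SomeApp\app.exe|ImageLoaded=C:\Program Files\SomeApp\helper.dll|Signed=true",
    r"EventID=1|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe",
]


@dataclass(frozen=True)
class Finding:
    image: str
    loaded: str
    reason: str


def parse_record(line: str) -> Dict[str, str]:
    """Split a pipe-delimited key=value record into a dict (constructed format)."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def _under(path: str, prefix: str) -> bool:
    return path.lower().startswith(prefix)


def check_event(fields: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when a WinSxS-hosted process loads a DLL from an
    untrusted location; None for every other record."""
    if fields.get("EventID") != "7":
        return None
    image = fields.get("Image", "")
    loaded = fields.get("ImageLoaded", "")
    # Only processes whose executable lives under WinSxS are in scope.
    if not _under(image, WINSXS_DIR):
        return None
    # Loads from the expected Windows directories are normal.
    if any(_under(loaded, d) for d in TRUSTED_DLL_DIRS):
        return None
    reason = "WinSxS executable loaded a DLL from outside the Windows directories"
    if fields.get("Signed", "").lower() == "false":
        reason += " (unsigned)"
    return Finding(image=image, loaded=loaded, reason=reason)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run the check over every record and collect the findings."""
    findings: List[Finding] = []
    for line in lines:
        finding = check_event(parse_record(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.reason}: {f.image} -> {f.loaded}")
```

On the constructed input only the second record is reported: the executable runs from WinSxS and its DLL resolved to a folder under a user profile, exactly the current-directory hijack the post describes, while the kernel32.dll and Microsoft.NET loads pass as expected. The rule deliberately ignores the launching process, so it fires whether the loader was an EXE, a .bat file or a PowerShell session; in a real deployment the allow-list would be tuned per host and the finding correlated with the parent process from Event ID 1.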
