New Variant of DLL Search Order Hijacking Bypasses Windows 10 and 11 Protections
Security researchers have detailed a new variant of a dynamic link library (DLL) search order hijacking technique that could be used by threat actors to bypass security mechanisms and achieve execution of malicious code on systems running Microsoft Windows 10 and Windows 11.
The approach "leverages executables commonly found in the trusted WinSxS folder and exploits them via the classic DLL search order hijacking technique," cybersecurity firm Security Joes said in a new report exclusively shared with The Hacker News.
Doing so lets adversaries do without elevated privileges when trying to run nefarious code on a compromised machine, since the trusted executable stays where it is and the attacker only needs write access to a directory of their own choosing, and it brings potentially vulnerable binaries into the attack chain, as has been observed in the past.
DLL search order hijacking, as the name implies, involves gaming the search order used to load DLLs to execute malicious payloads for defense evasion, persistence, and privilege escalation.
Specifically, attacks exploiting the technique single out applications that do not specify the full path to the libraries they require. Instead, they rely on a predefined search order to locate the necessary DLLs on disk.
Threat actors take advantage of this behavior by moving legitimate system binaries into non-standard directories and placing beside them malicious DLLs named after the legitimate ones, so the library containing the attack code is picked up instead of the real one.
This works because, when an executable references a DLL by name alone, the loader probes a fixed sequence of directories and loads the first match it finds (a sequential walk, not a recursive one). With SafeDllSearchMode enabled, which has been the default since Windows XP SP2 and so applies to Windows 10 and 11, the search order is as follows -
- The directory containing the application's executable
- The folder "C:\Windows\System32"
- The folder "C:\Windows\System"
- The folder "C:\Windows"
- The current working directory
- Directories listed in the system's PATH environment variable
- Directories listed in the user's PATH environment variable (the process sees the system and user entries as a single PATH value, system entries first)
Two caveats matter for hijacking: DLLs on the KnownDLLs list, and modules the process has already loaded, are resolved before any of these directories are searched, and if SafeDllSearchMode is disabled the current working directory moves up to second place, immediately after the application's own directory.
The novel twist that Security Joes devised targets files in the trusted "C:\Windows\WinSxS" folder. Short for Windows side-by-side, WinSxS is the component store in which Windows keeps the files, including multiple versions of the same DLLs and executables, that servicing uses to install, update and roll back operating system components while preserving compatibility and integrity.
"This approach represents a novel application in cybersecurity: traditionally, attackers have largely relied on well-known techniques like DLL search order hijacking, a method that manipulates how Windows applications load external libraries and executables," Ido Naor, co-founder and CEO of Security Joes, said in a statement shared with The Hacker News.
"Our discovery diverges from this path, unveiling a more subtle and stealthy method of exploitation."
The idea, in a nutshell, is to find vulnerable binaries in the WinSxS folder (e.g., ngentask.exe and aspnet_wp.exe) and combine them with the regular DLL search order hijacking method by strategically placing a custom DLL with the same name as the legitimate DLL into an actor-controlled directory to achieve code execution.
As a result, launching a vulnerable executable directly from its WinSxS location, with the current working directory set to the actor-controlled folder holding the rogue DLL, is enough to get the DLL's contents executed; the attacker never has to copy the executable out of the WinSxS folder, so the process image still points at a trusted system path. Given the search order above, this only works for a DLL that the loader does not find earlier in the sequence, that is, one absent from the executable's own directory and from the Windows system directories.
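The Python model below is an added illustration of the search order listed above and of the WinSxS variant just described; it is not code from the Security Joes report or from The Hacker News. The file layout, the WinSxS subdirectory name, the staging folder and the DLL names are constructed, and the KnownDLLs set is only a fragment of the real list. It shows the two conditions that decide whether a DLL planted in the current working directory wins: the DLL must not be present in an earlier directory, unless SafeDllSearchMode is turned off.

```python
"""Model of the Windows DLL search order for a DLL referenced by name only.
Added illustration; the file layout, the WinSxS subdirectory and the DLL
names below are constructed. Steps irrelevant here (DLL redirection, API
sets, manifests) are omitted."""

from pathlib import PureWindowsPath

SYSTEM_ROOT = PureWindowsPath(r"C:\Windows")
SYSTEM_DIRS = [SYSTEM_ROOT / "System32", SYSTEM_ROOT / "System", SYSTEM_ROOT]

# Subset of the KnownDLLs list: these are resolved from the object
# directory before any disk search, so they cannot be hijacked this way.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def _norm(path):
    """Lower-cased, separator-normalised form used for comparisons."""
    return str(PureWindowsPath(path)).lower()


def search_order(app_dir, cwd, path_dirs, safe_dll_search_mode=True):
    """Directories probed, in order. With SafeDllSearchMode on (the default)
    the current directory comes after the Windows directories; with it off
    the current directory moves up to second place."""
    if safe_dll_search_mode:
        order = [app_dir, *SYSTEM_DIRS, cwd]
    else:
        order = [app_dir, cwd, *SYSTEM_DIRS]
    return order + list(path_dirs)


def resolve_dll(dll_name, app_dir, cwd, path_dirs, files_on_disk, safe_dll_search_mode=True):
    """Return the (lower-cased) path the loader would pick for dll_name, or
    None if it is found nowhere. files_on_disk is a set of lower-cased full
    paths standing in for the file system."""
    name = dll_name.lower()
    if name in KNOWN_DLLS:
        return _norm(SYSTEM_ROOT / "System32" / name)
    for directory in search_order(app_dir, cwd, path_dirs, safe_dll_search_mode):
        candidate = _norm(PureWindowsPath(directory) / name)
        if candidate in files_on_disk:
            return candidate
    return None


def constructed_layout():
    """A WinSxS-resident executable (constructed subdirectory name), a
    user-writable staging folder, and a handful of DLLs."""
    exe_dir = PureWindowsPath(r"C:\Windows\WinSxS\example_component")
    staging = PureWindowsPath(r"C:\Users\Public\staging")
    disk = {
        exe_dir / "example.exe",
        SYSTEM_ROOT / "System32" / "version.dll",   # legitimately present in System32
        staging / "version.dll",                    # planted copy of the same name
        staging / "hypothetical_helper.dll",        # planted; absent from every system dir
    }
    return exe_dir, staging, {_norm(p) for p in disk}


def hijack_outcomes():
    """Where each DLL request is satisfied from when example.exe is run in
    place from WinSxS with the staging folder as the current directory."""
    exe_dir, staging, disk = constructed_layout()
    path_dirs = [SYSTEM_ROOT / "System32", SYSTEM_ROOT]
    args = (exe_dir, staging, path_dirs, disk)
    return {
        # Found in System32 first: the planted copy is never reached.
        "version_safe": resolve_dll("version.dll", *args),
        # SafeDllSearchMode off: the current directory is probed before System32.
        "version_unsafe": resolve_dll("version.dll", *args, safe_dll_search_mode=False),
        # Absent from the executable's and system directories: the planted copy wins.
        "helper_safe": resolve_dll("hypothetical_helper.dll", *args),
        # KnownDLL: resolved without any directory search.
        "known": resolve_dll("kernel32.dll", *args),
        "absent": resolve_dll("nonexistent.dll", *args),
    }


if __name__ == "__main__":
    for label, where in hijack_outcomes().items():
        print(f"{label:15s} -> {where}")
```

Running it prints, for each request, the directory that satisfies it; the interesting rows are "version_safe" (System32 wins, the plant fails) against "helper_safe" (nothing earlier in the order has the file, so the plant in the current directory is loaded), which is why the technique is about binaries whose dependencies are missing from the trusted locations.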
Security Joes warned that additional binaries in the WinSxS folder could be susceptible to this kind of DLL search order hijacking, so organizations need to take adequate precautions to mitigate the exploitation method within their environments.
"Examine parent-child relationships between processes, with a specific focus on trusted binaries," the company said. "Monitor closely all the activities performed by the binaries residing in the WinSxS folder, focusing on both network communications and file operations."