A technique known as “DLL Hijacking” is carried out by placing a malicious DLL (Dynamic Link Library) in a directory that a vulnerable application searches before the directory holding the legitimate one. The malicious DLL is loaded unintentionally when the application runs, giving attackers the ability to:
- Compromise the System
- Execute Arbitrary Code
Security Joes, a multi-layered incident response organization, employs cybersecurity experts who have uncovered a novel DLL Hijacking technique that allows threat actors to bypass Windows security measures.
About the DLL Hijacking Technique
This new technique uses DLL Search Order Hijacking to take advantage of trusted executables in the WinSxS folder. Because the malicious code runs from inside Windows folders, threat actors do not need to drop additional binaries.
It also works on Windows 10 and 11 because it gets around high privilege requirements. DLL Search Order Hijacking abuses the way Windows applications load DLLs that are referenced without a specified file location, by manipulating that search process.
Threat actors exploit the predefined search order by placing a malicious DLL in a directory that is searched earlier than the legitimate one. Many variants of the technique require that the application does not declare the full path of the DLL, which is frequently the result of development oversights.
One of the most important things to understand is how Windows loads DLLs and executables. The system searches for these files in a fixed order, which locates DLLs and other required components so that execution proceeds smoothly, and it also gives the OS a fallback for finding resources. The Windows resource search and loading order consists of the following:
- Application’s launch directory
- C:\Windows\System
- Current working directory
- User’s PATH variables
- C:\Windows\System32
- C:\Windows
- Directories in the system’s
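To make the search order concrete, here is an added example (not code from the article or from Security Joes) that simulates how the Windows loader resolves a DLL name against the directory order listed above. The directory names standing in for the launch directory, current working directory and PATH entries are constructed, as are the file names; the point it shows is that a bare file name resolves to the first directory in the order that contains a file of that name, while a fully qualified path is never searched for at all, which is why specifying full paths removes this class of hijack.

```python
from pathlib import PureWindowsPath

# Search order as the article lists it, with constructed stand-ins for the
# per-process directories (launch directory, current working directory, PATH).
SEARCH_ORDER = [
    r"C:\Apps\Launch",       # application's launch directory (constructed)
    r"C:\Windows\System",
    r"C:\Work",              # current working directory (constructed)
    r"C:\Tools",             # one directory from the user's PATH (constructed)
    r"C:\Windows\System32",
    r"C:\Windows",
]


def resolve_dll(name, present_files, search_order=SEARCH_ORDER):
    """Return the path the loader would pick for `name`, or None if not found.

    `present_files` is the set of full paths that exist on the simulated disk.
    Paths are compared case-insensitively, as on NTFS. A fully qualified name
    is used as-is; only a bare file name is searched for directory by directory.
    """
    present = {f.lower() for f in present_files}
    if PureWindowsPath(name).is_absolute():
        return name if name.lower() in present else None
    for directory in search_order:
        candidate = str(PureWindowsPath(directory) / name)
        if candidate.lower() in present:
            return candidate
    return None


def directories_consulted_before(chosen_path, search_order=SEARCH_ORDER):
    """Directories the loader checked (and found empty) before `chosen_path`.

    For a defender this is the audit list: every directory here must not be
    writable by lower-privileged users, or the chosen DLL can be shadowed.
    """
    chosen_dir = str(PureWindowsPath(chosen_path).parent).lower()
    before = []
    for directory in search_order:
        if directory.lower() == chosen_dir:
            break
        before.append(directory)
    return before


if __name__ == "__main__":
    # Constructed disk: the legitimate copy lives in System32 only.
    disk = {r"C:\Windows\System32\dependency.dll"}
    print(resolve_dll("dependency.dll", disk))
    print(directories_consulted_before(resolve_dll("dependency.dll", disk)))
    # Now a same-named file exists in the launch directory: the bare name
    # resolves there first, but the fully qualified reference is unaffected.
    disk.add(r"C:\Apps\Launch\dependency.dll")
    print(resolve_dll("dependency.dll", disk))
    print(resolve_dll(r"C:\Windows\System32\dependency.dll", disk))
```

`directories_consulted_before` is the check worth automating on real systems: for each DLL a trusted process loads by bare name, list the directories searched ahead of the one that holds it and confirm none of them is writable by unprivileged users.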
Threat actors can introduce malicious code into trusted processes by abusing this loading process, which helps them deceive:
- Security Experts/Analysts
- Security Tools
Threat actors can accomplish a variety of nefarious objectives with this new, clever and covert technique, including:
- Evade Detection
- Compromise Systems
A crucial part of the Windows OS is the WinSxS folder, located at "C:\Windows\WinSxS". It stores multiple versions of system files side by side, and it keeps prior versions intact when Windows is updated, which makes the folder grow with every update.
The main goals of the WinSxS folder are listed below:
- Dynamic Activation
- System Integrity
- Version Management
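Because the technique runs a trusted executable from the WinSxS folder and makes it load a DLL from somewhere else, the defender's detection point is the combination of "process image under C:\Windows\WinSxS" with "DLL loaded from outside the Windows system directories, or unsigned". The following added example (not code from the article or from Security Joes) applies that logic to a few constructed image-load records written in a simplified Sysmon Event ID 7 style; the executable, component and DLL names are placeholders, not real component names.

```python
import re

# Lower-cased directory prefixes; all paths are compared case-insensitively.
WINSXS_DIR = r"c:\windows\winsxs"
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Constructed sample records in a simplified Sysmon Event ID 7 (ImageLoad) style.
# "example_component", "trusted.exe", "dependency.dll" and "tampered.dll" are
# placeholders, not real WinSxS component or DLL names.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\WinSxS\example_component\trusted.exe ImageLoaded=C:\Windows\System32\dependency.dll Signed=true",
    r"Image=C:\Windows\WinSxS\example_component\trusted.exe ImageLoaded=C:\Users\Public\staging\dependency.dll Signed=false",
    r"Image=C:\Windows\WinSxS\example_component\trusted.exe ImageLoaded=C:\Windows\System32\tampered.dll Signed=false",
    r"Image=C:\Program Files\Vendor\app.exe ImageLoaded=C:\Program Files\Vendor\helper.dll Signed=true",
]

# Key=Value fields; a value runs until the next " Key=" so it may contain spaces.
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Split one 'Key=Value Key=Value ...' record into a dict."""
    return dict(_FIELD.findall(line))


def _under(path, directory):
    """True if `path` (lower-cased) lies inside `directory` (lower-cased)."""
    return path.startswith(directory + "\\")


def classify(event):
    """Return a reason string if the load looks like WinSxS search-order abuse, else None."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    if not _under(image, WINSXS_DIR):
        return None  # only processes whose executable lives in WinSxS are in scope here
    if not any(_under(loaded, d) for d in TRUSTED_DLL_DIRS):
        return "WinSxS executable loaded a DLL from outside the Windows system directories"
    if event.get("Signed", "").lower() != "true":
        return "WinSxS executable loaded an unsigned DLL"
    return None


def scan(lines):
    """Return (image, loaded DLL, reason) for every record that classify() flags."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reason = classify(event)
        if reason:
            hits.append((event["Image"], event["ImageLoaded"], reason))
    return hits


if __name__ == "__main__":
    for image, loaded, reason in scan(SAMPLE_EVENTS):
        print(f"{reason}: {image} -> {loaded}")
```

On a real estate the same two conditions map onto Sysmon Event ID 7 (ImageLoad) fields, and it is worth adding the process's current working directory from the corresponding Event ID 1 (ProcessCreate) record, since a WinSxS executable started from an unusual working directory is exactly the precondition this technique relies on.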
Advantages of DLL Exploitation Techniques
The main benefits of this novel DLL Hijacking technique are listed below:
- Enhancing Stealth
- Eliminating the Need for Additional Binaries
- Circumventing High Privilege Requirements