Unmasking a Stealthy DLL Search Order Hijacking Variant Exploiting Windows 10 and 11


Introduction

In a recent development, security researchers have uncovered a new variant of the dynamic link library (DLL) search order hijacking technique that poses a significant threat to systems running Microsoft Windows 10 and Windows 11. The approach leverages executables within the trusted WinSxS folder, giving threat actors a means to bypass existing security mechanisms. The novel twist is that adversaries can execute malicious code on a compromised machine without needing elevated privileges.

Understanding DLL Search Order Hijacking

DLL search order hijacking involves manipulating the search order used to load DLLs, enabling threat actors to execute malicious payloads. The attack specifically targets applications that do not specify the full path to the required DLLs, relying on a predefined search order. By moving legitimate system binaries into non-standard directories and placing malicious DLLs with similar names, attackers trick the system into loading the malicious code instead of the legitimate library.

The search order, in sequence, includes:

  1. The directory from which the application is launched
  2. "C:\Windows\System32"
  3. "C:\Windows\System"
  4. "C:\Windows"
  5. The current working directory
  6. Directories listed in the system's PATH environment variable
  7. Directories listed in the user's PATH environment variable

Exploiting the Trusted WinSxS Folder

The newly discovered technique by Security Joes takes a unique approach by targeting files within the trusted "C:\Windows\WinSxS" folder. This folder, crucial for Windows side-by-side operations, is responsible for customizing and updating the operating system to ensure compatibility and integrity. By identifying vulnerable binaries in the WinSxS folder, threat actors strategically place a custom DLL with the same name as a legitimate one in an actor-controlled directory.

In essence, the process involves finding vulnerable binaries (e.g., ngentask.exe and aspnet_wp.exe) in the WinSxS folder and combining them with DLL search order hijacking methods. Placing a custom DLL in a controlled directory allows adversaries to achieve code execution without copying the executable from the WinSxS folder.

A Subtle and Stealthy Exploitation Method

Ido Naor, co-founder and CEO of Security Joes, emphasized the novelty of this approach in cybersecurity. Traditionally, attackers have relied on well-known techniques like DLL search order hijacking. However, this new variant introduces a more subtle and stealthy method of exploitation. By focusing on the WinSxS folder, threat actors can potentially compromise additional binaries, highlighting the need for organizations to take precautionary measures.

Mitigating the Exploitation Method

Security Joes advises organizations to examine parent-child relationships between processes, particularly focusing on trusted binaries. Close monitoring of activities performed by binaries in the WinSxS folder, including network communications and file operations, is crucial for early detection and mitigation of potential threats.
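One way to operationalise that monitoring advice, as an added example that is not Security Joes' tooling or code from the original article: a small Python detector run over constructed, Sysmon-style process-create and image-load records that flags a WinSxS-hosted process started with a working directory outside the Windows tree, or loading a DLL from outside it. The key=value record format, the WinSxS component directory name and the DLL name are placeholders chosen for the example, not values from the research.

```python
import re

# Directories Windows itself owns. A working directory or a loaded DLL outside
# this tree, attached to a process hosted in WinSxS, is the signal described above.
TRUSTED_PREFIX = "c:\\windows\\"
WINSXS_PREFIX = "c:\\windows\\winsxs\\"

# Constructed sample events in a simplified key=value form modelled loosely on
# Sysmon process-create and image-load records (not real telemetry). Paths are
# assumed to contain no spaces; the component directory and DLL are placeholders.
SAMPLE_EVENTS = [
    "type=ProcessCreate pid=4120 image=C:\\Windows\\WinSxS\\example_component\\ngentask.exe "
    "cwd=C:\\Windows\\System32 parent=C:\\Windows\\System32\\svchost.exe",
    "type=ProcessCreate pid=5312 image=C:\\Windows\\WinSxS\\example_component\\ngentask.exe "
    "cwd=C:\\Users\\alice\\stage parent=C:\\Windows\\System32\\cmd.exe",
    "type=ImageLoad pid=4120 loaded=C:\\Windows\\System32\\kernel32.dll",
    "type=ImageLoad pid=5312 loaded=C:\\Users\\alice\\stage\\placeholder.dll",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one 'key=value key=value' record into a dict (values keep their case)."""
    return dict(FIELD_RE.findall(line))

def under(path, prefix):
    """Case-insensitive 'path lives below prefix' check for Windows paths."""
    return path.lower().startswith(prefix)

def detect(events):
    """Return alert strings for WinSxS processes whose working directory or
    loaded DLLs fall outside the Windows tree."""
    alerts = []
    winsxs_pids = {}  # pid -> image path, for processes whose image lives in WinSxS
    for line in events:
        ev = parse_event(line)
        kind, pid = ev.get("type"), ev.get("pid")
        if kind == "ProcessCreate" and under(ev["image"], WINSXS_PREFIX):
            winsxs_pids[pid] = ev["image"]
            if not under(ev["cwd"], TRUSTED_PREFIX):
                alerts.append(f"pid {pid}: WinSxS binary {ev['image']} started by "
                              f"{ev['parent']} with untrusted cwd {ev['cwd']}")
        elif kind == "ImageLoad" and pid in winsxs_pids:
            if not under(ev["loaded"], TRUSTED_PREFIX):
                alerts.append(f"pid {pid}: {winsxs_pids[pid]} loaded "
                              f"{ev['loaded']} from outside the Windows tree")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The parent image is carried into the alert so an analyst can review the parent-child relationship the advisory calls out; in a real deployment the same two checks would be expressed as a SIEM or EDR rule over the equivalent fields.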

Conclusion

The emergence of this new variant of DLL search order hijacking underscores the evolving tactics employed by threat actors to bypass Windows 10 and 11 protections. Security professionals and organizations must stay vigilant, implementing proactive measures to secure systems, examine process relationships, and closely monitor activities within critical system folders. By understanding and addressing these advanced attack techniques, the cybersecurity community can better protect against emerging threats and ensure the ongoing security of Windows-based environments.
