New Variant of DLL Search Order Hijacking Bypasses Windows 10 and 11 Protections

Security researchers have recently uncovered a new variant of the DLL search order hijacking technique that poses a threat to systems running Microsoft Windows 10 and Windows 11. The variant abuses executables found in the trusted WinSxS folder while relying on the classic DLL search order hijacking mechanism to get a malicious library loaded.

Overview

DLL search order hijacking involves manipulating the search order used to load Dynamic Link Libraries (DLLs) in order to execute malicious payloads for purposes such as defense evasion, persistence, and privilege escalation. This method is particularly effective against applications that do not specify the full path to the required DLLs and instead rely on a predefined search order to locate them on disk.

The Novel Twist

The novel twist in this variant involves targeting files located in the trusted “C:\Windows\WinSxS” folder. The WinSxS folder is a crucial Windows component used for customizing and updating the operating system to ensure compatibility and integrity. The attackers exploit vulnerable binaries in this folder, such as ngentask.exe and aspnet_wp.exe, by combining regular DLL search order hijacking methods with the strategic placement of a custom DLL with the same name as a legitimate DLL into an actor-controlled directory.

Exploitation Method

  1. Identifying Vulnerable Binaries: Find vulnerable binaries in the WinSxS folder.
  2. Strategic Placement of Custom DLL: Place a custom DLL with the same name as the legitimate DLL into an actor-controlled directory.
  3. Execution: Execute a vulnerable file in the WinSxS folder, triggering the execution of the DLL’s contents without copying the executable from WinSxS to the controlled directory.

Impact

This method eliminates the need for elevated privileges when attempting to run nefarious code on a compromised machine. It also introduces potentially vulnerable binaries into the attack chain, posing risks of data theft, deployment of malicious pods, and disruption of cluster operations.

Mitigation Strategies

Organizations are advised to take the following precautions to mitigate the exploitation of this method:

  1. Parent-Child Relationship Analysis: Examine parent-child relationships between processes, focusing on trusted binaries.
  2. Monitor Binaries in WinSxS: Monitor activities performed by binaries in the WinSxS folder, including network communications and file operations.
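The two mitigation steps above can be turned into simple hunting logic. The following Python is an added example written for this article, not code from the original researchers: it parses constructed Sysmon-style records (EventID 1 for process creation, EventID 7 for image load; the records, component directory names, parent processes and path allowlists are illustrative assumptions, not real telemetry) and flags a WinSxS-hosted binary that is launched by an unexpected parent or from a working directory outside the Windows directory, or that loads a DLL from a directory outside the trusted system roots.

```python
"""Hunting checks for the two mitigation steps: parent-child analysis of
processes hosted under C:\\Windows\\WinSxS, and DLL loads by those processes
that resolve outside trusted system directories.

All events below are constructed Sysmon-style records, not real telemetry.
Paths, parents and allowlists are assumptions to be tuned per environment.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

WINSXS_DIR = r"C:\Windows\WinSxS"
WINDOWS_DIR = r"C:\Windows"

# Assumption: a DLL resolved from one of these roots is expected for a
# WinSxS-hosted binary; anything else (user-writable folders, removable
# media, ...) matches the hijack pattern described in the article.
TRUSTED_DLL_ROOTS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
    r"C:\Windows\Microsoft.NET",
)

# Assumption: parents that normally launch servicing / .NET binaries out of
# WinSxS in this environment. Review against your own baseline.
EXPECTED_PARENTS = {"trustedinstaller.exe", "tiworker.exe", "services.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def is_under(path: str, root: str) -> bool:
    """Case-insensitive test that `path` is `root` or lies inside it."""
    p = path.replace("/", "\\").lower().rstrip("\\")
    r = root.replace("/", "\\").lower().rstrip("\\")
    return p == r or p.startswith(r + "\\")


def parse_event(line: str) -> dict[str, str]:
    """Parse one 'Key=Value|Key=Value' record into a dict."""
    fields: dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def check_event(ev: dict[str, str]) -> Finding | None:
    """Return a Finding for a suspicious WinSxS-hosted process event, else None."""
    image = ev.get("Image", "")
    if not is_under(image, WINSXS_DIR):
        return None  # only binaries executed from WinSxS are in scope here

    if ev.get("EventID") == "1":  # process create: parent-child relationship
        parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
        cwd = ev.get("CurrentDirectory", "")
        if parent not in EXPECTED_PARENTS or not is_under(cwd, WINDOWS_DIR):
            return Finding("unexpected-parent-or-cwd", image,
                           f"parent={parent or '?'} cwd={cwd or '?'}")

    elif ev.get("EventID") == "7":  # image load: where did the DLL come from?
        loaded = ev.get("ImageLoaded", "")
        if not any(is_under(loaded, root) for root in TRUSTED_DLL_ROOTS):
            return Finding("dll-from-untrusted-dir", image, f"loaded={loaded}")

    return None


def hunt(lines) -> list[Finding]:
    """Run check_event over an iterable of raw records and collect findings."""
    return [f for f in (check_event(parse_event(ln)) for ln in lines) if f]


# Constructed sample records (the component directory name is a placeholder).
SAMPLE_EVENTS = [
    # Expected: servicing parent, working directory inside the Windows directory
    r"EventID=1|Image=C:\Windows\WinSxS\amd64_example-component_placeholder\ngentask.exe"
    r"|ParentImage=C:\Windows\System32\services.exe|CurrentDirectory=C:\Windows\System32",
    # Expected: DLL resolved from System32
    r"EventID=7|Image=C:\Windows\WinSxS\amd64_example-component_placeholder\ngentask.exe"
    r"|ImageLoaded=C:\Windows\System32\kernel32.dll",
    # Suspicious: launched by a non-servicing parent from a user-writable directory
    r"EventID=1|Image=C:\Windows\WinSxS\amd64_example-component_placeholder\aspnet_wp.exe"
    r"|ParentImage=C:\Users\Public\tools\launcher.exe|CurrentDirectory=C:\Users\Public\tools",
    # Suspicious: a DLL loaded from that same user-writable directory
    r"EventID=7|Image=C:\Windows\WinSxS\amd64_example-component_placeholder\aspnet_wp.exe"
    r"|ImageLoaded=C:\Users\Public\tools\example.dll",
    # Out of scope for this check: the process image is not under WinSxS
    r"EventID=7|Image=C:\Windows\System32\notepad.exe|ImageLoaded=C:\Users\Public\tools\example.dll",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.image} :: {finding.detail}")
```

The image-load rule is the higher-signal one, since a WinSxS binary has no business resolving a DLL from a user-writable path; the process-creation rule is noisier and depends on how well `EXPECTED_PARENTS` matches the environment's baseline, so treat its hits as triage leads rather than alerts.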

By implementing these mitigation strategies, organizations can enhance their security posture and safeguard their systems against the risks associated with this new variant of DLL search order hijacking.