Security researchers have detailed a new variant of a dynamic link library (DLL) search order hijacking technique that could be used by threat actors to bypass security mechanisms and achieve execution of malicious code on systems running Microsoft Windows 10 and Windows 11.
The approach “leverages executables commonly found in the trusted WinSxS folder and exploits them via the classic DLL search order hijacking technique,” cybersecurity firm Security Joes said in a new report exclusively shared with The Hacker News.
In doing so, it allows adversaries to eliminate the need for elevated privileges when attempting to run nefarious code on a compromised machine as well as introduce potentially vulnerable binaries into the attack chain, as observed in the past.
DLL search order hijacking, as the name implies, involves gaming the search order used to load DLLs in order to execute malicious payloads for purposes of defense evasion, persistence, and privilege escalation.
Specifically, attacks exploiting the technique single out applications that do not specify the full path to the libraries they require, and instead, rely on a predefined search order to locate the necessary DLLs on disk.
Threat actors take advantage of this behavior by moving legitimate system binaries into non-standard directories that include malicious DLLs that are named after legitimate ones so that the library containing the attack code is picked up in place of the latter.
This, in turn, works because the process calling the DLL will search in the directory it’s executing from first before recursively iterating through other locations in a particular order to locate and load the resource in question. To put it in other words, the search order is as follows –
- The directory from which the application is launched
- The folder “C:\Windows\System32”
- The folder “C:\Windows\System”
- The folder “C:\Windows”
- The current working directory
- Directories listed in the system’s PATH environment variable
- Directories listed in the user’s PATH environment variable
The novel twist devised by Security Joes targets files located in the trusted “C:\Windows\WinSxS” folder. Short for Windows side-by-side, WinSxS is a critical Windows component that’s used for the customization and updating of the operating system to ensure compatibility and integrity.
“This approach represents a novel application in cybersecurity: traditionally, attackers have largely relied on well-known techniques like DLL search order hijacking, a method that manipulates how Windows applications load external libraries and executables,” Ido Naor, co-founder and CEO of Security Joes, said in a statement shared with The Hacker News.
“Our discovery diverges from this path, unveiling a more subtle and stealthy method of exploitation.”
The idea, in a nutshell, is to find vulnerable binaries in the WinSxS folder (e.g., ngentask.exe and aspnet_wp.exe) and combine it with the regular DLL search order hijacking methods by strategically placing a custom DLL with the same name as the legitimate DLL into an actor-controlled directory to achieve code execution.
As a result, simply executing a vulnerable file in the WinSxS folder by setting the custom folder containing the rogue DLL as the current directory is enough to trigger the execution of the DLL’s contents without having to copy the executable from the WinSxS folder to it.
Security Joes warned that there could be additional binaries in the WinSxS folder that are susceptible to this kind of DLL search order hijacking, necessitating that organizations take adequate precautions to mitigate the exploitation method within their environments.
“Examine parent-child relationships between processes, with a specific focus on trusted binaries,” the company said. “Monitor closely all the activities performed by the binaries residing in the WinSxS folder, focusing on both network communications and file operations.”