A recent report describes a newly identified variant of DLL (Dynamic Link Library) search order hijacking that attackers can use to bypass security controls and execute malicious code on Windows 10 and Windows 11 systems. The method is of particular concern because it lets a threat actor run code without first obtaining elevated privileges.
According to cybersecurity firm Security Joes, the approach applies the classic DLL search order hijacking technique to executables that live in the trusted WinSxS folder. This lets adversaries fold potentially vulnerable system binaries into their attack chains, consistent with trends observed in past activity.
DLL search order hijacking means manipulating the order in which a Windows application searches for and loads the libraries it depends on. It is used for defense evasion, persistence and privilege escalation. Attackers target applications that load a library by bare file name rather than by full path, which leaves the loader to walk a predefined search sequence and take the first match it finds.
In the classic form, attackers copy a legitimate, trusted binary into an unconventional directory they control and plant beside it a malicious DLL carrying the name of a library that binary imports. Because the loader searches the application's own directory first, the process picks up the malicious copy, and the trusted binary ends up executing the attacker's code.
With the default SafeDllSearchMode setting, the loader searches, in order: the directory containing the application's executable, the System32 directory, the 16-bit System directory, the Windows directory, the current working directory, and finally the directories listed in the PATH variable. Libraries on the KnownDLLs list are always mapped from System32 and are not subject to this search. The technique reported by Security Joes targets binaries in C:\Windows\WinSxS, the Windows component store, which holds the side-by-side assemblies and files that Windows needs for servicing and updates. Because those binaries sit in a directory the attacker cannot write to, the hijack has to come from a later entry in the search sequence, such as the current working directory, that the attacker does control.
Ido Naor, co-founder of Security Joes, explains that this diverges from the traditional tactic of relocating the trusted binary: the attacker leaves the vulnerable WinSxS binary where it is and supplies only the library. Having identified susceptible files such as ngentask.exe and aspnet_wp.exe, the attacker places a rogue DLL bearing the name of a library that binary looks up in a directory under their control; the malicious code then runs as soon as the vulnerable binary is invoked in a way that reaches that directory during the search. Naor describes the result as a more discreet and effective exploitation, since the process image is a legitimate file in a trusted Windows location.
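The following simulation of the default DLL search order is an added example, not code from Security Joes' report or from Microsoft. It covers both the classic relocation described above and the WinSxS variant: the file system, the KnownDLLs subset, the directory names and the import name helper.dll are constructed for the demonstration; ngentask.exe is the binary the report names, but the page does not say which library it imports, so helper.dll stands in for that.

```python
"""Simulate the default Windows DLL search order (SafeDllSearchMode enabled).

Added example for this page, not code from Security Joes' report. The file
system, the KnownDLLs subset, the directory names and the import name
helper.dll are all constructed for the demonstration; ngentask.exe is the
binary the report names.
"""
from typing import Dict, List, Optional, Set

SYSTEM32 = "C:\\Windows\\System32"
SYSTEM16 = "C:\\Windows\\System"          # 16-bit system directory
WINDIR = "C:\\Windows"

# Constructed subset of the KnownDLLs registry list. The loader maps these
# straight from System32 and never searches for them on disk, so a bare-name
# import of one of them cannot be hijacked this way.
KNOWN_DLLS: Set[str] = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir: str, cwd: str, path_dirs: List[str]) -> List[str]:
    """Directories the loader consults, in order, for a DLL requested by bare name."""
    return [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd, *path_dirs]


def resolve_dll(dll_name: str, app_dir: str, cwd: str, path_dirs: List[str],
                fs: Dict[str, Set[str]]) -> Optional[str]:
    """Return the directory the loader would take dll_name from, or None.

    fs is a constructed map of directory -> file names standing in for the real
    disk. Comparisons are case-insensitive, as on Windows.
    """
    name = dll_name.lower()
    if name in KNOWN_DLLS:
        return SYSTEM32
    fs_ci = {d.lower(): {f.lower() for f in files} for d, files in fs.items()}
    for directory in search_order(app_dir, cwd, path_dirs):
        if name in fs_ci.get(directory.lower(), set()):
            return directory
    return None


# Constructed scenario: a trusted binary in the component store imports
# helper.dll by bare name, but the DLL is neither beside it nor in System32.
WINSXS_DIR = "C:\\Windows\\WinSxS\\x86_hypothetical-component_1.0.0.0"
ATTACKER_DIR = "C:\\Users\\Public\\staging"
PATH_DIRS = ["C:\\Windows\\System32\\WindowsPowerShell\\v1.0"]
FS: Dict[str, Set[str]] = {
    WINSXS_DIR: {"ngentask.exe"},
    SYSTEM32: {"kernel32.dll", "ntdll.dll"},
    ATTACKER_DIR: {"helper.dll"},          # the rogue DLL
}


def demo() -> Dict[str, Optional[str]]:
    """Resolve helper.dll under five conditions and report where it comes from."""
    return {
        # WinSxS variant: binary runs in place, attacker controls the CWD.
        "winsxs_variant": resolve_dll("helper.dll", WINSXS_DIR, ATTACKER_DIR, PATH_DIRS, FS),
        # Classic variant: binary copied next to the rogue DLL, so the
        # application directory itself is attacker-controlled.
        "classic_variant": resolve_dll(
            "helper.dll", ATTACKER_DIR, "C:\\Users\\alice", PATH_DIRS,
            {**FS, ATTACKER_DIR: {"ngentask.exe", "helper.dll"}}),
        # KnownDLLs are immune: they come from System32 regardless of CWD.
        "known_dll": resolve_dll("kernel32.dll", WINSXS_DIR, ATTACKER_DIR, PATH_DIRS, FS),
        # A genuine copy in System32 wins because it is searched before the CWD.
        "present_in_system32": resolve_dll(
            "helper.dll", WINSXS_DIR, ATTACKER_DIR, PATH_DIRS,
            {**FS, SYSTEM32: FS[SYSTEM32] | {"helper.dll"}}),
        # Benign CWD: nothing on the search path provides the DLL, the load
        # fails, and that unsatisfied lookup is exactly what makes it exploitable.
        "benign_cwd": resolve_dll("helper.dll", WINSXS_DIR, "C:\\Users\\alice", PATH_DIRS, FS),
    }


if __name__ == "__main__":
    for case, where in demo().items():
        print(f"{case:22s} -> {where}")
```

The two cases that resolve to ATTACKER_DIR show why the WinSxS variant needs no copy of the executable: in the classic case the attacker owns the first entry of the search sequence, in the WinSxS case only the fifth, but with nothing ahead of it supplying the library the outcome is the same. The "present_in_system32" and "known_dll" cases are the hardening points: a binary whose imports all exist in System32, or are KnownDLLs, cannot be hijacked through the search order alone.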
Security Joes warns that more susceptible binaries are likely to exist in the WinSxS folder, and urges organizations to take proactive measures: monitor parent-child process relationships, and watch what binaries resident in the WinSxS directory actually do, with particular attention to the libraries they load, their network communications and their file activity.
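One way to act on that monitoring advice, as an added example rather than anything published by Security Joes: run two simple rules over process-creation and image-load telemetry for processes whose image lives under WinSxS. The sample records below are constructed, flattened key=value lines modelled on Sysmon Event 1 (ProcessCreate, which carries CurrentDirectory and ParentImage) and Event 7 (ImageLoad, which carries ImageLoaded and Signed); the field names follow Sysmon's schema, every value, path and process id is invented.

```python
"""Flag WinSxS-resident binaries that load libraries from, or start in,
directories outside the Windows directory.

Added example for this page, not code from Security Joes. SAMPLE_LOG is
constructed: flattened key=value records modelled on Sysmon Event 1
(ProcessCreate) and Event 7 (ImageLoad). Field names follow Sysmon; every
value, path and process id is invented.
"""
import re
from typing import Dict, List

WINSXS_PREFIX = "c:\\windows\\winsxs\\"
WINDIR_PREFIX = "c:\\windows\\"

SAMPLE_LOG = r"""
EventID=1 ProcessId=4120 Image=C:\Windows\WinSxS\x86_hypothetical_1.0\ngentask.exe CurrentDirectory=C:\Users\Public\staging\ ParentImage=C:\Windows\System32\cmd.exe
EventID=7 ProcessId=4120 Image=C:\Windows\WinSxS\x86_hypothetical_1.0\ngentask.exe ImageLoaded=C:\Users\Public\staging\helper.dll Signed=false
EventID=7 ProcessId=4120 Image=C:\Windows\WinSxS\x86_hypothetical_1.0\ngentask.exe ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true
EventID=1 ProcessId=5016 Image=C:\Windows\System32\svchost.exe CurrentDirectory=C:\Windows\system32\ ParentImage=C:\Windows\System32\services.exe
EventID=7 ProcessId=5016 Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\rpcrt4.dll Signed=true
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> Dict[str, str]:
    """Split one flattened record into a field map (values contain no spaces here)."""
    return dict(FIELD_RE.findall(line))


def under(path: str, prefix: str) -> bool:
    """Case-insensitive prefix test, the way Windows paths compare."""
    return path.lower().startswith(prefix)


def find_winsxs_anomalies(log: str) -> List[str]:
    """Return one finding per suspicious record, in log order.

    Rule 1 (Event 7): a process whose image lives under WinSxS loads a DLL from
    outside the Windows directory, or loads an unsigned DLL from anywhere.
    Rule 2 (Event 1): a WinSxS-resident binary starts with a current working
    directory outside the Windows directory. The loader searches the CWD
    before PATH, so an attacker-chosen CWD is the setup for the hijack.
    """
    findings: List[str] = []
    for line in log.strip().splitlines():
        rec = parse_record(line)
        image = rec.get("Image", "")
        if not under(image, WINSXS_PREFIX):
            continue
        pid = rec.get("ProcessId", "?")
        if rec.get("EventID") == "7":
            loaded = rec.get("ImageLoaded", "")
            signed = rec.get("Signed", "").lower() == "true"
            if not under(loaded, WINDIR_PREFIX) or not signed:
                findings.append(
                    f"pid {pid}: {image} loaded {loaded} (signed={signed})")
        elif rec.get("EventID") == "1":
            cwd = rec.get("CurrentDirectory", "")
            if not under(cwd, WINDIR_PREFIX):
                findings.append(
                    f"pid {pid}: {image} started with cwd {cwd} "
                    f"(parent {rec.get('ParentImage', '?')})")
    return findings


if __name__ == "__main__":
    for finding in find_winsxs_anomalies(SAMPLE_LOG):
        print(finding)
```

On a real deployment the image-load rule only fires if the Sysmon configuration actually records Event 7 for WinSxS images (image-load logging is off by default because of its volume), and the unsigned-DLL clause needs tuning against a baseline of what WinSxS components legitimately load. The process-creation rule is cheaper and catches the precondition rather than the payload: a component-store binary whose working directory is somewhere a standard user can write is worth a look regardless of what it loads next.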
When assessing their exposure, organizations should map the technique to the MITRE ATT&CK framework (Hijack Execution Flow: DLL Search Order Hijacking, T1574.001) and consider how it could serve initial access, privilege escalation and persistence. Given the evolving threat landscape, an adaptive and vigilant security posture remains essential to mitigating the risk such techniques pose.