A new variant of the DLL Search Order Hijacking technique has been discovered by security researchers [1] [2] [6] [7] [8]. This variant allows cybercriminals to bypass security mechanisms on Windows 10 and Windows 11 systems. By manipulating the search order used to load DLLs [2] [6] [8], threat actors can introduce potentially vulnerable binaries into the attack chain [6] [7].

Description

This technique leverages executables in the trusted WinSxS folder [1] [2] [3] [4] [5] [7] [8]. By moving legitimate system binaries into non-standard directories and replacing them with malicious DLLs [1] [3] [7], threat actors can execute malicious code without needing elevated privileges [2] [3] [8]. In this variant [3] [6] [7] [8], the WinSxS folder is specifically targeted, and adversaries strategically place a custom DLL with the same name as a vulnerable binary to achieve code execution [3]. This technique can be used for defense evasion, persistence [6], and privilege escalation [6].

To mitigate this exploitation method [2] [7] [8], organizations are advised to monitor activities performed by binaries in the WinSxS folder and examine parent-child relationships between processes [1] [2] [7]. Security Joes warns that there may be additional vulnerable binaries in the WinSxS folder [1] [3] [6] [8], emphasizing the importance of vigilant monitoring and analysis.
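As an added example (not code from the page, from the cited articles, or from Security Joes), the following Python sketch implements the monitoring advice above over constructed, Sysmon-style process-creation and image-load records. It flags three conditions: a binary whose name belongs to the WinSxS inventory running from a non-standard directory, a WinSxS-resident binary whose parent process or working directory is user-writable (the parent-child relationship check), and a WinSxS-resident process loading a DLL from outside the trusted system directories. The component folder name, the `sample.exe`/`sample.dll` names, the event field layout and the directory lists are all assumptions made for the example; in production the inventory would come from a directory walk and the events from the Sysmon or EDR telemetry the organization already collects.

```python
"""Detection sketch for the WinSxS DLL search order hijacking variant.

Added example, not the page's or Security Joes' code. Event records and
paths are constructed; the record fields imitate Sysmon process-creation
and image-load events but are not a real schema.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which Windows-owned binaries and their DLLs are expected to run and load.
TRUSTED_DIRS = (r"c:\windows\winsxs", r"c:\windows\system32", r"c:\windows\syswow64")
WINSXS = r"c:\windows\winsxs"
# Locations a non-privileged user can write to; a WinSxS binary started from here is suspicious.
USER_WRITABLE_DIRS = (r"c:\users", r"c:\programdata", r"c:\temp")


@dataclass
class ProcessEvent:
    """Process creation record (constructed fields)."""
    image: str              # full path of the new process
    parent_image: str       # full path of the parent process
    current_directory: str  # working directory at start; a DLL missing from the image dir is searched here


@dataclass
class ImageLoadEvent:
    """Image load record (constructed fields)."""
    image: str   # process that mapped the module
    loaded: str  # full path of the DLL that was mapped


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\").rstrip("\\")


def is_under(path: str, roots) -> bool:
    """True if path equals one of roots or lies below it (prefix match on a path boundary)."""
    p = _norm(path)
    return any(p == _norm(r) or p.startswith(_norm(r) + "\\") for r in roots)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def build_inventory(winsxs_listing):
    """Basenames of executables that live under WinSxS (built from a directory walk in practice)."""
    return {basename(p) for p in winsxs_listing if basename(p).endswith(".exe")}


def detect(process_events, load_events, inventory):
    """Return (kind, subject, detail) tuples for every suspicious record."""
    findings = []
    for ev in process_events:
        img, parent, cwd = ev.image, ev.parent_image, ev.current_directory
        # 1. A binary known from WinSxS executing from somewhere else: a relocated system binary.
        if basename(img) in inventory and not is_under(img, TRUSTED_DIRS):
            findings.append(("relocated_system_binary", img, parent))
        # 2. A binary still inside WinSxS but launched by, or with its working directory in,
        #    a user-writable location: the parent-child and search-path checks.
        if is_under(img, (WINSXS,)):
            if is_under(parent, USER_WRITABLE_DIRS):
                findings.append(("winsxs_binary_untrusted_parent", img, parent))
            if is_under(cwd, USER_WRITABLE_DIRS):
                findings.append(("winsxs_binary_untrusted_cwd", img, cwd))
    # 3. A WinSxS-resident process mapping a DLL from outside the trusted system directories.
    for ev in load_events:
        if is_under(ev.image, (WINSXS,)) and not is_under(ev.loaded, TRUSTED_DIRS):
            findings.append(("winsxs_binary_untrusted_dll", ev.image, ev.loaded))
    return findings


# Constructed sample data: one benign baseline plus the three patterns above.
COMPONENT = r"C:\Windows\WinSxS\amd64_sample-component_10.0.0.1"  # assumed folder name
WINSXS_LISTING = [COMPONENT + r"\sample.exe", COMPONENT + r"\sample.dll"]
PROCESS_EVENTS = [
    ProcessEvent(COMPONENT + r"\sample.exe", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32"),
    ProcessEvent(r"C:\Users\alice\Downloads\sample.exe", r"C:\Users\alice\Downloads\setup.exe",
                 r"C:\Users\alice\Downloads"),
    ProcessEvent(COMPONENT + r"\sample.exe", r"C:\Users\alice\AppData\Local\Temp\stage.exe",
                 r"C:\Users\alice\AppData\Local\Temp"),
]
LOAD_EVENTS = [
    ImageLoadEvent(COMPONENT + r"\sample.exe", r"C:\Windows\System32\kernel32.dll"),
    ImageLoadEvent(COMPONENT + r"\sample.exe", r"C:\Users\alice\AppData\Local\Temp\sample.dll"),
]


def sample_findings():
    return detect(PROCESS_EVENTS, LOAD_EVENTS, build_inventory(WINSXS_LISTING))


if __name__ == "__main__":
    for kind, subject, detail in sample_findings():
        print(f"{kind}: {subject} <- {detail}")
```

The working-directory check matters because, once the expected DLL is absent from the binary's own folder, the loader continues down the search order and the attacker-controlled directory is reached; the image-load check catches the outcome regardless of which path the loader took. Both directory lists should be tuned to the environment before being used for alerting.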

Conclusion

The discovery of this new variant of the DLL Search Order Hijacking technique highlights the need for enhanced security measures on Windows 10 and Windows 11 systems. Organizations should prioritize monitoring activities in the WinSxS folder and analyzing parent-child relationships between processes to detect and prevent potential attacks. The presence of additional vulnerable binaries in the WinSxS folder further emphasizes the importance of ongoing vigilance and analysis. By implementing these mitigation strategies, organizations can better protect their systems and prevent unauthorized code execution.

References

[1] https://thehackernews.com/2024/01/new-variant-of-dll-search-order.html
[2] https://www.redpacketsecurity.com/new-variant-of-dll-search-order-hijacking-bypasses-windows-10-and-11-protections/
[3] https://www.ihash.eu/2024/01/new-variant-of-dll-search-order-hijacking-bypasses-windows-10-and-11-protections/
[4] https://www.itsecuritynews.org/new-variant-of-dll-search-order-hijacking-bypasses-windows-10-and-11-protections/
[5] https://news.backbox.org/2024/01/01/new-variant-of-dll-search-order-hijacking-bypasses-windows-10-and-11-protections/
[6] https://pledgetimes.com/dll-search-order-hijacking-new-variant-for-windows-10/
[7] https://owasp.or.id/2024/01/01/new-variant-of-dll-search-order-hijacking-bypasses-windows-10-and-11-protections/
[8] https://ciso2ciso.com/new-variant-of-dll-search-order-hijacking-bypasses-windows-10-and-11-protections-sourcethehackernews-com/