Security researchers have outlined a novel iteration of a dynamic link library (DLL) search order hijacking technique, posing a potential threat to systems running Microsoft Windows 10 and Windows 11. This method, disclosed in an exclusive report shared with The Hacker News by cybersecurity firm Security Joes, capitalizes on executables commonly located in the trusted WinSxS folder. By exploiting the classic DLL search order hijacking technique, adversaries can bypass security mechanisms, enabling the execution of malicious code.
The strategy involves leveraging trusted executables within the WinSxS folder, eliminating the necessity for elevated privileges to run malicious code on a compromised system. Additionally, this approach introduces the possibility of incorporating vulnerable binaries into the attack chain, a pattern observed in previous incidents.
DLL search order hijacking revolves around manipulating the order in which DLLs are loaded, facilitating the execution of malicious payloads for purposes such as defense evasion, persistence, and privilege escalation. In this context, attackers target applications that do not specify the full path to the libraries they require. Instead, such applications rely on a predetermined search order to locate the necessary DLLs on disk.
Exploiting this behavior, threat actors relocate legitimate system binaries into unconventional directories. Those directories also contain malicious DLLs bearing the same names as the legitimate libraries the binary expects. Consequently, during the DLL loading process, the library containing the attack code is resolved in lieu of the authentic one.
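As an added, defender-side illustration (not code from the Security Joes report or The Hacker News), the following Python script scans constructed image-load records, in a simplified Sysmon-like `Image=…;ImageLoaded=…` format, for the two signals the relocation pattern above leaves behind: a WinSxS-resident binary executing from an untrusted directory, and a DLL carrying a system library's name resolving outside the trusted system roots. The directory allowlist, the name inventories and `sample.exe` are assumed placeholders a defender would replace with an inventory taken from a clean reference host.

```python
# Added example, not code from the Security Joes report or The Hacker News:
# flag image-load records that match the relocation pattern described above.
# Record format, directory allowlist and name inventories are constructed for the demo.
from pathlib import PureWindowsPath

# Directories from which system binaries and DLLs are expected to load (assumed allowlist).
TRUSTED_ROOTS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")
# Inventories a defender would build from a clean reference host (constructed here).
SYSTEM_DLL_NAMES = {"kernel32.dll", "advapi32.dll", "userenv.dll"}
WINSXS_BINARY_NAMES = {"sample.exe"}  # placeholder, not a real WinSxS binary


def parse_record(line: str) -> dict[str, str]:
    """Parse a constructed 'Image=...;ImageLoaded=...' record into a dict."""
    return dict(part.split("=", 1) for part in line.strip().split(";"))

def under_trusted_root(path: str) -> bool:
    """True when the path sits beneath one of TRUSTED_ROOTS (case-insensitive)."""
    normalized = str(PureWindowsPath(path)).lower()
    return any(normalized.startswith(root.lower() + "\\") for root in TRUSTED_ROOTS)

def classify(process_image: str, loaded_image: str) -> list[str]:
    """Return the reasons a load looks like search-order hijacking (empty if benign)."""
    reasons = []
    exe_name = PureWindowsPath(process_image).name.lower()
    dll_name = PureWindowsPath(loaded_image).name.lower()
    # Pattern 1: a binary normally resident in WinSxS executing from somewhere else.
    if exe_name in WINSXS_BINARY_NAMES and not under_trusted_root(process_image):
        reasons.append("winsxs binary relocated")
    # Pattern 2: a DLL bearing a system library's name resolved outside the trusted roots.
    if dll_name in SYSTEM_DLL_NAMES and not under_trusted_root(loaded_image):
        reasons.append("system dll name loaded from untrusted path")
    return reasons

def suspicious_loads(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Run classify() over raw records and keep only the flagged ones."""
    flagged = []
    for line in lines:
        rec = parse_record(line)
        reasons = classify(rec["Image"], rec["ImageLoaded"])
        if reasons:
            flagged.append((rec["ImageLoaded"], reasons))
    return flagged

# Constructed sample records: a benign load, then a relocated copy loading a same-named DLL.
SAMPLE_LOG = [
    r"Image=C:\Windows\WinSxS\amd64_sample_component\sample.exe;ImageLoaded=C:\Windows\System32\kernel32.dll",
    r"Image=C:\Users\Public\staging\sample.exe;ImageLoaded=C:\Users\Public\staging\userenv.dll",
]
```

Running `suspicious_loads(SAMPLE_LOG)` flags only the second record, with both reasons attached; the first record, a WinSxS binary loading a DLL from System32, is left alone.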