DLL search order hijacking


Attack technique

Technique name: DLL search order hijacking

MITRE ATT&CK

  • Tactic: Persistence
  • Technique: Hijacking Execution Flow: DLL Search Order Hijacking (T1574.001)

Technique description
DLL Search Order Hijacking allows adversaries to execute malicious payloads, enabling persistence, privilege escalation, and evasion of execution restrictions.
The attacker abuses the Windows DLL search order, tricking Windows into loading a malicious library instead of the legitimate one. If the vulnerable program runs at a higher privilege level, the adversary-controlled DLL executes at that level, enabling privilege escalation.

Insights from threat intelligence

By manipulating the search order, threat actors can gain unauthorized access or execute arbitrary code within an application or system process. The technique therefore serves as a crucial method for threat actors to achieve persistence, execute arbitrary code, and evade detection, making it a favoured technique in their cyber campaigns.

DLL search order hijacking remains a prevalent attack vector. Nearly all widely known cyber campaigns have been observed using this technique, from Stuxnet (2010), Duqu (2011) and Flame (2012), through more recent campaigns such as PowerFall (2019-2020) and GhostSecret (2018), to ongoing campaigns like DarkHotel, LockBit, Qbot and more.

All organizations should be aware of this threat to effectively defend against it. Regular security assessments, patch management, and user awareness training can contribute to a robust security posture.

Seen in the wild since: 2010

References:

  • https://www.bleepingcomputer.com/news/security/qbot-phishing-abuses-windows-control-panel-exe-to-infect-devices/
  • https://cqureacademy.com/cqure-labs/cqlabs-how-uac-bypass-methods-really-work-by-adrian-denkiewicz
  • https://www.giac.org/paper/gcda/141/detecting-dll-search-order-hijacking-purple-team-approach-create-defensive-techniques-tactical-siem/163896
  • https://github.com/hfiref0x/UACME


Threat hunting thesis breakdown

Living-off-the-Land modules impersonation

Relevant data sources

  • EDR Load Module Events
  • EDR Process Creation Events

Thesis explanation

Detects DLL modules that are loaded into a process from the process's own directory and that share a name with a module in the System32 directory but have an unknown hash.

If all of the following conditions hold, a search order hijacking is likely:

  1. The calling process loads a module located in the same directory as the process itself.
  2. Neither the calling process nor the loaded module resides in a %PATH% or links directory.
  3. The calling process has the name or the hash of a file in the System32 directory.
  4. The loaded module has the name of a file in the System32 directory, but its hash is unknown.
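The following is an added example, not part of the original page or its hunting queries, that implements the four conditions above as a filter over EDR load-module events and shows why the technique description's "same name, different file" pattern is what the thesis keys on. The event field names, the System32 inventory, the trusted-directory set and all paths and hashes are constructed assumptions for illustration; a real hunt would populate the inventory from a golden image or the EDR's file reputation data.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed System32 inventory: file name -> set of known-good hashes. Names and
# hash values are constructed for this example.
SYSTEM32_INVENTORY = {
    "control.exe": {"aaaa1111"},
    "version.dll": {"bbbb2222"},
    "dwmapi.dll": {"cccc3333"},
}

# Assumed %PATH% / link directories (lower-cased, no trailing separator).
# Loads involving these directories are not treated as side-loads (condition 2).
TRUSTED_DIRS = {
    r"c:\windows",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}


@dataclass(frozen=True)
class LoadModuleEvent:
    """One EDR load-module event (field names are assumptions for this example)."""
    process_path: str
    process_hash: str
    module_path: str
    module_hash: str


def _parent_dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _file_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def evaluate(event, inventory=SYSTEM32_INVENTORY, trusted_dirs=TRUSTED_DIRS):
    """Return the names of the thesis conditions the event satisfies, in order 1-4."""
    hits = []
    proc_dir = _parent_dir(event.process_path)
    mod_dir = _parent_dir(event.module_path)

    # 1. The module was loaded from the same directory as the calling process.
    if proc_dir == mod_dir:
        hits.append("same_directory")

    # 2. Neither the process nor the module sits in a %PATH% / link directory.
    if proc_dir not in trusted_dirs and mod_dir not in trusted_dirs:
        hits.append("outside_path_dirs")

    # 3. The process carries the name or the hash of a System32 file (LOLBin look-alike).
    known_system32_hashes = set().union(*inventory.values())
    if _file_name(event.process_path) in inventory or event.process_hash in known_system32_hashes:
        hits.append("process_matches_system32")

    # 4. The module carries a System32 file name but its hash is not a known one.
    module_name = _file_name(event.module_path)
    if module_name in inventory and event.module_hash not in inventory[module_name]:
        hits.append("module_name_matches_unknown_hash")

    return hits


def is_likely_hijack(event, **kwargs) -> bool:
    """All four conditions must hold for the thesis to fire."""
    return len(evaluate(event, **kwargs)) == 4


def hunt(events):
    """Filter a batch of load-module events down to likely search order hijacks."""
    return [e for e in events if is_likely_hijack(e)]


# Constructed sample events (paths and hashes are made up for illustration).
SAMPLE_EVENTS = [
    # A genuine System32 binary sitting next to a look-alike DLL: all four conditions hold.
    LoadModuleEvent(r"C:\Users\Public\control.exe", "aaaa1111",
                    r"C:\Users\Public\version.dll", "deadbeef"),
    # Normal load from System32: same directory, but a trusted dir and a known hash.
    LoadModuleEvent(r"C:\Windows\System32\control.exe", "aaaa1111",
                    r"C:\Windows\System32\version.dll", "bbbb2222"),
    # Third-party program side-loading a look-alike DLL: condition 3 fails, which is
    # exactly the blind spot the page describes, so the thesis does not fire.
    LoadModuleEvent(r"C:\Users\Public\app\myapp.exe", "99990000",
                    r"C:\Users\Public\app\version.dll", "deadbeef"),
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event.module_path, "->", evaluate(event))
    print("likely hijacks:", [e.module_path for e in hunt(SAMPLE_EVENTS)])
```

Returning the list of satisfied conditions rather than a bare boolean keeps the partial matches visible: the third sample event trips three of the four conditions, which is the signal an analyst would want surfaced as a lower-confidence lead even though the thesis itself does not fire on it.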

Blind spots
The detection covers DLL search order hijacking attempts that are tied to LOLBin processes sharing a name or hash with files seen in System32 folders.
If a malicious file is placed in a System32 folder, it will be treated as legitimate. The detection also does not cover third-party programs that load malicious DLL files via the search order hijacking technique.

Recommended investigation flow

  1. Review the file path of the program that loaded the DLL. Is the directory suspicious?
  2. Check the hash of the loaded file in malware analysis services:
    1. Is the hash marked as suspicious by any antimalware engines?
    2. Is the loaded DLL signed by Microsoft?
    3. When was it first submitted, if at all?
  3. Review activities made by the loading process:
    1. Did the process spawn any suspicious child process?
    2. Did the process reach out to malicious domains or IPs?
    3. Did the process write any abnormal files to suspicious locations?
    4. Did the process write or use any suspicious Registry keys?

Hunting queries

https://gist.github.com/axon-git/4cead0efcc974306d4f4df15a1143de0