DLL Search Order Hijacking

Information

• Name: DLL Search Order Hijacking

• ID: T1574.001

• Tactics: TA0003, TA0004, TA0005

• Technique: T1574

Introduction

DLL Search Order Hijacking (MITRE ATT&CK ID: T1574.001) is a sub-technique within the MITRE ATT&CK framework under the "Hijack Execution Flow" technique. It involves exploiting the default Windows Dynamic-Link Library (DLL) search order to load malicious DLL files instead of legitimate ones. Attackers place malicious DLLs in directories that are searched before the legitimate DLL locations, causing the operating system or applications to load attacker-controlled libraries. This technique allows threat actors to execute arbitrary code, escalate privileges, evade detection, and maintain persistence within compromised systems.

Deep Dive Into Technique

DLL Search Order Hijacking leverages the way Windows operating systems search and load DLL files. Windows follows a specific search order sequence when loading DLLs required by executables. Attackers exploit this sequence by placing malicious DLL files in directories that are searched first, causing the malicious DLL to load instead of the legitimate one.

The default DLL search order in Windows typically follows this sequence:

1. The directory from which the application is loaded (application directory).

2. The system directory (%SystemRoot%\System32).

3. The 16-bit system directory (%SystemRoot%\System).

4. The Windows directory (%SystemRoot%).

5. The current working directory (CWD).

6. Directories listed in the system PATH environment variable.

Attackers commonly exploit DLL Search Order Hijacking through the following methods:

• Planting Malicious DLLs in Application Directories: Attackers place malicious DLL files in the same directory as legitimate executables, causing the application to load the malicious DLL first.

• Leveraging Unsecured Directories in PATH Variable: Attackers exploit misconfigured or insecure directories included in the system's PATH environment variable by placing malicious DLLs in these directories.

• Abusing the Current Working Directory (CWD): Attackers place malicious DLLs in directories that applications use as their current working directory, causing DLLs to load from there.

• Exploiting Missing or Non-existent DLLs: Attackers identify applications attempting to load DLLs that do not exist by default, placing malicious DLLs with matching names to hijack execution flow.

Real-world procedures involve attackers performing reconnaissance to identify vulnerable applications, analyzing DLL loading behavior (using tools such as Process Monitor or Dependency Walker), and strategically placing malicious DLL files to hijack execution.

When this Technique is Usually Used

DLL Search Order Hijacking is employed in various attack scenarios and stages, including:

• Initial Access and Execution: Attackers may exploit vulnerable applications or installers during initial compromise to execute malicious DLL payloads.

• Privilege Escalation: Attackers use DLL hijacking against applications or services running with elevated privileges, allowing them to escalate privileges to SYSTEM or administrator-level access.

• Persistence: Attackers commonly leverage DLL Hijacking for persistent access by ensuring malicious DLLs are repeatedly loaded whenever compromised applications run.

• Defense Evasion: Malicious DLLs loaded through hijacking techniques blend into legitimate processes, making detection difficult and bypassing application allow-listing controls.

• Lateral Movement: Attackers may use DLL Hijacking to move laterally across networks, exploiting vulnerable software installations or misconfigured environments on multiple systems.

How this Technique is Usually Detected

Detection of DLL Search Order Hijacking involves monitoring and analyzing DLL loading behaviors and file system changes. Common detection methods and tools include:

• Process Monitoring Tools:

  • Sysinternals Process Monitor (ProcMon) to detect unusual DLL loading paths or unexpected DLL files.

  • Sysmon (System Monitor) configured to log image load events, identifying anomalous DLL loads.

• Endpoint Detection and Response (EDR) Solutions:

  • EDR tools that detect anomalous DLL loads, suspicious file placements, or unusual process behaviors indicative of DLL hijacking.

• File Integrity Monitoring (FIM):

  • Monitoring critical application directories, system directories, and directories in the PATH environment variable for unauthorized or unexpected DLL files.

• Behavioral Analysis and Anomaly Detection:

  • Monitoring application behavior for unexpected DLL loads, especially from directories typically unused or directories with lower trust levels.

• Indicators of Compromise (IoCs):

  • Presence of suspicious DLL files in application directories, temporary directories, or user-writable directories.

  • DLL files with unusual timestamps or metadata inconsistent with legitimate files.

  • Processes loading DLLs from unexpected or unauthorized locations.

Why it is Important to Detect This Technique

Detecting DLL Search Order Hijacking is critical due to its potential severe impacts on the security and stability of systems and networks. Importance includes:

• Preventing Unauthorized Code Execution: Early detection prevents attackers from executing malicious payloads through compromised DLL files, reducing risk of system compromise.

• Stopping Privilege Escalation Attempts: Detection helps prevent attackers from escalating privileges by exploiting vulnerable applications or services.

• Reducing Persistence and Lateral Movement: Early identification and remediation reduce the attacker's ability to maintain persistent access or move laterally across networks.

• Protecting Data Integrity and Confidentiality: Preventing malicious DLL execution safeguards sensitive data from theft, manipulation, or destruction.

• Maintaining System Stability and Reliability: Malicious DLLs can cause application crashes, instability, or performance degradation. Early detection helps maintain system reliability.

• Compliance and Regulatory Requirements: Timely detection and response to DLL hijacking incidents contribute to compliance with cybersecurity standards, regulations, and industry best practices.

Examples

Real-world examples demonstrating DLL Search Order Hijacking include:

• APT29 ("Cozy Bear") Campaigns:

  • Attackers leveraged DLL hijacking to gain persistence by placing malicious DLLs in directories of legitimate applications, causing malicious payloads to load during application startup.

• PlugX Malware:

  • PlugX malware commonly uses DLL hijacking techniques by placing malicious DLLs in directories of legitimate executable files, ensuring persistent execution of malicious payloads.

• Operation Cloud Hopper (APT10):

  • Attackers conducted DLL hijacking by placing malicious DLLs in legitimate software directories, thereby executing malicious code and maintaining persistence in compromised managed service providers (MSPs).

• FIN7 Group Attacks:

  • FIN7 attackers used DLL hijacking to inject malicious payloads into legitimate processes, evading detection and maintaining persistence in targeted retail and hospitality networks.

• Banking Trojan Attacks (e.g., Dridex, Emotet):

  • Banking trojans have utilized DLL hijacking techniques to inject malicious DLLs into legitimate processes, capturing sensitive financial information and credentials.

Tools commonly used by attackers to facilitate DLL hijacking include:

• Process Monitor (ProcMon): Used by attackers during reconnaissance to identify vulnerable DLL loading behavior.

• Dependency Walker: Employed by attackers to analyze DLL dependencies and identify potential hijacking targets.

• DLL Proxying Tools: Attackers use custom DLL proxy tools to create malicious DLLs that forward legitimate functionality to original DLLs while executing malicious payloads.

Impacts observed in these attacks include unauthorized data exfiltration, persistent backdoors, privilege escalation, lateral movement, and significant operational disruptions.