Path Interception by Search Order Hijacking

Information

• Name: Path Interception by Search Order Hijacking

• ID: T1574.008

• Tactics: TA0003, TA0004, TA0005

• Technique: T1574

Introduction

Path Interception by Search Order Hijacking (T1574.008) is a sub-technique within the MITRE ATT&CK framework, categorized under Hijack Execution Flow (T1574). It involves adversaries manipulating the order in which operating systems search for executable files or libraries. Attackers place malicious executables or libraries in directories searched before legitimate locations, causing the system to unknowingly execute attacker-controlled binaries. This technique enables adversaries to escalate privileges, maintain persistent access, and evade detection by masquerading as legitimate processes.

Deep Dive Into Technique

Path Interception by Search Order Hijacking exploits the behavior of operating systems that rely on environment variables and predefined search paths when loading programs or libraries. Attackers leverage weaknesses in how these search paths are resolved, inserting malicious payloads into directories that are searched before legitimate system paths.

Technical details include:

• DLL Search Order Hijacking (Windows):

  • Windows searches for DLL files in a specific order when an application does not explicitly specify the full path of a DLL.

  • Attackers place malicious DLL files in directories searched before legitimate DLL locations, causing the malicious DLL to load first.

  • Commonly exploited directories include the application's working directory, directories listed in the PATH environment variable, or user-writable directories.

• Executable Path Hijacking (Windows/Linux):

  • Attackers place malicious executables in directories appearing earlier in the PATH environment variable.

  • When users or automated scripts execute commands without specifying absolute paths, the malicious executable is executed instead of the legitimate binary.

• Unix/Linux Shared Object Hijacking:

  • Unix-like systems use environment variables like LD_LIBRARY_PATH or RPATH to determine shared library search order.

  • Attackers manipulate these variables or place malicious shared objects (.so files) in directories searched before legitimate library locations.

Attackers typically achieve this by:

• Modifying environment variables (e.g., PATH, LD_LIBRARY_PATH).

• Writing malicious files to writable directories such as user home folders, temporary directories, or application-specific directories.

• Exploiting vulnerabilities or misconfigurations that allow directory traversal and write permissions.

When this Technique is Usually Used

Attackers commonly utilize Path Interception by Search Order Hijacking during various stages of an attack lifecycle, including:

• Initial Access:

  • Exploiting vulnerable applications or installers that load DLLs or executables from predictable locations.

  • Social engineering users into executing malicious binaries placed in user-writable directories.

• Privilege Escalation:

  • Hijacking paths to execute malicious binaries with elevated privileges when legitimate administrative processes or services are launched.

• Persistence:

  • Ensuring continued access by placing malicious binaries or libraries in directories that legitimate applications regularly search, automatically executing malicious code upon system or application startup.

• Defense Evasion:

  • Masking malicious activities by running attacker-controlled binaries under the guise of legitimate system processes, making detection and attribution difficult.

How this Technique is Usually Detected

Detection strategies for Path Interception by Search Order Hijacking typically involve monitoring file system activities, environment variable changes, and process behaviors:

• File Integrity Monitoring (FIM):

  • Detect unexpected or unauthorized changes in critical directories, such as system directories, application directories, or directories defined in PATH variables.

• Behavioral Analysis:

  • Monitor processes loading DLLs or executables from unusual or non-standard locations.

  • Identify processes loading libraries or binaries from user-writable directories or temporary locations.

• Endpoint Detection and Response (EDR) Tools:

  • Detect suspicious DLL or executable loading behaviors, including DLL sideloading or search order hijacking.

  • Generate alerts on anomalous process execution paths or unusual environment variable modifications.

• Environment Variable Monitoring:

  • Track changes to critical environment variables (e.g., PATH, LD_LIBRARY_PATH) that could indicate attempts to manipulate search order.

Indicators of Compromise (IoCs) include:

• Unfamiliar or unsigned DLLs/executables in directories listed early in search paths.

• Suspicious DLLs or executables with names similar or identical to legitimate system components.

• Unexpected modifications to PATH or LD_LIBRARY_PATH environment variables.

• Anomalous process executions from temporary directories or user-writable locations.

Why it is Important to Detect This Technique

Detecting Path Interception by Search Order Hijacking is critical due to its significant potential impacts on systems and networks:

• Privilege Escalation:

  • Attackers can leverage this technique to execute malicious binaries with higher privileges, enabling further exploitation and lateral movement.

• Persistence:

  • Allows attackers to maintain long-term footholds in compromised environments, complicating remediation efforts.

• Defense Evasion:

  • Malicious binaries loaded via this technique often blend in with legitimate system processes, making detection and attribution challenging.

• Data Exfiltration and Espionage:

  • Attackers can leverage compromised binaries to steal sensitive data, credentials, or intellectual property without raising suspicion.

• System Instability and Disruption:

  • Malicious binaries introduced through search order hijacking can cause application crashes, system instability, or denial-of-service conditions.

Early detection and mitigation reduce the likelihood of significant damage, limit attacker dwell time, and simplify containment and remediation efforts.

Examples

Real-world examples demonstrating Path Interception by Search Order Hijacking include:

• DLL Hijacking in Windows Applications:

  • Attackers exploited vulnerabilities in widely used applications (e.g., browsers, media players, productivity software) that loaded DLLs from predictable locations.

  • Malicious DLLs placed in application directories or user-writable folders executed attacker-controlled code, enabling privilege escalation and persistence.

• APT29 (Cozy Bear):

  • Known to use DLL search order hijacking techniques to maintain persistence and evade detection.

  • Placed malicious DLLs in directories searched before legitimate ones, causing legitimate applications to load attacker-controlled DLLs.

• Winnti Group:

  • Employed DLL sideloading and search order hijacking to distribute malicious payloads.

  • Leveraged legitimate signed executables to load malicious DLLs from directories attackers controlled, bypassing security controls.

• Unix/Linux Shared Object Hijacking:

  • Attackers manipulated LD_LIBRARY_PATH environment variables to load malicious shared objects (.so files) before legitimate libraries.

  • Allowed attackers to execute arbitrary code under the context of trusted applications, enabling stealthy persistence and privilege escalation.

In these examples, attackers successfully leveraged Path Interception by Search Order Hijacking to escalate privileges, maintain persistent access, evade defenses, and execute malicious payloads, underscoring the importance of proactive detection and mitigation strategies.