A new way to hack Windows 10 and 11 using DLL substitution

Brother

An attacker can execute arbitrary code without elevating privileges.

Security company Security Joes identified a new variant of the DLL search order hijacking technique that attackers can use to bypass security mechanisms and execute malicious code on systems running Windows 10 and Windows 11.

According to the Security Joes report, the new approach uses executables from the trusted WinSxS folder and exploits them with the classic DLL search order hijacking technique. This approach lets an attacker avoid the need to elevate privileges when running malicious code on a compromised computer, and also lets them embed potentially vulnerable binaries into the attack chain.

The DLL Search Order Hijacking technique involves manipulating the order in which Windows searches for a DLL to load, so that a malicious payload is executed to bypass defenses, maintain persistence, and elevate privileges. Such attacks target applications that do not specify the full path to the libraries they need, but instead rely on a predefined search order to locate the required DLLs on disk.

Attackers exploit this behavior by moving legitimate system binaries to non-standard directories that contain malicious DLLs with names that match the legitimate ones, so that the malicious library is chosen instead of the real DLL.

Security Joes warns that there may be more binaries in the WinSxS folder that are susceptible to this DLL search order hijacking, so organizations should take appropriate precautions to prevent this method of exploitation from being used in their environments.

The company recommends that you carefully monitor all activities performed by binary files located in the WinSxS folder, focusing on both network communications and file operations.
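The monitoring recommendation above can be turned into a concrete detection over image-load telemetry (Sysmon Event ID 7 style records: process image, loaded DLL, path). The following is an added example written for this post; it is not Security Joes' tooling. The sample events, the WinSxS executable inventory (`placeholder_tool.exe` is a hypothetical name) and the list of system DLLs are all constructed here for illustration; a real deployment would generate both inventories from a directory listing of a reference Windows build rather than hard-coding them.

```python
"""Flag DLL search-order hijacking indicators in image-load events.

Three rules capture the shapes described in the post:
  1. an executable that normally lives in WinSxS is running from elsewhere,
  2. a well-known system DLL is resolved from a non-system directory,
  3. a DLL is loaded from the process's own directory and that directory
     is user-writable (the classic side-loading layout).
"""
import ntpath

# Constructed inventory of executables that reside under WinSxS (hypothetical
# name; build this from a directory listing in practice).
WINSXS_BINARY_NAMES = {"placeholder_tool.exe"}

# Constructed list of DLLs that should only ever load from system directories.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll"}

# Directories Windows protects with ACLs; everything else is "untrusted" here.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# Path fragments that usually indicate a location a standard user can write to.
USER_WRITABLE_HINTS = ("c:\\users\\", "c:\\programdata\\", "\\temp\\", "\\appdata\\")


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return ntpath.normpath(path).lower()


def in_trusted_dir(path: str) -> bool:
    return any(_norm(path).startswith(d) for d in TRUSTED_DIRS)


def looks_user_writable(path: str) -> bool:
    return any(h in _norm(path) for h in USER_WRITABLE_HINTS)


def analyze_event(event: dict) -> list:
    """Return the names of the rules that fire for one image-load event."""
    image, loaded = event["Image"], event["ImageLoaded"]
    findings = []

    # Rule 1: WinSxS binary copied/moved to a non-trusted directory.
    if ntpath.basename(image).lower() in WINSXS_BINARY_NAMES and not in_trusted_dir(image):
        findings.append("winsxs_binary_relocated")

    # Rule 2: a system DLL satisfied from outside the system directories.
    if ntpath.basename(loaded).lower() in SYSTEM_DLL_NAMES and not in_trusted_dir(loaded):
        findings.append("system_dll_from_untrusted_dir")

    # Rule 3: DLL resolved from the executable's own, user-writable directory.
    same_dir = ntpath.dirname(_norm(loaded)) == ntpath.dirname(_norm(image))
    if same_dir and looks_user_writable(image):
        findings.append("sideload_from_process_dir")

    return findings


def analyze_events(events: list) -> list:
    """Return only the events that triggered at least one rule."""
    results = []
    for ev in events:
        hits = analyze_event(ev)
        if hits:
            results.append({"Image": ev["Image"], "ImageLoaded": ev["ImageLoaded"], "rules": hits})
    return results


# Constructed sample telemetry: one benign load, one relocated WinSxS binary
# side-loading from Temp, one legitimate WinSxS load, one third-party app
# shipping its own copy of a system DLL name.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\placeholder_tool.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll"},
    {"Image": "C:\\Windows\\WinSxS\\amd64_placeholder_component\\placeholder_tool.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll"},
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\version.dll"},
]

if __name__ == "__main__":
    for hit in analyze_events(SAMPLE_EVENTS):
        print(hit)
```

Rule 3 on its own produces noise for legitimately self-contained applications, which is why the third-party sample only trips rule 2; in practice the rules are best combined with the process's signature status and with the network and file activity the report recommends watching.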