TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Black Hills InfoSec

Proxying Your Way to Code Execution – A Different Take on DLL Hijacking

BHIS · 2024-09-26

ATT&CK techniques detected

17 predictions
T1574.001 DLL · 99%
"…l sidejacking and sideloading but at a high level, DLL hijacking exploits the way Windows applications search for and load DLLs. When a process executes, it will look to load a series of DLLs in order to run properly. Sometimes a process will look in multiple locations on an …"
T1055.001 Dynamic-link Library Injection · 98%
"…r loved this blog? Join us for a free one-hour Black Hills Information Security (BHIS) webcast with the author, Matt Eidelberg, as he shares his latest research into new techniques which allow Windows users to side-load into native Windows processes. Learn more and registe…"
T1055.001 Dynamic-link Library Injection · 98%
"any user to write to the contents in that folder. This allows an attacker to drop a DLL into the same folder as the vulnerable DLL. Now, you can't have two DLLs with the same name in the same folder, so with this write permission, we can rename the DLL to whatever we want. This…"
T1055.001 Dynamic-link Library Injection · 98%
"…_modules\slimcore\bin\slimcv.dll Weaponizing them Once we have our DLL loaded into the process, we need something to trigger our code. Since we are proxying the functions to the legitimate DLL, the only way of running our malicious code is to put it in the DllMain function. U…"
T1546.015 Component Object Model Hijacking · 95%
"…l hijacking attacks in the traditional sense. Even with elevated permissions, it's not possible to access or write to these folders. This reduces the likelihood of exploiting these applications using traditional methods. However, if we monitor these applications starting up u…"
T1574.001 DLL · 89%
"program installs DLLs, these files are placed in directories with strict security permissions. These permissions ensure that only users with administrative privileges can write to or rename files in these directories. This protection mechanism is crucial, as it prevents low-pri…"
T1574.001 DLL · 84%
"can see that the legitimate one is referenced in the exports. I've observed the following DLLs susceptible to this attack. Microsoft Teams v2 or Microsoft Teams for work or school - C:\Users\{username}\AppData\Local\Microsoft\TeamsMeetingAddin\{version}\x64…"
T1137.005 Outlook Rules · 82%
"loaded by Outlook, leading to code execution in the Outlook process. All files in this directory can be modified by a low-privilege user. The AppData folder in Windows is a hidden system directory used to store application-specific data and settings for individual user accoun…"
T1546.015 Component Object Model Hijacking · 74%
"is one example, numerous applications and DLLs are susceptible to this because applications are looking in the HKCU section of the registry first. As you can see from the image below, this works, and we are able to force the new version of Outlook to load our DLL. While we only h…"
T1574.001 DLL · 73%
"it is just a matter of time before a new instance of msedge.exe is executed: Microsoft's second response We reached out to Microsoft again, stressing the importance of these issues. Microsoft responded with the following: “Upon review this does not meet any of the categories o…"
T1574.001 DLL · 66%
"….def) come into play. Definition files are text files containing one or more module statements that describe various attributes of a DLL. Using a .def file we can define all the exported functions and map them to the legitimate DLL that contains the requested function. Because of t…"
T1574.001 DLL · 62%
"Proxying Your Way to Code Execution – A Different Take on DLL Hijacking In the ever-evolving landscape of cybersecurity, attackers continually devise new methods to exploit vulnerabilities in endpoints to e…"
T1546.010 AppInit DLLs · 55%
"DLLs and registry keys in the HKCU\Software\Classes\CLSID\ section of the registry of an endpoint with numerous applications typically found in a business, we can observe which other applications load these DLLs. The result was an even larger number of both native Windows …"
T1055.001 Dynamic-link Library Injection · 54%
"…ls, which have become the focus of a lot of detection-based products. While highly effective, this technique does have its pitfalls. By hijacking a required DLL, an attacker can make the process unstable, or in most cases, cause the application to have missing functional…"
T1055.001 Dynamic-link Library Injection · 45%
"Proxying Your Way to Code Execution – A Different Take on DLL Hijacking In the ever-evolving landscape of cybersecurity, attackers continually devise new methods to exploit vulnerabilities in endpoints to e…"
T1137.005 Outlook Rules · 39%
"…. Process Monitor can be used to observe an application's ‘Load Image’ events, which occur when the application loads a DLL. By filtering out specific file locations, this makes it possible to identify DLLs that could be proxied. To begin hunting, we start by launching applic…"
T1090.002 External Proxy · 31%
"…ls, which have become the focus of a lot of detection-based products. While highly effective, this technique does have its pitfalls. By hijacking a required DLL, an attacker can make the process unstable, or in most cases, cause the application to have missing functional…"

Summary

While DLL hijacking attacks can take many different forms, this blog post explores a specific variant called DLL proxying: how it works, the risks it poses, and, briefly, the methodology for discovering DLLs that can be proxied. That methodology led to the discovery of several zero-day vulnerable DLLs that Microsoft has acknowledged but opted not to fix at this time.
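The discovery methodology the summary refers to (Process Monitor 'Load Image' events filtered by location, with the point that per-user HKCU CLSID registrations are consulted first), as an added PowerShell example that is not code from the post or from BHIS. It assumes the column names of Procmon's "Save as CSV" export, treats %SystemRoot% and the Program Files trees as the locations to filter out (the post does not say which locations it filtered), and runs on constructed sample rows with made-up process and DLL names; pass -CsvPath to run it over a real export instead.

```powershell
# Added example, not code from the BHIS post: the hunting filter applied to a Procmon CSV
# export, plus a listing of per-user CLSID registrations. Assumptions (mine): Procmon's
# "Save as CSV" header names, %SystemRoot% and the Program Files trees as the locations to
# drop, and the sample rows below, which are constructed (the DLL under %LOCALAPPDATA%\Temp
# need not exist; only its folder is probed).
param([string]$CsvPath)   # optional: a real Procmon CSV export

$sampleCsv = @"
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001 AM","OUTLOOK.EXE","4120","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS","Image Base: 0x7ff8a0000000"
"10:01:02.0000002 AM","OUTLOOK.EXE","4120","CreateFile","C:\Users\alice\AppData\Local\Temp\x.tmp","SUCCESS",""
"10:01:02.0000003 AM","OUTLOOK.EXE","4120","Load Image","C:\Program Files\ExampleVendor\core.dll","SUCCESS","Image Base: 0x7ff8a1000000"
"10:01:02.0000004 AM","OUTLOOK.EXE","4120","Load Image","C:\ExampleVendor\Locked\helper.dll","SUCCESS","Image Base: 0x7ff8a2000000"
"10:01:02.0000005 AM","OUTLOOK.EXE","4120","Load Image","$env:LOCALAPPDATA\Temp\example-addin.dll","SUCCESS","Image Base: 0x7ff8a3000000"
"@

function Test-DirectoryWritable {
    # Asks the OS instead of parsing ACLs: create and delete a probe file. That is what the
    # attacker needs (drop a DLL, rename the original), and it honours deny ACEs and group
    # membership that hand-rolled ACL checks get wrong. Returns $false for a missing folder.
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ('.probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllBytes($probe, [byte[]]@())
        [IO.File]::Delete($probe)
        return $true
    } catch { return $false }
}

function Find-ProxyCandidates {
    param([object[]]$Events)
    # Locations dropped from the hunt: admin-only trees a low-privilege user cannot write to.
    $protected = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
        Where-Object { $_.Length -gt 1 }
    $Events |
        Where-Object { $_.Operation -eq 'Load Image' -and $_.Path -like '*.dll' } |
        Where-Object { $p = $_.Path; -not ($protected | Where-Object { $p.StartsWith($_, 'OrdinalIgnoreCase') }) } |
        Sort-Object -Property Path -Unique |
        ForEach-Object {
            [pscustomobject]@{
                Process  = $_.'Process Name'
                Path     = $_.Path
                Writable = Test-DirectoryWritable -Dir (Split-Path -Path $_.Path -Parent)
            }
        }
}

function Find-UserClsidOverrides {
    # HKCU\Software\Classes is consulted before the machine-wide hive, so an InprocServer32
    # here wins for this account; one that shadows an HKLM entry is the classic hijack shape.
    Get-ChildItem -Path 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $inproc = Join-Path -Path $_.PSPath -ChildPath 'InprocServer32'
        if (Test-Path -LiteralPath $inproc) {
            $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
            [pscustomobject]@{
                Clsid          = $_.PSChildName
                Dll            = $dll
                Writable       = if ($dll) { Test-DirectoryWritable -Dir (Split-Path -Path $dll.Trim('"') -Parent) } else { $false }
                ShadowsMachine = Test-Path -LiteralPath ('HKLM:\Software\Classes\CLSID\{0}\InprocServer32' -f $_.PSChildName)
            }
        }
    }
}

$events = if ($CsvPath) { Import-Csv -LiteralPath $CsvPath } else { $sampleCsv -split "`r?`n" | ConvertFrom-Csv }
Find-ProxyCandidates -Events $events | Format-Table -AutoSize
Find-UserClsidOverrides | Format-Table -AutoSize
```

On the sample rows the kernel32 and Program Files loads are filtered out, the C:\ExampleVendor path reports Writable False because its folder does not exist, and the %LOCALAPPDATA%\Temp load reports Writable True, which is the "any user can write to that folder" condition the post exploits. Run it as the low-privilege user whose view you care about, not elevated, or the write probe will answer for the wrong identity.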

The post Proxying Your Way to Code Execution – A Different Take on DLL Hijacking appeared first on Black Hills Information Security, Inc.