Understanding DLL Hijacking / WMI: A Practical Guide
- Jan 22, 2024
- 3 min read
Updated: Feb 12
Introduction
DLL hijacking is a technique used by attackers to exploit the way Windows applications load dynamic link libraries (DLLs). By manipulating how these files are searched for and executed, attackers can gain unauthorized code execution, often with high privileges.
--------------------------------------------------------------------------------------------------------
1. Search Order Hijacking: Exploiting Windows’ Default Behavior
When an application in Windows loads a DLL, it follows a predefined search order to locate the required file. This search order usually begins with the local directory of the executable and progresses through system folders like C:\Windows\System32.
However, if an attacker places a malicious DLL in an unprotected location where the application looks first, they can trick the system into loading their code instead of the legitimate DLL.
For example, Windows Explorer (explorer.exe) loads ntshrui.dll, which is typically stored in C:\Windows\System32. Because explorer.exe itself lives in C:\Windows, that application directory is searched before System32, so if an attacker can drop their own version of ntshrui.dll in C:\Windows, Explorer will load the malicious file instead, ensuring execution every time the desktop starts.
Detection & Mitigation:
Monitor for new DLL files appearing in unusual directories.
Use forensic analysis tools to track DLL creation timestamps.
Enforce application whitelisting to prevent unauthorized DLL execution.
--------------------------------------------------------------------------------------------------------
2. Phantom DLL Hijacking: Leveraging Nonexistent Files
Some applications attempt to load outdated DLLs that no longer exist in modern Windows systems. Attackers can take advantage of this by placing a malicious DLL with the same name in a location where the system expects to find it.
Real-World Example:
Mandiant discovered a case where attackers replaced fxsst.dll (Fax Service DLL) in System32, allowing their malicious payload to execute whenever the system tried to load the file.
Detection & Mitigation:
Track failed DLL load attempts to identify missing DLLs that attackers might exploit.
Audit software dependencies to remove references to outdated DLLs.
Restrict write permissions to critical system folders.
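The search-order reasoning behind sections 1 and 2 can be checked mechanically. The following added example (not code from the original post) models the Windows DLL search order for one executable and reports which searched directories could shadow the legitimate DLL; a phantom DLL is modelled as having no legitimate directory at all. Every path and writable-directory set in it is constructed for illustration.

```python
# Added example: audit the Windows DLL search order for a given executable.
# Directory lists and writable-directory sets below are constructed.
from pathlib import PureWindowsPath

def _norm(path):
    # Windows paths are case-insensitive; compare on a normalised form.
    return str(PureWindowsPath(path)).lower().rstrip("\\")

def dll_search_order(exe_path, system_root=r"C:\Windows", cwd=None,
                     path_env=(), safe_dll_search_mode=True):
    """Directories searched, in order, for a DLL that is neither a KnownDLL
    nor already loaded (SafeDllSearchMode is on by default)."""
    order = [str(PureWindowsPath(exe_path).parent)]
    if not safe_dll_search_mode and cwd:
        order.append(cwd)                  # legacy mode: CWD searched second
    order += [system_root + r"\System32", system_root + r"\System", system_root]
    if safe_dll_search_mode and cwd:
        order.append(cwd)                  # safe mode: CWD after the Windows dir
    order += list(path_env)
    seen, unique = set(), []
    for d in order:                        # PATH often repeats system dirs
        if _norm(d) not in seen:
            seen.add(_norm(d))
            unique.append(d)
    return unique

def shadowing_dirs(exe_path, legit_dir=None, **kw):
    """Directories searched *before* the one holding the real DLL.
    legit_dir=None models a phantom DLL: every directory is a candidate."""
    result = []
    for d in dll_search_order(exe_path, **kw):
        if legit_dir is not None and _norm(d) == _norm(legit_dir):
            break
        result.append(d)
    return result

def risky_dirs(exe_path, legit_dir, user_writable, **kw):
    """Shadowing directories a standard user can write to, i.e. the ones
    that need no admin rights to plant a DLL in and so should be locked down."""
    writable = {_norm(d) for d in user_writable}
    return [d for d in shadowing_dirs(exe_path, legit_dir, **kw)
            if _norm(d) in writable]

if __name__ == "__main__":
    # explorer.exe loading ntshrui.dll (real copy in System32): only C:\Windows
    # is searched first, and that directory is admin-only on a default install.
    print(shadowing_dirs(r"C:\Windows\explorer.exe", r"C:\Windows\System32"))
    # Constructed: a tool run from a user profile, a DLL that no longer exists
    # (phantom), and a user-writable PATH entry.
    print(risky_dirs(r"C:\Users\alice\Tools\tool.exe", None,
                     [r"C:\Users\alice\Tools", r"C:\Users\alice\bin"],
                     path_env=[r"C:\Windows\System32", r"C:\Users\alice\bin"]))
```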
--------------------------------------------------------------------------------------------------------
3. DLL Side-Loading: Exploiting Trusted Applications
Side-loading occurs when attackers drop a malicious DLL into the same directory as a trusted application. Some applications use Windows’ Side-by-Side (SxS) mechanism to manage DLL versions, and attackers abuse this by getting a legitimate program to load their DLL in place of the one it expects.
One famous example is PlugX RAT, which drops a legitimate executable (e.g., signed by Microsoft) alongside a malicious DLL. The application then loads the malicious DLL, and because the loading process is a trusted, signed binary, traditional security checks are bypassed.
Detection & Mitigation:
Track new executable-DLL pairs appearing in unusual locations.
Use behavioral analysis tools to monitor abnormal application activity.
Restrict DLL loading to specific, verified directories using AppLocker or Windows Defender Application Control.
----------------------------------------------------------------------------------------------------------
4. Relative Path Hijacking: Bring Your Own Executable (BYOE)
In this attack, rather than tampering with system folders, attackers copy a vulnerable executable to a location they control, along with a malicious DLL. Since Windows prioritizes loading DLLs from the same directory as the executable, their payload gets executed.
Example:
APT32 (Ocean Lotus) used McAfee’s mcoemcpy.exe by copying it to an unusual directory (C:\ProgramData) along with a malicious McUtil.dll. Since mcoemcpy.exe expected to find McUtil.dll in the same folder, it loaded the attacker’s DLL instead.
Detection & Mitigation:
Monitor for system binaries appearing in non-standard locations.
Use process monitoring to detect unusual DLL loads.
Restrict execution privileges in user-writable directories.
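The detection bullets of sections 1 to 4 amount to three rules over image-load telemetry. The following added example (not code from the original post) runs those rules over constructed Sysmon-style Event ID 7 records; the known-DLL table, the expected-directory baseline and the ProcessSigned enrichment field (not a native Event 7 field, assumed to be joined in from the process-creation event) are all constructed for illustration.

```python
# Added example: three DLL-hijacking detection rules over constructed
# Sysmon-style image-load records. Tables and records are constructed.
from pathlib import PureWindowsPath

SYSTEM32 = r"c:\windows\system32"
# DLLs that should only ever be mapped from System32 (constructed sample).
KNOWN_SYSTEM_DLLS = {"ntshrui.dll", "version.dll"}
# Baseline of where a given binary normally lives (constructed sample).
EXPECTED_EXE_DIRS = {"mcoemcpy.exe": r"c:\program files\vendor"}
# Roots where a signed binary legitimately loads sibling DLLs.
TRUSTED_APP_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")

def _dir(path):
    return str(PureWindowsPath(path).parent).lower()

def _name(path):
    return PureWindowsPath(path).name.lower()

def classify(ev):
    """Return the names of the rules one image-load record triggers."""
    hits = []
    exe_dir, dll_dir = _dir(ev["Image"]), _dir(ev["ImageLoaded"])
    exe_name, dll_name = _name(ev["Image"]), _name(ev["ImageLoaded"])
    dll_signed = ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid"
    # Rule 1 (search-order / phantom): a system DLL mapped from outside System32.
    if dll_name in KNOWN_SYSTEM_DLLS and dll_dir != SYSTEM32:
        hits.append("known_dll_outside_system32")
    # Rule 2 (side-loading): a signed process loading an unsigned DLL from its
    # own directory, outside the normal install roots.
    if (ev.get("ProcessSigned") == "true" and not dll_signed
            and dll_dir == exe_dir and not exe_dir.startswith(TRUSTED_APP_ROOTS)):
        hits.append("unsigned_sideload")
    # Rule 3 (BYOE): a baselined binary running from a non-standard directory.
    expected = EXPECTED_EXE_DIRS.get(exe_name)
    if expected and exe_dir != expected:
        hits.append("relocated_known_binary")
    return hits

def scan(events):
    """(Image, ImageLoaded, rules) for every record that triggers a rule."""
    return [(ev["Image"], ev["ImageLoaded"], classify(ev))
            for ev in events if classify(ev)]

EVENTS = [  # constructed records mirroring the post's examples
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Windows\ntshrui.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "ProcessSigned": "true"},
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Windows\System32\ntshrui.dll",
     "Signed": "true", "SignatureStatus": "Valid", "ProcessSigned": "true"},
    {"Image": r"C:\ProgramData\mcoemcpy.exe", "ImageLoaded": r"C:\ProgramData\McUtil.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "ProcessSigned": "true"},
]

if __name__ == "__main__":
    for image, loaded, rules in scan(EVENTS):
        print(f"{image} -> {loaded}: {', '.join(rules)}")
```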
----------------------------------------------------------------------------------------------------------
Defending Against DLL Hijacking
Despite being a stealthy technique, DLL hijacking can be detected with careful monitoring and forensic analysis.
File System Auditing:
Track newly created DLLs and executables.
Monitor sensitive directories for unauthorized changes.
Memory Forensics:
Analyze running processes for DLLs loaded from unusual locations.
Use tools like Velociraptor to detect forwarded function abuse.
Behavioral Analysis:
Look for suspicious processes making network connections or injecting into other processes.
Track processes attempting to load non-standard DLLs.
System Hardening:
Enable Microsoft’s Exploit Protection to validate DLL integrity.
Configure AppLocker/Device Guard to restrict unauthorized DLL execution.
Regularly update software to remove outdated DLL dependencies.
----------------------------------------------------------------------------------------------------------
Conclusion
DLL hijacking remains a powerful and widely used attack technique by adversaries, but with proper monitoring, forensic investigation, and system hardening, it can be effectively mitigated. Security teams should stay vigilant by implementing proactive detection techniques and restricting unauthorized DLL execution paths.
By understanding and applying these techniques, you can significantly reduce the risk of DLL hijacking in your environment!
-----------------------------------------------------------------------------------------------------
Mastering WMI: Event Consumers, Persistence, and Detection
I've created a comprehensive series on Windows Management Instrumentation (WMI), covering its capabilities, stealthy persistence techniques, and detection strategies. Explore the depths of WMI with the following articles:
🔹 Dive into WMI Capabilities and Stealthy Persistence Techniques
🔹 Detecting WMI-Based Attacks
🔹 Understanding WMI Event Consumers
🔹 The Intricacies of MOF Files
🔹 Hunting Malicious WMI Activity
I’ve already written multiple blogs that provide an in-depth analysis of WMI-based attacks.
📌 Do check out the articles above.
------------------------------------------Dean-------------------------------------------