Introduction:
DLL (Dynamic Link Library) persistence attacks are a sophisticated class of threats that exploit legitimate and legacy features of the Windows operating system. This blog post covers three prevalent forms of DLL persistence: search order hijacking, phantom DLL hijacking, and DLL side-loading. For each, it explains the mechanism and the challenges it poses to defenders.
Search Order Hijacking:
Search order hijacking is a crafty technique in which adversaries manipulate the way Windows locates dynamically loaded libraries (DLLs).
When an executable runs, the loader follows a specific search order, starting with the executable's own directory and ending in system folders such as C:\Windows\System32. Attackers look for executables outside the System32 folder that load DLLs not protected by the KnownDLLs registry key, and place a malicious DLL of the same name in the executable's directory. Because that directory is searched first, the malicious code runs whenever the targeted application starts.
EXAMPLE:
If an executable is launched from the path "C:\ProgramFiles\Application\app.exe", the local directory for that execution is "C:\ProgramFiles\Application". The operating system searches this directory for the required DLLs before extending the search to other predefined locations, such as the Windows\System32 directory.
Search order hijacking takes advantage of this behavior: attackers place malicious DLLs in the local directory, or in another location that is searched before the legitimate library's location, so that their code is loaded instead of the legitimate library.
Example: Explorer.exe loading a hijackable DLL named "ntshrui.dll".
Detection and Mitigation:
Because the search order exists for backward compatibility, search order hijacking is difficult to fix at the platform level.
Forensic analysis that looks for newly created DLLs in unusual locations is therefore crucial. Cybersecurity professionals must stay vigilant and deploy robust security measures to mitigate the risks associated with this form of attack.
Phantom DLL Hijacking:
1. Exploiting Legacy Dependencies:
This technique targets applications that still attempt to load unneeded, outdated DLLs even though the files no longer exist on the system.
Attackers leverage this behavior by supplying a malicious file with the same name as the long-forgotten DLL; the application loads it as if it were the original.
Example: Attackers replacing "fxsst.dll" (Fax Service) documented by Mandiant.
2. Real-World Usage:
The malicious file executes whenever the application loads the missing DLL.
This gives attackers code execution without touching the application itself, which demonstrates the effectiveness of phantom DLL hijacking.
Example: Replacement of the "fxsst.dll" (Fax Service) DLL in the System32 folder.
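To make the search order and KnownDLLs behaviour described above (and the phantom DLL case just discussed) concrete, here is an added defensive audit script; it is not code from the original post. It models a simplified Windows loader search order over a constructed file inventory, then flags for each import of an executable whether a copy in the application directory would shadow the System32 copy (search order hijack candidate), whether no copy exists anywhere (phantom DLL candidate), or whether the DLL would load from an unexpected directory. The file paths, import list, and SafeDllSearchMode handling are assumptions for illustration, not data from a real host.

```python
import ntpath

SYSTEM32 = r"C:\Windows\System32"   # simplified model: the 16-bit system dir is omitted
WINDIR = r"C:\Windows"

def search_order(app_dir, cwd, path_dirs=(), safe_search=True):
    """Loader search order for a DLL not in KnownDLLs. SafeDllSearchMode (on by default)
    pushes the current directory behind the system dirs; off puts it right after app dir."""
    order = [app_dir, SYSTEM32, WINDIR]
    order.insert(3 if safe_search else 1, cwd)
    return order + list(path_dirs)

def resolve(dll, order, inventory):
    """First path along the search order that exists in the lowercased inventory, else None."""
    candidates = (ntpath.join(directory, dll).lower() for directory in order)
    return next((c for c in candidates if c in inventory), None)

def audit(exe_path, imports, files, known_dlls, cwd, path_dirs=(), safe_search=True):
    """Verdict per import: known (KnownDLLs, served from System32), phantom (no copy
    anywhere: phantom DLL candidate), shadowed (app-dir copy overrides a System32 copy:
    search order hijack candidate), unusual (loaded from cwd or PATH), or ok."""
    app_dir = ntpath.dirname(exe_path)
    inventory = {p.lower() for p in files}
    known = {k.lower() for k in known_dlls}
    order = search_order(app_dir, cwd, path_dirs, safe_search)
    report = {}
    for dll in imports:
        name = dll.lower()
        hit = None if name in known else resolve(name, order, inventory)
        if name in known:
            report[dll] = "known"
        elif hit is None:
            report[dll] = "phantom"
        elif ntpath.dirname(hit) == app_dir.lower() and ntpath.join(SYSTEM32, name).lower() in inventory:
            report[dll] = "shadowed"
        elif ntpath.dirname(hit) not in (app_dir.lower(), SYSTEM32.lower(), WINDIR.lower()):
            report[dll] = "unusual"
        else:
            report[dll] = "ok"
    return report

# Constructed file inventory and import list echoing the post's examples; not real host data.
FILES = {r"C:\ProgramFiles\Application\app.exe", r"C:\ProgramFiles\Application\ntshrui.dll",
         r"C:\Windows\System32\ntshrui.dll", r"C:\Windows\System32\version.dll",
         r"C:\Windows\System32\kernel32.dll", r"C:\Users\Public\Downloads\version.dll"}
IMPORTS = ["kernel32.dll", "ntshrui.dll", "fxsst.dll", "version.dll"]

def run(safe_search=True):
    # Audit app.exe started with its current directory set to a user-writable folder.
    return audit(r"C:\ProgramFiles\Application\app.exe", IMPORTS, FILES, ["kernel32.dll"],
                 cwd=r"C:\Users\Public\Downloads", safe_search=safe_search)
```

Running `run(True)` and `run(False)` side by side shows why SafeDllSearchMode matters: with it disabled, version.dll is picked up from the current directory instead of System32. On a real host the inventory and import list would come from a file listing and the executable's import table.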
DLL Side-Loading:
1. Leveraging Windows SxS Functionality:
Abuses the Windows Side-by-Side (SxS) DLL loading mechanism to introduce a supposedly "updated" version of a DLL.
SxS is a legitimate feature that applications use to avoid conflicts between DLL versions.
2. Exploitation Tactics:
Abuses SxS through missing DLLs, relative paths, and shortcuts that application developers did not consider.
Used to circumvent AV protections, since a known-good, signed executable can serve as the persistence mechanism while the malicious code lives in the side-loaded DLL.
Example: PlugX RAT utilizes SxS during runtime to load a malicious DLL in memory.
3. Detection and Mitigation:
Identify new executables and helper files added to the system during an attack.
Continuous monitoring and security awareness are needed to thwart DLL side-loading attempts.
Example: PlugX RAT dropping a legitimate executable and using DLL side-loading during runtime.
Detection and Mitigation:
Identifying new executables and helper files added to the system during an attack is crucial for detecting DLL side-loading. Cybersecurity professionals should stay informed about emerging techniques and deploy comprehensive security measures to counter these evolving threats.
Conclusion: DLL persistence attacks continue to pose significant challenges in the cybersecurity landscape. Understanding the intricacies of search order hijacking, phantom DLL hijacking, and DLL side-loading is essential for devising effective detection and mitigation strategies.
For Part 5, WMI Event Consumer Backdoors: I have already created a bunch of blogs which help you deep dive into WMI and the attacks related to it.
Go to the Keynotes tab, where you will find the WMI-related blogs combined in one group:
Happy
Akash Patel