MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1574.001: DLL Search Order Hijacking

Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.

There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL.

Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files. They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.

Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.

If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_defense_evasion: PT-CR-1209: Hijack_Load_Path_Library: Loading of libraries whose path is disguised as a legitimate path and contains "/windows/system32/" is detected
mitre_attck_privilege_escalation: PT-CR-1352: PrivEsc_via_StorSvc: A command with system privileges was executed after starting the StorSvc service
mitre_attck_privilege_escalation: PT-CR-460: DLL_Hijacking: An attempt to elevate account privileges by loading a malicious library is detected

Detection

IDDS0022Data source and componentFile: File ModificationDescription

Monitor for changed made to .manifest/.local redirection files, or file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious.

IDDS0011Data source and componentModule: Module LoadDescription

Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths.

IDDS0022Data source and componentFile: File CreationDescription

Monitor newly constructed .manifest and .local redirection files that do not correlate with software updates.

Mitigation

IDM1038NameExecution PreventionDescription

Adversaries may use new DLLs to execute this technique. Identify and block potentially malicious software executed through search order hijacking by using application control solutions capable of blocking DLLs loaded by legitimate software.

IDM1044NameRestrict Library LoadingDescription

Disallow loading of remote DLLs. This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+.

Enable Safe DLL Search Mode to force search for system DLLs in directories with greater restrictions (e.g. %SYSTEMROOT%)to be used before local directory DLLs (e.g. a user's home directory)

The Safe DLL Search Mode can be enabled via Group Policy at Computer Configuration > [Policies] > Administrative Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode. The associated Windows Registry key for this is located at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDLLSearchMode

IDM1047NameAuditDescription

Use auditing tools capable of detecting DLL search order hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for DLL hijacking weaknesses.

Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-by-side problems in software.