DLL hijacking is an attack in which a malicious Dynamic Link Library (DLL) is placed where a vulnerable application will find and load it in place of the library it expected. Cybersecurity researchers at Security Joes recently documented a DLL hijacking variant that abuses trusted executables stored in the Windows WinSxS folder, letting threat actors run their code inside a Microsoft-signed process without dropping an executable of their own.
The technique is a form of DLL Search Order Hijacking: the attacker launches a legitimate executable from the WinSxS folder and has it load a malicious DLL, so the payload runs under a binary that lives inside the Windows directory and no additional attacker-supplied binary is needed. It works on both Windows 10 and Windows 11 and does not require elevated privileges, because the attacker never has to write into a protected system directory; the DLL sits in a folder the attacker already controls.
DLL Search Order Hijacking abuses the way Windows resolves a DLL that an application loads by file name alone, without an absolute path. Windows then probes a fixed sequence of directories (with SafeDllSearchMode enabled, the default: the application's own directory, the System32 directory, the 16-bit System directory, the Windows directory, the current working directory, and finally the directories on PATH) and loads the first matching file it finds. The technique works whenever a developer has loaded a library by bare name and no copy of that library exists in a directory that is searched earlier than one the attacker can write to.
Understanding how Windows locates DLLs and executables therefore matters: the lookup walks several directories and environment variables in a fixed order, and an attacker who controls a directory that is searched before the legitimate library is found can inject unauthorized code into a trusted process. That misleads security tools and analysts that judge a process by its signed on-disk image rather than by what it loaded.
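To make the search order concrete, here is an added simulation (not Security Joes' tooling, and not code from the original article) that walks the SafeDllSearchMode directory list over a constructed filesystem snapshot. The component folder name, `tool.exe`, `helper.dll` and the user paths are all hypothetical; the point is that a WinSxS executable's own directory and System32 are unwritable, so the attacker's copy in the current working directory wins only when nothing earlier in the order satisfies the request:

```python
"""Simulation of the Windows DLL search order (SafeDllSearchMode on).

Illustration only: this is not Security Joes' tooling and no real WinSxS
component or DLL names are used; every path below is constructed."""
from __future__ import annotations

from pathlib import PureWindowsPath

WINDIR = r"C:\Windows"


def search_order(app_dir: str, cwd: str, path_dirs: list[str] | None = None) -> list[str]:
    """Directories probed, in order, for a DLL loaded by bare name.

    Known DLLs and modules already mapped in the process are resolved before
    any directory is touched; the simulation ignores that short-cut."""
    return [
        app_dir,                 # 1. directory containing the executable
        rf"{WINDIR}\System32",   # 2. system directory
        rf"{WINDIR}\System",     # 3. 16-bit system directory
        WINDIR,                  # 4. Windows directory
        cwd,                     # 5. current working directory
        *(path_dirs or []),      # 6. each directory on PATH
    ]


def _key(path: str) -> str:
    """Windows paths are case-insensitive; normalise before comparing."""
    return str(PureWindowsPath(path)).lower()


def resolve_dll(name: str, app_dir: str, cwd: str, files: set[str],
                path_dirs: list[str] | None = None) -> str | None:
    """Return the first candidate that exists in the snapshot, else None."""
    present = {_key(f) for f in files}
    for directory in search_order(app_dir, cwd, path_dirs):
        candidate = str(PureWindowsPath(directory) / name)
        if _key(candidate) in present:
            return candidate
    return None


# Constructed scenario (hypothetical names): a signed executable under WinSxS
# loads "helper.dll" by bare name. The attacker cannot write to the
# application directory or to System32, but controls the directory the
# process is started from.
APP_DIR = r"C:\Windows\WinSxS\example_component_1.0.0.0"
ATTACKER_DIR = r"C:\Users\alice\Downloads\stage"

SNAPSHOT = {
    rf"{APP_DIR}\tool.exe",
    rf"{WINDIR}\System32\kernel32.dll",
    rf"{ATTACKER_DIR}\helper.dll",        # attacker's DLL in a writable folder
}
# Same system, but the vendor ships helper.dll in System32 (searched earlier).
HARDENED_SNAPSHOT = SNAPSHOT | {rf"{WINDIR}\System32\helper.dll"}


def demo() -> dict[str, str | None]:
    return {
        "hijacked": resolve_dll("helper.dll", APP_DIR, ATTACKER_DIR, SNAPSHOT),
        "shipped_in_system32": resolve_dll("helper.dll", APP_DIR, ATTACKER_DIR, HARDENED_SNAPSHOT),
        "system_dll": resolve_dll("kernel32.dll", APP_DIR, ATTACKER_DIR, SNAPSHOT),
    }


if __name__ == "__main__":
    for label, path in demo().items():
        print(f"{label}: {path}")
```

The "shipped_in_system32" case is the developer-side fix the search order implies: a library that exists in a directory searched before the current directory cannot be shadowed from a user-writable folder. The simulation does not model known DLLs or manifest redirection, so a real loader may resolve some names without consulting any directory at all.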
The WinSxS variant is stealthy because the host process is a legitimate Microsoft binary rather than something the attacker wrote. The WinSxS folder (the component store under C:\Windows\WinSxS) is a critical part of the operating system: it keeps multiple versions of system files side by side and preserves previous versions across updates, and the executables inside it are signed system components that security tooling tends to trust.
Key Purposes of WinSxS Folder:
- Version Management: stores multiple versions of the same component (DLLs, executables and their manifests) side by side, so applications can bind to the version they were built against.
- System Integrity: acts as the component store from which Windows servicing repairs or replaces corrupted system files.
- Dynamic Activation: lets Windows select the appropriate component version at run time through manifests and activation contexts instead of relying on one global copy.
Advantages of the New DLL Hijacking Technique:
- Circumventing High Privilege Requirements: the malicious DLL lives in a directory the attacker already controls, so no write access to protected system locations, and therefore no elevation, is needed.
- Eliminating the Need for Additional Binaries: the trusted WinSxS executable itself is the host, so the attacker drops only a DLL and no new executable has to be written to disk.
- Enhancing Stealth: the payload runs inside a signed Microsoft binary whose image path is under C:\Windows\WinSxS, which many tools and analysts treat as benign; the remaining indicators are the process's current directory, its parent process, and the non-Windows path of the DLL it loaded.
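Those remaining indicators are what a detection should key on. The following added example (not Security Joes' detection content, and not part of the original article) triages constructed Sysmon-style records: image-load events (Event ID 7 fields Image, ImageLoaded, Signed) and process-creation events (Event ID 1 fields Image, ParentImage, CurrentDirectory). The component folder, `tool.exe`, `helper.dll` and the user paths are hypothetical; the two rules flag a WinSxS-hosted process that loads a DLL from outside unwritable roots, and a WinSxS executable started from a user-writable directory or by an interactive shell:

```python
"""Triage of constructed Sysmon-style events for the WinSxS hijack pattern.

Illustration only (not Security Joes' detection content): the event records
below are made up and use hypothetical component and DLL names. Fields mirror
Sysmon Event ID 7 (Image, ImageLoaded, Signed) and Event ID 1 (Image,
ParentImage, CurrentDirectory)."""
from __future__ import annotations

from pathlib import PureWindowsPath

WINSXS = PureWindowsPath(r"C:\Windows\WinSxS")
# Roots a standard user cannot write to; a DLL loaded from anywhere else by a
# WinSxS-hosted process is worth a look.
TRUSTED_ROOTS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)
# Interactive shells are unusual parents for component-store binaries.
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _under(path: str, root: PureWindowsPath) -> bool:
    """True when path lies below root (PureWindowsPath compares case-insensitively)."""
    return root in PureWindowsPath(path).parents


def _trusted(path: str) -> bool:
    return any(_under(path, root) for root in TRUSTED_ROOTS)


def triage(events: list[dict]) -> list[dict]:
    """Return one finding for each event that matches either rule."""
    findings: list[dict] = []
    for ev in events:
        image = ev.get("Image", "")
        if not _under(image, WINSXS):
            continue  # only processes whose image lives in the component store
        if ev.get("EventID") == 7 and not _trusted(ev.get("ImageLoaded", "")):
            findings.append({
                "rule": "winsxs_exe_loaded_dll_from_untrusted_dir",
                "Image": image,
                "detail": ev["ImageLoaded"],
                "signed": ev.get("Signed", "unknown"),
            })
        elif ev.get("EventID") == 1:
            cwd = ev.get("CurrentDirectory", "")
            parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
            if not _trusted(cwd) or parent in SHELL_PARENTS:
                findings.append({
                    "rule": "winsxs_exe_started_from_untrusted_context",
                    "Image": image,
                    "detail": f"cwd={cwd} parent={parent}",
                })
    return findings


# Constructed sample log: one benign load, one hijack load, one unrelated
# process, one suspicious launch from a user folder via cmd.exe, one normal
# launch by a service host. All names are hypothetical.
TOOL = r"C:\Windows\WinSxS\example_component_1.0.0.0\tool.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": TOOL,
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": TOOL,
     "ImageLoaded": r"C:\Users\alice\Downloads\stage\helper.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "Signed": "true"},
    {"EventID": 1, "Image": TOOL,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CurrentDirectory": r"C:\Users\alice\Downloads\stage"},
    {"EventID": 1, "Image": TOOL,
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CurrentDirectory": r"C:\Windows\System32"},
]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Treating the whole C:\Windows tree as trusted is a simplification for the sample: some subfolders, C:\Windows\Temp for one, are writable by standard users and should be carved out of the trusted roots before this logic is used on real telemetry. Likewise the "Signed" field is reported, not relied on, because an attacker can also hijack with a validly signed but unexpected DLL.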
This discovery shows how components the operating system itself trusts can be repurposed by attackers. Defenders should watch for executables launched from the WinSxS folder, check what process spawned them and from which directory, and flag any DLL such a process loads from outside the Windows directories.