CyberSecurityBoard
Sponsor Register Login

New DLL Search Order Hijacking Technique Targets WinSxS Folder

A new DLL search order hijacking technique allows adversaries to load and execute malicious code in applications within Windows' WinSxS folder, incident response company Security Joes reports.
Typically, DLL search order hijacking abuses applications that do not specify the full path of a required library or file, but rely on a predefined search order to locate it.
Attackers place a malicious DLL in a folder prioritized in the search order, typically in the application's working directory, so that it is loaded before the legitimate library the application needs.
In some instances, the attackers also drop a legitimate but vulnerable application to abuse for DLL loading.
According to the cybersecurity firm, attackers can deliberately target files located in the WinSxS folder to make their attacks stealthier while eliminating the need for dropping additional binaries or obtaining high privileges to execute code within applications located in a Windows folder.
The WinSxS folder stores various versions of important system files, including DLLs, ensuring application compatibility and system integrity, and facilitating the activation or deactivation of Windows features without additional installations.
As part of its research, the cybersecurity firm first identified a vulnerable binary within the WinSxS folder, then abused Windows' behavior when searching for system files to ensure that a crafted DLL placed in a custom folder on the desktop is loaded by the binary using DLL search order hijacking.
Some of the binaries in the WinSxS folder, the company discovered, were searching for DLLs in the custom desktop folder, suggesting that they would load the crafted library if it was to be renamed to match the expected DLL file the executables were searching for.
According to Security Joes, an attacker could launch a command from a shell that uses the custom folder as the working directory, without having to move the vulnerable binary outside the WinSxS folder.
By relying on vulnerable executables located in WinSxS, this technique improves and simplifies the infection chain relying on DLL search order hijacking, as it eliminates the need for dropping a vulnerable application.
The technique can be used to target Windows 10 and 11 systems, the cybersecurity firm points out.


This Cyber News was published on www.securityweek.com. Publication date: Tue, 02 Jan 2024 15:43:05 +0000


Cyber News related to New DLL Search Order Hijacking Technique Targets WinSxS Folder

New DLL Search Order Hijacking Technique Targets WinSxS Folder - A new DLL search order hijacking technique allows adversaries to load and execute malicious code in applications within Windows' WinSxS folder, incident response company Security Joes reports. Typically, DLL search order hijacking abuses applications ...
6 months ago Securityweek.com
Attackers Can Bypass Windows Security Using New DLL Hijacking - Threat actors using the DLL Hijacking technique for persistence have been the order of the day and have been utilized in several attacks. This attack method allows bypassing the privilege requirement for executing certain malicious codes on the ...
6 months ago Cybersecuritynews.com
New DLL Search Order Hijacking Variant Evades Windows 10 and 11 Protections - Security researchers have outlined a fresh variant of a dynamic link library search order hijacking technique, potentially enabling threat actors to circumvent security measures and execute malicious code on computers running Microsoft Windows 10 and ...
6 months ago Cysecurity.news
Side-by-Side with HelloJackHunter: Unveiling the Mysteries of WinSxS - As we know, Dynamic-link library(DLL) Side loading / DLL Hijacking is nothing new, nor is Windows Side-by-Side; however, side loading is handy from an adversarial tradecraft perspective, be it for establishing initial access, persistence, privilege ...
1 month ago Blog.zsec.uk
CVE-2005-2127 - Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for ...
5 years ago
30 Best Cyber Security Search Engines - In recent years, several search engines have been developed that are primarily focused on cyber security. In today's era, having all the necessary resources and search tools related to cyber security is crucial to staying protected against emerging ...
6 days ago Cybersecuritynews.com
Frustration grows over Google's AI Overviews feature, how to disable - Since Google enabled its AI-powered search feature, many people have tried and failed to disable the often incorrect AI Overviews feature in regular search results. When you're signed into Google and search for general topics like how to install one ...
1 month ago Bleepingcomputer.com
How to lock a file or folder in MacOS Finder - Of course, when you have those types of sensitive documents, you'd want them stored more securely than within a locked file. If the files are less sensitive yet you still don't want anyone monkeying with them, MacOS Finder has a feature that can help ...
5 months ago Zdnet.com
What Is the Android Files Safe Folder and How Do You Use It? - The Android Files safe folder is a great way to ensure that your files and data remain safe and secure on your Android device. The Files safe folder is a feature of the Android Files app, a part of the Google Files suite of app. This folder ...
1 year ago Zdnet.com
Purple teaming and the role of threat categorization - Red team assessment, penetration testing, and even purple team assessments are all designed to answer these questions. As attacks get more complex, these assessments struggle to provide comprehensive answers. These assessment services typically test ...
5 months ago Helpnetsecurity.com
EFF Helps News Organizations Push Back Against Legal Bullying from Cyber Mercenary Group - For the last several months, there has emerged a campaign of bullying and censorship seeking to wipe out stories about the mercenary hacking campaigns of a less well-known company, Appin Technology, in general, and the company's cofounder, Rajat ...
4 months ago Eff.org
CVE-2005-1990 - Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, ...
2 years ago
Why Biden's EO on AI Conflates the Role of Red-Teaming - The recent release of president Joe Biden's executive order on artificial intelligence marks a pivotal step toward establishing standards in an industry that has long operated without comprehensive regulations. What's concerning is the order's broad ...
6 months ago Securityboulevard.com
Proofpoint Exposes Sophisticated Social Engineering Attack on Recruiters That Infects Their Computers With Malware - Recruiters and anyone else involved in hiring processes should be knowledgeable about this social engineering attack threat. A new report from U.S.-based cybersecurity company Proofpoint exposes a new attack campaign operated by a ...
6 months ago Techrepublic.com
CVE-2018-6765 - Swisscom MySwisscomAssistant 2.17.1.1065 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. This vulnerability exists due to the way .dll files are loaded. It allows an ...
4 years ago
CVE-2010-3129 - Untrusted search path vulnerability in uTorrent 2.0.3 and earlier allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse plugin_dll.dll, userenv.dll, shfolder.dll, dnsapi.dll, ...
6 years ago
CVE-2014-8398 - Multiple untrusted search path vulnerabilities in Corel FastFlick allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) igfxcmrt32.dll, (2) ipl.dll, (3) MSPStyleLib.dll, (4) uFioUtil.dll, (5) ...
5 years ago
CVE-2021-45492 - In Sage 300 ERP (formerly accpac) through 6.8.x, the installer configures the C:\Sage\Sage300\Runtime directory to be the first entry in the system-wide PATH environment variable. However, this directory is writable by unprivileged users because the ...
10 months ago
Censys unveils two new product tiers to help researchers enhance their threat hunting work - Censys announced two new product tiers of its search tool, Censys Search Solo and Censys Search Teams. These additions are part of a series of strategic initiatives to enhance the security community, including the introduction of Threat Hunting Boot ...
6 months ago Helpnetsecurity.com
What is SEO Poisoning Attack? - Search engine optimization (SEO) poisoning is a type of cyber attack that infiltrates search results. It consists of malicious search engine results created by an attacker attempting to redirect someone to malicious or vulnerable webpages. It is a ...
1 year ago Heimdalsecurity.com
QuasarRAT Deploys Advanced DLL Side-Loading Technique - A recent research report by Uptycs has highlighted the evolution of QuasarRAT, an open-source remote administration tool known for its lightweight nature and range of malicious functions. According to an advisory published on Friday by Uptycs ...
7 months ago Infosecurity-magazine.com
From Social Engineering to DMARC Abuse: TA427's Art of Information Gathering - Key takeaways  TA427 regularly engages in benign conversation starter campaigns to establish contact with targets for long-term exchanges of information on topics of strategic importance to the North Korean regime. In addition to using specially ...
2 months ago Proofpoint.com
Biden Issues Executive Order on Safe, Secure AI - President Biden has issued an Executive Order to establish new standards for AI safety and security. The order follows previous actions the President has taken on responsible innovation, including work that led to 15 leading tech companies pledging ...
7 months ago Infosecurity-magazine.com
East Texas hospital network can't receive ambulances because of potential cybersecurity incident - GetTime();if(!(u<=a&&d<=l throw new RangeError("Invalid interval");return r.inclusive?u<=l&&d<=a:ut||isNaN(t. Step):1;if(s<1||isNaN(s throw new RangeError("`options. Step):1;if(l<1||isNaN(l throw new RangeError("`options. GetTime()<=n throw new ...
7 months ago Cnn.com
CVE-2019-18670 - In the Quick Access Service (QAAdminAgent.exe) in Acer Quick Access V2.01.3000 through 2.01.3027 and V3.00.3000 through V3.00.3008, a REGULAR user can load an arbitrary unsigned DLL into the signed service's process, which is running as NT ...
2 years ago

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)