CyberSecurityBoard
Sponsor Register Login

New DLL Search Order Hijacking Technique Targets WinSxS Folder

A new DLL search order hijacking technique allows adversaries to load and execute malicious code in applications within Windows' WinSxS folder, incident response company Security Joes reports.
Typically, DLL search order hijacking abuses applications that do not specify the full path of a required library or file, but rely on a predefined search order to locate it.
Attackers place a malicious DLL in a folder prioritized in the search order, typically in the application's working directory, so that it is loaded before the legitimate library the application needs.
In some instances, the attackers also drop a legitimate but vulnerable application to abuse for DLL loading.
According to the cybersecurity firm, attackers can deliberately target files located in the WinSxS folder to make their attacks stealthier while eliminating the need for dropping additional binaries or obtaining high privileges to execute code within applications located in a Windows folder.
The WinSxS folder stores various versions of important system files, including DLLs, ensuring application compatibility and system integrity, and facilitating the activation or deactivation of Windows features without additional installations.
As part of its research, the cybersecurity firm first identified a vulnerable binary within the WinSxS folder, then abused Windows' behavior when searching for system files to ensure that a crafted DLL placed in a custom folder on the desktop is loaded by the binary using DLL search order hijacking.
Some of the binaries in the WinSxS folder, the company discovered, were searching for DLLs in the custom desktop folder, suggesting that they would load the crafted library if it was to be renamed to match the expected DLL file the executables were searching for.
According to Security Joes, an attacker could launch a command from a shell that uses the custom folder as the working directory, without having to move the vulnerable binary outside the WinSxS folder.
By relying on vulnerable executables located in WinSxS, this technique improves and simplifies the infection chain relying on DLL search order hijacking, as it eliminates the need for dropping a vulnerable application.
The technique can be used to target Windows 10 and 11 systems, the cybersecurity firm points out.


This Cyber News was published on www.securityweek.com. Publication date: Tue, 02 Jan 2024 15:43:05 +0000


Cyber News related to New DLL Search Order Hijacking Technique Targets WinSxS Folder

New DLL Search Order Hijacking Technique Targets WinSxS Folder - A new DLL search order hijacking technique allows adversaries to load and execute malicious code in applications within Windows' WinSxS folder, incident response company Security Joes reports. Typically, DLL search order hijacking abuses applications ...
1 year ago Securityweek.com
Attackers Can Bypass Windows Security Using New DLL Hijacking - Threat actors using the DLL Hijacking technique for persistence have been the order of the day and have been utilized in several attacks. This attack method allows bypassing the privilege requirement for executing certain malicious codes on the ...
1 year ago Cybersecuritynews.com
New DLL Search Order Hijacking Variant Evades Windows 10 and 11 Protections - Security researchers have outlined a fresh variant of a dynamic link library search order hijacking technique, potentially enabling threat actors to circumvent security measures and execute malicious code on computers running Microsoft Windows 10 and ...
1 year ago Cysecurity.news
Side-by-Side with HelloJackHunter: Unveiling the Mysteries of WinSxS - As we know, Dynamic-link library(DLL) Side loading / DLL Hijacking is nothing new, nor is Windows Side-by-Side; however, side loading is handy from an adversarial tradecraft perspective, be it for establishing initial access, persistence, privilege ...
1 year ago Blog.zsec.uk Equation
CVE-2005-2127 - Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for ...
6 years ago
30 Best Cyber Security Search Engines - In recent years, several search engines have been developed that are primarily focused on cyber security. In today's era, having all the necessary resources and search tools related to cyber security is crucial to staying protected against emerging ...
11 months ago Cybersecuritynews.com
New Stealthy Malware 'Waiting Thread Hijacking' Technique Bypasses Modern Defenses - Unlike traditional thread hijacking, which requires suspending and resuming threads using easily monitored APIs like SuspendThread and ResumeThread, WTH targets threads already in a waiting state, eliminating the need for suspicious thread ...
2 months ago Cybersecuritynews.com
Threat Actors Exploiting DLL Side-Loading Vulnerability in Google Chrome to Execute Malicious Payloads - Cybersecurity researchers have identified a concerning new attack vector where threat actors are actively exploiting a vulnerability in Google Chrome version 133.0.6943.126 through DLL side-loading techniques. This sophisticated attack allows ...
3 months ago Cybersecuritynews.com
Frustration grows over Google's AI Overviews feature, how to disable - Since Google enabled its AI-powered search feature, many people have tried and failed to disable the often incorrect AI Overviews feature in regular search results. When you're signed into Google and search for general topics like how to install one ...
1 year ago Bleepingcomputer.com
CVE-2025-4455 - A vulnerability was found in Patch My PC Home Updater up to 5.1.3.0. It has been rated as critical. This issue affects some unknown processing in the library ...
1 month ago
Hackers Employ DLL Side-Loading To Deliver Malicious Python Code - DLL side-loading exploits the Windows DLL search order mechanism, where attackers place malicious DLL files in locations where legitimate applications will load them instead of the intended legitimate libraries. The technique enables attackers to ...
3 months ago Cybersecuritynews.com
Microsoft: Windows 'inetpub' folder created by security fix, don’t delete - While Redmond still has to explain why the security updates are creating this folder in the first place, the company updated the advisory for a Windows Process Activation elevation of privilege vulnerability (tracked as CVE-2025-21204) overnight to ...
2 months ago Bleepingcomputer.com CVE-2025-21204
EFF Helps News Organizations Push Back Against Legal Bullying from Cyber Mercenary Group - For the last several months, there has emerged a campaign of bullying and censorship seeking to wipe out stories about the mercenary hacking campaigns of a less well-known company, Appin Technology, in general, and the company's cofounder, Rajat ...
1 year ago Eff.org
CVE-2005-1990 - Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, ...
3 years ago
Windows "inetpub" security fix can be abused to block future updates - After people installed this month's Microsoft Patch Tuesday security updates, Windows users suddenly found an "inetpub" folder owned by the SYSTEM account created in the root of the system drive, normally the C: drive. In an update to a security ...
1 month ago Bleepingcomputer.com CVE-2025-21204
Purple teaming and the role of threat categorization - Red team assessment, penetration testing, and even purple team assessments are all designed to answer these questions. As attacks get more complex, these assessments struggle to provide comprehensive answers. These assessment services typically test ...
1 year ago Helpnetsecurity.com
Mustang Panda Employs Using Weaponized RAR Archives to Install New ToneShell Malware - The threat actor has been observed utilizing weaponized RAR archives containing malicious DLLs alongside legitimate signed executables to deploy updated variants of ToneShell malware through DLL sideloading techniques. Security researchers have ...
2 months ago Cybersecuritynews.com Mustang Panda
CVE-2018-6765 - Swisscom MySwisscomAssistant 2.17.1.1065 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. This vulnerability exists due to the way .dll files are loaded. It allows an ...
5 years ago
Why Biden's EO on AI Conflates the Role of Red-Teaming - The recent release of president Joe Biden's executive order on artificial intelligence marks a pivotal step toward establishing standards in an industry that has long operated without comprehensive regulations. What's concerning is the order's broad ...
1 year ago Securityboulevard.com
CVE-2010-3129 - Untrusted search path vulnerability in uTorrent 2.0.3 and earlier allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse plugin_dll.dll, userenv.dll, shfolder.dll, dnsapi.dll, ...
7 years ago
CVE-2014-8398 - Multiple untrusted search path vulnerabilities in Corel FastFlick allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) igfxcmrt32.dll, (2) ipl.dll, (3) MSPStyleLib.dll, (4) uFioUtil.dll, (5) ...
6 years ago
CVE-2021-45492 - In Sage 300 ERP (formerly accpac) through 6.8.x, the installer configures the C:\Sage\Sage300\Runtime directory to be the first entry in the system-wide PATH environment variable. However, this directory is writable by unprivileged users because the ...
1 year ago
Censys unveils two new product tiers to help researchers enhance their threat hunting work - Censys announced two new product tiers of its search tool, Censys Search Solo and Censys Search Teams. These additions are part of a series of strategic initiatives to enhance the security community, including the introduction of Threat Hunting Boot ...
1 year ago Helpnetsecurity.com
Proofpoint Exposes Sophisticated Social Engineering Attack on Recruiters That Infects Their Computers With Malware - Recruiters and anyone else involved in hiring processes should be knowledgeable about this social engineering attack threat. A new report from U.S.-based cybersecurity company Proofpoint exposes a new attack campaign operated by a ...
1 year ago Techrepublic.com
What is SEO Poisoning Attack? - Search engine optimization (SEO) poisoning is a type of cyber attack that infiltrates search results. It consists of malicious search engine results created by an attacker attempting to redirect someone to malicious or vulnerable webpages. It is a ...
2 years ago Heimdalsecurity.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)