New DLL Search Order Hijacking Technique Targets WinSxS Folder

A new DLL search order hijacking technique allows adversaries to load and execute malicious code in applications within Windows' WinSxS folder, incident response company Security Joes reports.
Typically, DLL search order hijacking abuses applications that do not specify the full path of a required library or file, but rely on a predefined search order to locate it.
Attackers place a malicious DLL in a folder prioritized in the search order, typically in the application's working directory, so that it is loaded before the legitimate library the application needs.
In some instances, the attackers also drop a legitimate but vulnerable application to abuse for DLL loading.
According to the cybersecurity firm, attackers can deliberately target files located in the WinSxS folder to make their attacks stealthier while eliminating the need for dropping additional binaries or obtaining high privileges to execute code within applications located in a Windows folder.
The WinSxS folder stores various versions of important system files, including DLLs, ensuring application compatibility and system integrity, and facilitating the activation or deactivation of Windows features without additional installations.
As part of its research, the cybersecurity firm first identified a vulnerable binary within the WinSxS folder, then abused Windows' behavior when searching for system files to ensure that a crafted DLL placed in a custom folder on the desktop is loaded by the binary using DLL search order hijacking.
Some of the binaries in the WinSxS folder, the company discovered, were searching for DLLs in the custom desktop folder, suggesting that they would load the crafted library if it was to be renamed to match the expected DLL file the executables were searching for.
According to Security Joes, an attacker could launch a command from a shell that uses the custom folder as the working directory, without having to move the vulnerable binary outside the WinSxS folder.
By relying on vulnerable executables located in WinSxS, this technique improves and simplifies the infection chain relying on DLL search order hijacking, as it eliminates the need for dropping a vulnerable application.
The technique can be used to target Windows 10 and 11 systems, the cybersecurity firm points out.

This Cyber News was published on www.securityweek.com. Publication date: Tue, 02 Jan 2024 15:43:05 +0000

Cyber News related to New DLL Search Order Hijacking Technique Targets WinSxS Folder

New DLL Search Order Hijacking Technique Targets WinSxS Folder - A new DLL search order hijacking technique allows adversaries to load and execute malicious code in applications within Windows' WinSxS folder, incident response company Security Joes reports. Typically, DLL search order hijacking abuses applications ...
1 year ago Securityweek.com

Attackers Can Bypass Windows Security Using New DLL Hijacking - Threat actors using the DLL Hijacking technique for persistence have been the order of the day and have been utilized in several attacks. This attack method allows bypassing the privilege requirement for executing certain malicious codes on the ...
1 year ago Cybersecuritynews.com

New DLL Search Order Hijacking Variant Evades Windows 10 and 11 Protections - Security researchers have outlined a fresh variant of a dynamic link library search order hijacking technique, potentially enabling threat actors to circumvent security measures and execute malicious code on computers running Microsoft Windows 10 and ...
1 year ago Cysecurity.news

Side-by-Side with HelloJackHunter: Unveiling the Mysteries of WinSxS - As we know, Dynamic-link library(DLL) Side loading / DLL Hijacking is nothing new, nor is Windows Side-by-Side; however, side loading is handy from an adversarial tradecraft perspective, be it for establishing initial access, persistence, privilege ...
8 months ago Blog.zsec.uk

CVE-2005-2127 - Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for ...
6 years ago

30 Best Cyber Security Search Engines - In recent years, several search engines have been developed that are primarily focused on cyber security. In today's era, having all the necessary resources and search tools related to cyber security is crucial to staying protected against emerging ...
7 months ago Cybersecuritynews.com

Frustration grows over Google's AI Overviews feature, how to disable - Since Google enabled its AI-powered search feature, many people have tried and failed to disable the often incorrect AI Overviews feature in regular search results. When you're signed into Google and search for general topics like how to install one ...
8 months ago Bleepingcomputer.com

EFF Helps News Organizations Push Back Against Legal Bullying from Cyber Mercenary Group - For the last several months, there has emerged a campaign of bullying and censorship seeking to wipe out stories about the mercenary hacking campaigns of a less well-known company, Appin Technology, in general, and the company's cofounder, Rajat ...
11 months ago Eff.org

Purple teaming and the role of threat categorization - Red team assessment, penetration testing, and even purple team assessments are all designed to answer these questions. As attacks get more complex, these assessments struggle to provide comprehensive answers. These assessment services typically test ...
1 year ago Helpnetsecurity.com

CVE-2005-1990 - Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, ...
3 years ago

Why Biden's EO on AI Conflates the Role of Red-Teaming - The recent release of president Joe Biden's executive order on artificial intelligence marks a pivotal step toward establishing standards in an industry that has long operated without comprehensive regulations. What's concerning is the order's broad ...
1 year ago Securityboulevard.com

CVE-2018-6765 - Swisscom MySwisscomAssistant 2.17.1.1065 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. This vulnerability exists due to the way .dll files are loaded. It allows an ...
5 years ago

CVE-2010-3129 - Untrusted search path vulnerability in uTorrent 2.0.3 and earlier allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse plugin_dll.dll, userenv.dll, shfolder.dll, dnsapi.dll, ...
7 years ago

CVE-2014-8398 - Multiple untrusted search path vulnerabilities in Corel FastFlick allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) igfxcmrt32.dll, (2) ipl.dll, (3) MSPStyleLib.dll, (4) uFioUtil.dll, (5) ...
6 years ago

Proofpoint Exposes Sophisticated Social Engineering Attack on Recruiters That Infects Their Computers With Malware - Recruiters and anyone else involved in hiring processes should be knowledgeable about this social engineering attack threat. A new report from U.S.-based cybersecurity company Proofpoint exposes a new attack campaign operated by a ...
1 year ago Techrepublic.com

CVE-2021-45492 - In Sage 300 ERP (formerly accpac) through 6.8.x, the installer configures the C:\Sage\Sage300\Runtime directory to be the first entry in the system-wide PATH environment variable. However, this directory is writable by unprivileged users because the ...
1 year ago

Censys unveils two new product tiers to help researchers enhance their threat hunting work - Censys announced two new product tiers of its search tool, Censys Search Solo and Censys Search Teams. These additions are part of a series of strategic initiatives to enhance the security community, including the introduction of Threat Hunting Boot ...
1 year ago Helpnetsecurity.com

What is SEO Poisoning Attack? - Search engine optimization (SEO) poisoning is a type of cyber attack that infiltrates search results. It consists of malicious search engine results created by an attacker attempting to redirect someone to malicious or vulnerable webpages. It is a ...
2 years ago Heimdalsecurity.com

QuasarRAT Deploys Advanced DLL Side-Loading Technique - A recent research report by Uptycs has highlighted the evolution of QuasarRAT, an open-source remote administration tool known for its lightweight nature and range of malicious functions. According to an advisory published on Friday by Uptycs ...
1 year ago Infosecurity-magazine.com

Biden Issues Executive Order on Safe, Secure AI - President Biden has issued an Executive Order to establish new standards for AI safety and security. The order follows previous actions the President has taken on responsible innovation, including work that led to 15 leading tech companies pledging ...
1 year ago Infosecurity-magazine.com

From Social Engineering to DMARC Abuse: TA427's Art of Information Gathering - Key takeaways  TA427 regularly engages in benign conversation starter campaigns to establish contact with targets for long-term exchanges of information on topics of strategic importance to the North Korean regime. In addition to using specially ...
9 months ago Proofpoint.com

CVE-2024-45022 - In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0 The __vmap_pages_range_noflush() assumes its argument pages** contains pages with the same ...
4 months ago Tenable.com

East Texas hospital network can't receive ambulances because of potential cybersecurity incident - GetTime();if(!(u<=a&&d<=l throw new RangeError("Invalid interval");return r.inclusive?u<=l&&d<=a:ut||isNaN(t. Step):1;if(s<1||isNaN(s throw new RangeError("`options. Step):1;if(l<1||isNaN(l throw new RangeError("`options. GetTime()<=n throw new ...
1 year ago Cnn.com

CVE-2018-6766 - Swisscom TVMediaHelper 1.1.0.50 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. This vulnerability exists due to the way .dll files are loaded. It allows an attacker to ...
5 years ago

CVE-2019-18670 - In the Quick Access Service (QAAdminAgent.exe) in Acer Quick Access V2.01.3000 through 2.01.3027 and V3.00.3000 through V3.00.3008, a REGULAR user can load an arbitrary unsigned DLL into the signed service's process, which is running as NT ...
3 years ago

Latest Cyber News

CVE-2025-24982 - 5 hours ago
CVE-2025-22475 - 7 hours ago
CVE-2025-1003 - 10 hours ago
CVE-2025-0148 - 11 hours ago
CVE-2025-24957 - 12 hours ago
CVE-2025-24958 - 12 hours ago
CVE-2025-22129 - 12 hours ago
CVE-2025-23210 - 12 hours ago
CVE-2025-24029 - 12 hours ago
CVE-2025-24371 - 12 hours ago
CVE-2025-24901 - 12 hours ago
CVE-2025-24902 - 12 hours ago
CVE-2025-24905 - 12 hours ago
CVE-2025-24906 - 12 hours ago
CVE-2024-35177 - 12 hours ago
CVE-2024-47770 - 12 hours ago
CVE-2025-24960 - 13 hours ago
CVE-2025-24961 - 13 hours ago
CVE-2025-24962 - 13 hours ago
CVE-2025-22918 - 13 hours ago

Cyber Trends (last 7 days)

Okta - 1 year ago
23andMe - 1 year ago
Kimsuky - 1 year ago
LogoFAIL - 1 year ago
Gh0st rat - 1 year ago

Trending Cyber News (last 7 days)

CVE-2024-20141 - 1 day ago
CVE-2024-20142 - 1 day ago
CVE-2024-20147 - 1 day ago
CVE-2025-20631 - 1 day ago
CVE-2025-20632 - 1 day ago
CVE-2025-20633 - 1 day ago
CVE-2025-20634 - 1 day ago
CVE-2025-20635 - 1 day ago
CVE-2025-20636 - 1 day ago
CVE-2025-20637 - 1 day ago
CVE-2025-20638 - 1 day ago
CVE-2025-20639 - 1 day ago
CVE-2025-20640 - 1 day ago
CVE-2025-20641 - 1 day ago
CVE-2025-20642 - 1 day ago
CVE-2025-20643 - 1 day ago
CVE-2025-25062 - 1 day ago
CVE-2025-25063 - 1 day ago
CVE-2024-57966 - 1 day ago
CVE-2024-13347 - 1 day ago