
Hijack Execution Flow: DLL Search Order Hijacking

Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program.(Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.

There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks,(Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL.(Citation: Microsoft Security Advisory 2269637) Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)

If a search-order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.
Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
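The search order described above, modelled as an added example (this is not code from ATT&CK or Microsoft): a small Python simulation of which file the Windows loader picks for a DLL requested by bare name, with SafeDllSearchMode on or off, so a defender can see why a copy planted in the application directory or the current working directory wins over the legitimate one and which setting narrows that window. The directory constants, the KnownDLLs subset and the simulated disk contents are constructed for the demonstration.

```python
from pathlib import PureWindowsPath

# Fixed directories of a default install (constructed for the model).
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
SYSTEM16 = PureWindowsPath(r"C:\Windows\System")
WINDIR = PureWindowsPath(r"C:\Windows")
# KnownDLLs are always taken from System32; a small constructed subset.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}

def search_order(app_dir, cwd, path_dirs=(), safe_search=True):
    """Directories the loader walks, in order, for a DLL requested by bare name."""
    order = [PureWindowsPath(app_dir), SYSTEM32, SYSTEM16, WINDIR]
    if safe_search:
        order.append(PureWindowsPath(cwd))     # SafeDllSearchMode on (the default)
    else:
        order.insert(1, PureWindowsPath(cwd))  # legacy order: CWD right after app dir
    return order + [PureWindowsPath(p) for p in path_dirs]

def resolve(dll, app_dir, cwd, existing, path_dirs=(), safe_search=True):
    """Path the loader would pick for `dll`, or None if it exists nowhere.
    `existing` lists the files present on the simulated disk."""
    dll = dll.lower()
    if dll in KNOWN_DLLS:
        return str(SYSTEM32 / dll)
    present = {PureWindowsPath(p) for p in existing}  # compared case-insensitively
    for directory in search_order(app_dir, cwd, path_dirs, safe_search):
        if directory / dll in present:
            return str(directory / dll)
    return None

def hijacked(dll, app_dir, cwd, existing, legit, **kw):
    """True when the resolved file is not the legitimate copy the program expects."""
    found = resolve(dll, app_dir, cwd, existing, **kw)
    return found is not None and PureWindowsPath(found) != PureWindowsPath(legit)

if __name__ == "__main__":
    # explorer.exe lives in C:\Windows, so a planted C:\Windows\ntshrui.dll beats the
    # real one in System32 (the Prikormka and WEBC2 entries below).
    disk = [r"C:\Windows\System32\ntshrui.dll", r"C:\Windows\ntshrui.dll"]
    print(resolve("ntshrui.dll", r"C:\Windows", r"C:\Users\u", disk))
    # A copy of a System32 DLL placed in the CWD (here a remote share) loses under
    # SafeDllSearchMode but wins under the legacy order.
    disk = [r"C:\Windows\System32\version.dll", r"\\share\docs\version.dll"]
    print(resolve("version.dll", r"C:\App", r"\\share\docs", disk))
    print(resolve("version.dll", r"C:\App", r"\\share\docs", disk, safe_search=False))
```

The model covers only the directory walk and KnownDLLs; the loader's other short-circuits (already-loaded modules, manifests, API sets) are outside its scope.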

ID: T1574.001
Sub-technique of: T1574
Tactic(s): Defense Evasion, Persistence, Privilege Escalation
Platforms: Windows
Data Sources: File: File Creation, File: File Modification, Module: Module Load
Version: 1.1
Created: 13 Mar 2020
Last Modified: 26 Apr 2021

Procedure Examples

Name Description
RTM

RTM has used search order hijacking to force TeamViewer to load a malicious DLL.(Citation: Group IB RTM August 2019)

Tonto Team

Tonto Team abuses a legitimate and signed Microsoft executable to launch a malicious DLL.(Citation: ESET Exchange Mar 2021)

HTTPBrowser

HTTPBrowser abuses the Windows DLL load order by using a legitimate Symantec anti-virus binary, VPDN_LU.exe, to load a malicious DLL that mimics a legitimate Symantec DLL, navlu.dll.(Citation: ZScaler Hacking Team)

WEBC2

Variants of WEBC2 achieve persistence by using DLL search order hijacking, usually by copying the DLL file to %SYSTEMROOT% (C:\WINDOWS\ntshrui.dll).(Citation: Mandiant APT1 Appendix)

Hikit

Hikit has used DLL Search Order Hijacking to load oci.dll as a persistence mechanism.(Citation: FireEye Hikit Rootkit)

Whitefly

Whitefly has used search order hijacking to run the loader Vcrodat.(Citation: Symantec Whitefly March 2019)

FinFisher

A FinFisher variant uses DLL search order hijacking.(Citation: FinFisher Citation)(Citation: Securelist BlackOasis Oct 2017)

Aquatic Panda

Aquatic Panda has used DLL search-order hijacking to load `exe`, `dll`, and `dat` files into memory.(Citation: CrowdStrike AQUATIC PANDA December 2021)

RedLeaves

RedLeaves is launched through use of DLL search order hijacking to load a malicious dll.(Citation: FireEye APT10 April 2017)

PlugX

PlugX has the ability to use DLL search order hijacking for installation on targeted systems.(Citation: Proofpoint TA416 Europe March 2022)

Ramsay

Ramsay can hijack outdated Windows application dependencies with malicious versions of its own DLL payload.(Citation: Eset Ramsay May 2020)

Evilnum

Evilnum has used the malware variant, TerraTV, to load a malicious DLL placed in the TeamViewer directory, instead of the original Windows DLL located in a system folder.(Citation: ESET EvilNum July 2020)

Prikormka

Prikormka uses DLL search order hijacking for persistence by saving itself as ntshrui.dll to the Windows directory so it will load before the legitimate ntshrui.dll saved in the System32 subdirectory.(Citation: ESET Operation Groundbait)

Astaroth

Astaroth can launch itself via DLL Search Order Hijacking.(Citation: Securelist Brazilian Banking Malware July 2020)

Melcoz

Melcoz can use DLL hijacking to bypass security controls.(Citation: Securelist Brazilian Banking Malware July 2020)

MirageFox

MirageFox is likely loaded via DLL hijacking into a legitimate McAfee binary.(Citation: APT15 Intezer June 2018)

PowerSploit

PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit DLL hijacking opportunities in services and processes.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)

FoggyWeb

FoggyWeb's loader has used DLL Search Order Hijacking to load malicious code instead of the legitimate `version.dll` during the `Microsoft.IdentityServer.ServiceHost.exe` execution process.(Citation: MSTIC FoggyWeb September 2021)

WastedLocker

WastedLocker has performed DLL hijacking before execution.(Citation: NCC Group WastedLocker June 2020)

Crutch

Crutch can persist via DLL search order hijacking on Google Chrome, Mozilla Firefox, or Microsoft OneDrive.(Citation: ESET Crutch December 2020)

Chaes

Chaes has used search order hijacking to load a malicious DLL.(Citation: Cybereason Chaes Nov 2020)

InvisiMole

InvisiMole can be launched by using DLL search order hijacking in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library.(Citation: ESET InvisiMole June 2018)

Threat Group-3390

Threat Group-3390 has performed DLL search order hijacking to execute their payload.(Citation: Nccgroup Emissary Panda May 2018)

BackdoorDiplomacy

BackdoorDiplomacy has executed DLL search order hijacking.(Citation: ESET BackdoorDiplomacy Jun 2021)

BOOSTWRITE

BOOSTWRITE has exploited the loading of the legitimate Dwrite.dll file by actually loading the gdi library, which then loads the gdiplus library and ultimately loads the local Dwrite dll.(Citation: FireEye FIN7 Oct 2019)

Empire

Empire contains modules that can discover and exploit various DLL hijacking opportunities.(Citation: Github PowerShell Empire)

Downdelph

Downdelph uses search order hijacking of the Windows executable sysprep.exe to escalate privileges.(Citation: ESET Sednit Part 3)

APT41

APT41 has used search order hijacking to execute malicious payloads, such as Winnti RAT.(Citation: Crowdstrike GTR2020 Mar 2020)

menuPass

menuPass has used DLL search order hijacking.(Citation: PWC Cloud Hopper April 2017)

Mitigations

Mitigation Description
Execution Prevention

Block execution of code on a system through application control, and/or script blocking.

Restrict Library Loading

Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.

Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Detection

Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of `.manifest` and `.local` redirection files that do not correlate with software updates are suspicious.
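The checks in the paragraph above, written out as an added example (not ATT&CK content) in Python over constructed Sysmon-style records: Event ID 7 image loads and Event ID 11 file creates, with field names that mimic Sysmon. It flags a baselined DLL name loaded from an unexpected directory, creation of `.local` or `.manifest` redirection files, and the same DLL name loaded into one process from two different paths, which is the trace a planted DLL leaves when it forwards to the legitimate copy it replaced. The baseline, the events and the ADFS path are constructed for the demonstration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed baseline: directories each DLL name is normally loaded from on this
# host; in production it is learned from historical module-load telemetry.
BASELINE = {"ntshrui.dll": {r"C:\Windows\System32"},
            "version.dll": {r"C:\Windows\System32", r"C:\Windows\SysWOW64"}}

# Constructed Sysmon-style records: Event ID 7 = image load, Event ID 11 = file create.
EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\ntshrui.dll"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\ntshrui.dll"},
    {"EventID": 7, "Image": r"C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe",
     "ImageLoaded": r"C:\Windows\ADFS\version.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Program Files\App\app.exe.local"},
]

def abnormal_dll_path(event, baseline=BASELINE):
    """Event ID 7: a baselined DLL name loaded from a directory outside its baseline."""
    if event["EventID"] != 7:
        return None
    loaded = PureWindowsPath(event["ImageLoaded"])
    expected = baseline.get(loaded.name.lower())
    if expected is None or any(loaded.parent == PureWindowsPath(d) for d in expected):
        return None
    return f"{loaded.name} loaded by {event['Image']} from unexpected path {loaded}"

def redirection_file(event):
    """Event ID 11: creation of a .local or .manifest DLL-redirection file."""
    if event["EventID"] != 11:
        return None
    target = event["TargetFilename"]
    if target.lower().endswith((".local", ".manifest")):
        return f"redirection file {target} created by {event['Image']}"
    return None

def duplicate_name_loads(events):
    """Same DLL name loaded into one process from more than one path: the trace
    left when a planted DLL forwards to the legitimate copy it replaced."""
    paths = defaultdict(set)
    for e in events:
        if e["EventID"] == 7:
            loaded = PureWindowsPath(e["ImageLoaded"])
            paths[(e["Image"], loaded.name.lower())].add(str(loaded))
    return {key: sorted(p) for key, p in paths.items() if len(p) > 1}
```

Run over real telemetry, the baseline should be keyed per host or per software build, and `.manifest` creates need correlation with patch and installer activity before they are worth an alert.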

References

  1. Nick Harbour. (2010, September 1). DLL Search Order Hijacking Revisited. Retrieved March 13, 2020.
  2. Microsoft. (n.d.). Manifests. Retrieved December 5, 2014.
  3. Microsoft. (2018, May 31). Dynamic-Link Library Redirection. Retrieved March 13, 2020.
  4. Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved March 13, 2020.
  5. Harbour, N. (2011, June 3). What the fxsst?. Retrieved November 17, 2020.
  6. OWASP. (2013, January 30). Binary planting. Retrieved June 7, 2016.
  7. Harbour, N. (2010, July 15). Malware Persistence without the Windows Registry. Retrieved November 17, 2020.
  8. Microsoft. (2018, May 31). Dynamic-Link Library Search Order. Retrieved November 30, 2014.
  9. Sanmillan, I. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  10. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  11. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  12. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  13. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  14. Carr, N. et al. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.
  15. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  16. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  17. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.
  18. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  19. Gerend, J. et al. (2017, October 16). sxstrace. Retrieved April 26, 2021.
  20. PowerSploit. (n.d.). Retrieved December 4, 2014.
  21. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  22. Skulkin, O. (2019, August 5). Following the RTM Forensic examination of a computer infected with a banking trojan. Retrieved May 11, 2020.
  23. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  24. Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016.
  25. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  26. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  27. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  28. Desai, D. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
  29. Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.
  30. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  31. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  32. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  33. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  34. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  35. Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014.
  36. Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021.
  37. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
  38. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
  39. Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.
  40. FinFisher. (n.d.). Retrieved December 20, 2017.
  41. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
