Fun with DLL’s — Part 1 — DLL Search Order Hijacking

  • DLL Search Order Hijacking — T1574.001
  • DLL Injection — T1055.001
  • DLL Side-Loading — T1574.002

  1. Application Directory (e.g. C:\Program Files\MyApp)
  2. System Directory (e.g. C:\Windows\System32)
  3. 16-bit System Directory (e.g. C:\Windows\System)
  4. Windows Directory (e.g. C:\Windows)
  5. Current Directory
  6. Directories listed in the PATH variable

  1. MyDLL.dll (legit)
  2. MyDLL.dll (evil)
  3. MyApplication.exe

  • Add and enable the SafeDLLSearchMode registry key described above.
  • Disable remote loading of DLLs with the following keys:
      HKLM\SYSTEM\CCS\Control\Session Manager\CWDIllegalInDllSearch
      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MyApplication.exe\CWDIllegalInDllSearch
  • See here (https://blogs.technet.microsoft.com/srd/2010/08/23/more-information-about-the-dll-preloading-remote-attack-vector/) for instructions on which values to set!
  • Create a rule in Application Control Policies\AppLocker via the Local Policy Editor that only allows signed DLLs to run. (Caution: This should be strictly tested and may not be suitable for large enterprise use! Consider implementing it as a rule with an exception system.)
  • Add critical DLLs to the KnownDLLs key. (Caution: There is a performance impact to this and I have not tested it personally.)
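To make the search order list and the mitigation list concrete, here is an added loader-order simulator (example code written for this article, not part of the original post or of any Windows component). It models the six-step search order above over a constructed in-memory filesystem, walks the "legit vs. evil MyDLL.dll" scenario, and shows how three of the mitigations listed (SafeDllSearchMode, a CWDIllegalInDllSearch setting that removes the current directory from the search, and KnownDLLs) change which copy the loader picks. All paths (C:\Program Files\MyApp, C:\Users\alice\Downloads, C:\Tools on PATH) and the file layout are constructed sample data; the `Host`, `search_order`, `resolve` and `hijack_exposure` names are this example's own.

```python
"""
Search-order simulator for DLL Search Order Hijacking (T1574.001).

Constructed model, not Windows itself: directories are keys of an in-memory
dict, and the probe list is built from the search order the article lists.
The toggles model mitigations the article names; CWDIllegalInDllSearch is
reduced to "current directory removed from the search" (the linked
Microsoft post documents the actual registry values).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Default Windows locations (constructed sample paths matching the defaults)
SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"


@dataclass
class Host:
    """One machine: which files live where, what a low-privilege user can
    write to, and the loader-related settings."""
    files: Dict[str, Set[str]]                 # directory -> file names present
    writable: Set[str]                         # directories a standard user can write to
    path_dirs: List[str] = field(default_factory=list)
    safe_dll_search_mode: bool = True          # SafeDllSearchMode (the modern default)
    cwd_illegal_in_dll_search: bool = False    # CWDIllegalInDllSearch set to drop the CWD
    known_dlls: Set[str] = field(default_factory=set)  # names listed under KnownDLLs


def search_order(host: Host, app_dir: str, cwd: str) -> List[str]:
    """Directories probed, in order, for a DLL that is not already loaded
    and not a KnownDLL."""
    order = [app_dir, SYSTEM32, SYSTEM16, WINDIR]
    # SafeDllSearchMode on: current directory is 5th. Off: it is searched
    # right after the application directory (2nd).
    if not host.cwd_illegal_in_dll_search:
        order.insert(len(order) if host.safe_dll_search_mode else 1, cwd)
    return order + list(host.path_dirs)


def _has(host: Host, directory: str, name: str) -> bool:
    return name in {f.lower() for f in host.files.get(directory, set())}


def resolve(host: Host, dll: str, app_dir: str, cwd: str) -> Optional[str]:
    """Directory the loader would take `dll` from, or None if never found."""
    name = dll.lower()
    if name in {k.lower() for k in host.known_dlls}:
        return SYSTEM32          # KnownDLLs come from the system directory; no search
    for d in search_order(host, app_dir, cwd):
        if _has(host, d, name):
            return d
    return None


def hijack_exposure(host: Host, dll: str, app_dir: str, cwd: str) -> List[str]:
    """User-writable directories probed before the trusted copy of `dll`
    (every writable probe point if the DLL is never found at all)."""
    name = dll.lower()
    if name in {k.lower() for k in host.known_dlls}:
        return []
    exposed = []
    for d in search_order(host, app_dir, cwd):
        if d in host.writable:
            exposed.append(d)    # an attacker-controllable location is checked first
        elif _has(host, d, name):
            break                # trusted copy found; later directories never matter
    return exposed


# Constructed scenario: the app lives in Program Files, the real MyDLL.dll in
# System32, and a planted MyDLL.dll sits in the user's working directory.
APP_DIR = r"C:\Program Files\MyApp"
DOWNLOADS = r"C:\Users\alice\Downloads"
TOOLS = r"C:\Tools"              # constructed user-writable PATH entry


def make_host(**overrides) -> Host:
    files = {
        APP_DIR: {"MyApplication.exe"},
        SYSTEM32: {"MyDLL.dll"},     # legit
        DOWNLOADS: {"MyDLL.dll"},    # evil
    }
    host = Host(files=files, writable={DOWNLOADS, TOOLS}, path_dirs=[TOOLS])
    for key, value in overrides.items():
        setattr(host, key, value)
    return host


def run_scenarios() -> Dict[str, Optional[str]]:
    """Where MyDLL.dll is loaded from when MyApplication.exe is launched
    with the current directory set to Downloads, under each setting."""
    cases = {
        "default (SafeDllSearchMode on)": make_host(),
        "SafeDllSearchMode off": make_host(safe_dll_search_mode=False),
        "SafeDllSearchMode off + CWDIllegalInDllSearch": make_host(
            safe_dll_search_mode=False, cwd_illegal_in_dll_search=True),
        "SafeDllSearchMode off + KnownDLLs": make_host(
            safe_dll_search_mode=False, known_dlls={"MyDLL.dll"}),
    }
    return {label: resolve(h, "MyDLL.dll", APP_DIR, DOWNLOADS) for label, h in cases.items()}


if __name__ == "__main__":
    for label, where in run_scenarios().items():
        print(f"{label:48} -> MyDLL.dll loaded from {where}")
    weak = make_host(safe_dll_search_mode=False)
    print("writable dirs probed before the trusted copy:",
          hijack_exposure(weak, "MyDLL.dll", APP_DIR, DOWNLOADS))
```

Running it shows the planted copy in Downloads winning only when SafeDllSearchMode is off, and losing again once the current directory is dropped from the search or the DLL is listed under KnownDLLs. `hijack_exposure` is the audit view: for a given executable and DLL name it lists the writable directories an installer or host-hardening review should worry about, including the case where the DLL is absent everywhere, so every writable probe point is an exposure.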

Cloud, Security and IT Consulting Services based out of Augusta, GA.
Phantom Byte Consulting, LLC