DLL Search Order Hijacking
|DLL Search Order Hijacking|
|Tactic||Defense Evasion, Persistence, Privilege Escalation|
|System Requirements||Ability to add a DLL, manifest file, or .local file, directory, or junction.|
|Permissions Required||User, Administrator, SYSTEM|
|Effective Permissions||User, Administrator, SYSTEM|
|Data Sources||File monitoring, DLL monitoring, Process command-line parameters, Process monitoring|
|Defense Bypassed||Process whitelisting|
|Contributors||Stefan Kanthak, Travis Smith, Tripwire|
Windows systems use a common method to look for required DLLs to load into a program.1 Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence.
Adversaries may perform DLL preloading, also called binary planting attacks,2 by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL.3 Adversaries may use this behavior to cause the program to load a malicious DLL.
Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL to maintain persistence or privilege escalation.456
If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.
Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
- menuPass has used DLL search order hijacking.7
- Downdelph uses DLL search order hijacking of the Windows executable sysprep.exe to escalate privileges.8
- HTTPBrowser abuses the Windows DLL load order by using a legitimate Symantec anti-virus binary, VPDN_LU.exe, to load a malicious DLL that mimics a legitimate Symantec DLL, navlu.dll.9
- Prikormka uses DLL search order hijacking for persistence by saving itself as ntshrui.dll to the Windows directory so it will load before the legitimate ntshrui.dll saved in the System32 subdirectory.10
- RedLeaves is launched through use of DLL search order hijacking to load a malicious dll.11
- Variants of WEBC2 achieve persistence by using DLL search order hijacking, usually by copying the DLL file to
Enable Safe DLL Search Mode to force search for system DLLs in directories with greater restrictions (e.g.
%SYSTEMROOT%)to be used before local directory DLLs (e.g. a user's home directory). The Safe DLL Search Mode can be enabled via Group Policy at Computer Configuration > [Policies] > Administrative Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode. The associated Windows Registry key for this is located at
Use auditing tools capable of detecting DLL search order hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for DLL hijacking weaknesses.15
Identify and block potentially malicious software that may be executed through search order hijacking by using whitelisting16 tools like AppLocker1718 that are capable of auditing and/or blocking unknown DLLs.
Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious.
- Microsoft. (n.d.). Dynamic-Link Library Search Order. Retrieved November 30, 2014.
- OWASP. (2013, January 30). Binary planting. Retrieved June 7, 2016.
- Microsoft. (2010, August 22). Microsoft Security Advisory 2269637 Released. Retrieved December 5, 2014.
- Microsoft. (n.d.). Dynamic-Link Library Redirection. Retrieved December 5, 2014.
- Microsoft. (n.d.). Manifests. Retrieved December 5, 2014.
- Mandiant. (2010, August 31). DLL Search Order Hijacking Revisited. Retrieved December 5, 2014.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
- ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
- Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
- Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
- FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
- Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
- Microsoft. (2010, August 12). More information about the DLL Preloading remote attack vector. Retrieved December 5, 2014.
- Microsoft. (n.d.). A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm. Retrieved December 6, 2017.
- PowerSploit. (n.d.). Retrieved December 4, 2014.
- Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
- Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
- NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.