New Variant of DLL Search Order Hijacking Bypasses Home windows 10 and 11 Protections

Jan 01, 2024NewsroomHome windows Safety / Vulnerability

DLL Search Order Hijacking

Safety researchers have detailed a brand new variant of a dynamic hyperlink library (DLL) search order hijacking method that might be utilized by menace actors to bypass safety mechanisms and obtain execution of malicious code on techniques working Microsoft Home windows 10 and Home windows 11.

The strategy “leverages executables generally discovered within the trusted WinSxS folder and exploits them by way of the basic DLL search order hijacking method,” cybersecurity agency Safety Joes mentioned in a brand new report solely shared with The Hacker Information.

In doing so, it permits adversaries to eradicate the necessity for elevated privileges when making an attempt to run nefarious code on a compromised machine in addition to introduce doubtlessly weak binaries into the assault chain, as noticed within the previous.

DLL search order hijacking, because the identify implies, entails gaming the search order used to load DLLs to be able to execute malicious payloads for functions of protection evasion, persistence, and privilege escalation.


Particularly, assaults exploiting the method single out purposes that don’t specify the total path to the libraries they require, and as an alternative, depend on a predefined search order to find the required DLLs on disk.

Menace actors take benefit of this habits by shifting professional system binaries into non-standard directories that embrace malicious DLLs which might be named after professional ones in order that the library containing the assault code is picked up instead of the latter.

DLL Search Order Hijacking

This, in flip, works as a result of the method calling the DLL will search within the listing it is executing from first earlier than recursively iterating by means of different areas in a specific order to find and cargo the useful resource in query. To place it in different phrases, the search order is as follows –

  1. The listing from which the applying is launched
  2. The folder “C:WindowsSystem32”
  3. The folder “C:WindowsSystem”
  4. The folder “C:Home windows”
  5. The present working listing
  6. Directories listed within the system’s PATH atmosphere variable
  7. Directories listed within the person’s PATH atmosphere variable

The novel twist devised by Safety Joes targets recordsdata situated within the trusted “C:WindowsWinSxS” folder. Quick for Home windows side-by-side, WinSxS is a important Home windows element that is used for the customization and updating of the working system to make sure compatibility and integrity.


“This strategy represents a novel software in cybersecurity: historically, attackers have largely relied on well-known strategies like DLL search order hijacking, a technique that manipulates how Home windows purposes load exterior libraries and executables,” Ido Naor, co-founder and CEO of Safety Joes, mentioned in an announcement shared with The Hacker Information.

“Our discovery diverges from this path, unveiling a extra refined and stealthy technique of exploitation.”

The thought, in a nutshell, is to search out weak binaries within the WinSxS folder (e.g., ngentask.exe and aspnet_wp.exe) and mix it with the common DLL search order hijacking strategies by strategically inserting a customized DLL with the identical identify because the professional DLL into an actor-controlled listing to realize code execution.

Consequently, merely executing a weak file within the WinSxS folder by setting the customized folder containing the rogue DLL as the present listing is sufficient to set off the execution of the DLL’s contents with out having to repeat the executable from the WinSxS folder to it.

Safety Joes warned that there might be extra binaries within the WinSxS folder which might be prone to this sort of DLL search order hijacking, necessitating that organizations take ample precautions to mitigate the exploitation technique inside their environments.

“Study parent-child relationships between processes, with a particular concentrate on trusted binaries,” the corporate mentioned. “Monitor carefully all of the actions carried out by the binaries residing within the WinSxS folder, specializing in each community communications and file operations.”

Discovered this text fascinating? Observe us on Twitter and LinkedIn to learn extra unique content material we publish.

Related Articles


Please enter your comment!
Please enter your name here

Latest Articles