📓
Red Team Notes 2.0
  • Introduction
  • Red Team
  • Red Team Techniques
    • Initial Access
      • T1659: Content Injection
      • T1190: Exploit Public-Facing Applications
        • Rejetto HTTP File Server (HFS) 2.3
      • T1133: External Remote Services
        • SMB/Windows Admin Shares
        • RDP Service
      • T1566: Phishing
        • Phishing: Spearphishing via Service
        • Phishing: Spearphishing Link
          • Links: Social Engineering Toolkit
          • Links: Binaries
          • Links: HTA Files
        • Phishing: Spearphishing Attachment
          • Attachments: LNK Files
          • Attachments: SCR Files
          • Attachments: Dynamic Data Exchange
          • Attachments: Macros
          • Attachments: Macros - Linux
          • Attachments: Scripting Files
          • Attachments: Desktop Files
      • T1195: Supply Chain Compromise
        • Compromise Hardware Supply Chain
        • Compromise Software Supply Chain
        • Compromise Software Dependencies and Development Tools
      • T1078: Valid Accounts
        • Local Accounts
        • Domain Accounts
        • Default Accounts
      • T1199: Trusted Relationship
    • Execution
      • T1047:Windows Management Instrumentation
      • T1204: User Execution
        • Malicious File
        • Malicious Link
      • T1569: Service Execution
      • T1053: Scheduled Tasks/Job
        • Shared Modules
        • Scheduled Task
        • At (Windows)
      • T1106: Native API
      • T1559: Inter-Process Communication
        • Dynamic Data Exchange
        • Component Object Model
      • T1203: Exploitation for Client Execution
        • Common Third-Party Applications
        • Office Applications
      • T1059: Command and Scripting Interpreter
        • Network Device CLI
        • JavaScript/JScript
        • Python
        • Visual Basic
        • Unix Shell
        • Windows Command Shell
        • PowerShell
        • AutoHotKey & AutoIT
        • Deploy Container
        • Native API - Linux
    • Persistence
      • T1574: Hijack Execution Flow
        • Service File permissions Weakness
        • Path Interception by Unquoted Path
        • Path Interception by Search Order Hijacking
        • Path Interception by PATH Environment Variable
        • Executable Installer File Permissions Weakness
        • DLL Side-Loading
        • DLL Search Order Hijacking
        • Dynamic Linker Hijacking
      • T1133:External Remote Services
        • SMB/Windows Admin Shares
        • RDP Service
      • T1546:Event Triggered Execution
        • Component Object Model Hijacking
        • PowerShell Profile
        • Application Shimming
        • Accessibility Features
        • Netsh Helper DLL
        • Screensaver
        • Default File Association
        • Unix Shell Configuration Modification
        • Trap
        • Installer Packages
      • T1543:Create or Modify System Process
        • Windows Services
        • Systemd Service
      • T1136: Create Account
        • Domain Account
        • Local Account
      • T1554:Compromise Client Software Binary
      • T1547:Boot or Logon AutoStart Execution
        • Shortcut Modification
        • Winlogon Helper DLL
        • Time Providers
        • Registry Run Keys / Startup Folder
      • T1037: Boot or Logon Initialization Scripts
        • RC Scripts
      • T1197: BITS Jobs
      • T1053: Scheduled Tasks/Job
        • Shared Modules
        • Scheduled Task
        • At (Windows)
        • Cron
        • Systemd Timers
      • T1098: Account Manipulation
        • SSH Authorized Keys
      • T1556: Modify Authentication Process
        • Pluggable Authentication Modules
      • T1653: Power Settingss
      • T1505: Server Software Component
        • WebShell
    • Privilege Escalation
      • T1546:Event Triggered Execution
        • PowerShell Profile
        • Component Object Model Hijacking
        • Application Shimming
        • Accessibility Features
        • Screensaver
        • Default File Association
      • T1612: Build Image on Host
      • T1574: Hijack Execution Flow
        • Service File permissions Weakness
        • Path Interception by Unquoted Path
        • Path Interception by Search Order Hijacking
        • Path Interception by PATH Environment Variable
        • Executable Installer File Permissions Weakness
        • DLL Side-Loading
        • DLL Search Order Hijacking
      • T1543:Create or Modify System Process
        • Windows Services
      • T1547:Boot or Logon AutoStart Execution
        • Winlogon Helper DLL
        • Shortcut Modification
        • Time Providers
        • Registry Run Keys / Startup Folder
      • T1134: Access Token Manipulation
        • Parent PID Spoofing
        • Make and Impersonate Token
        • Create Process with Token
        • Token Impersonation/Theft
      • T1548: Abuse Elevation Control Mechanism
        • Bypass User Account Control
        • Setuid and Setgid
        • Sudo and Sudo Caching
      • T1611: Escape to Host
    • Defense Evasion
      • T1497: Virtualization/Sandbox Evasion
        • Time Based Evasion
        • User Activity Based Checks
        • System Checks
      • T1550: Use Alternate Authentication Material
        • Pass the Ticket
        • Pass the Hash
      • T1127: Trusted Developer Utilities Proxy Execution
        • MSBuild
      • T1221: Template Injection
      • T1553: Subvert Trust Controls
        • SIP and Trust Provider Hijacking
        • Code Signing
      • T1216: Signed Script Proxy Execution
      • T1218: Signed Binary Proxy Execution
        • Compiled HTML File
        • Control Panel
        • CMSTP
        • InstallUtil
        • MSHTA
        • MSIEXEC
        • ODBCCONF
        • Regsvcs/Regasm
        • Regsvr32
        • Rundll32
        • Verclsid
      • T1055: Process Injection
        • Dynamic-Link Library Injection
        • Portable Execution Injection
        • Thread Execution Hijacking
        • Asynchronous Procedure Call
        • Thread Local Storage
        • Extra Window Memory Injection
        • Process Hollowing
        • Process Doppelganging
      • T0127: Obfuscated Files or Information
        • Binary Padding
        • Software Packing
        • Steganography
        • Compile After Delivery
        • Indicator Removal from Tools
      • T1036: Masquerading
        • Invalid Code Signature
        • Right-to-Left-Override
        • Rename System Utilities
        • Masquerade Task or Service
        • Match Legitimate Name or location
      • T1202: Indirect Command Execution
      • T1562: Impair Defenses
        • Disable or Modify Tools
        • Disable Windows Event Logging
        • Impair Command History Logging
        • Disable or Modify System Firewall
        • Disable or Modify Linux Audit System
        • Indicator Blocking
      • T1070: Indicator Removal on Host
        • Clear Windows Event Logs
        • Clear Command History
        • File Deletion
        • Network Share Connection Removal
        • TimeStomping
      • T1574: Hijack Execution Flow
        • Path Interception by Unquoted Path
        • Service File permissions Weakness
        • Path Interception by Search Order Hijacking
        • Path Interception by PATH Environment Variable
        • Executable Installer File Permissions Weakness
        • DLL Side-Loading
        • DLL Search Order Hijacking
      • T1564: Hide Artifacts
        • VBA Stomping
        • Run Virtual Instance
        • NTFS File Attributes
        • Hidden Window
        • Hidden File System
        • Hidden Users
        • Ignore Process Interrupts
        • File/Path Exclusions
        • Hidden Files and Directories
      • T1222: File Directory Permissions Modification
        • Linux and Mac File and Directory Permissions Modification
        • Windows File and Directory Permissions Modification
      • T1480: Execution Guardrails
        • Environmental Keying Linux
        • Environmental Keying
      • T1197: BITS Jobs
      • T1134: Access Token Manipulation
        • Parent PID Spoofing
        • Make and Impersonate Token
        • Create Process with Token
        • Token Impersonation/Theft
      • T1548: Abuse Elevation Control Mechanism
        • Bypass User Account Control
      • De-obfuscate/Decode Files or Information
    • Credential Access
      • T1552: Unsecured Credentials
        • Group Policy Preferences
        • Private Keys
        • Credentials in Registry
        • Credentials in Files
      • T1558: Steal or Forge Kerberos Tickets
        • AS-REP Roasting
        • Kerberoasting
        • Silver Ticket
        • Golden Ticket
      • T1003: OS Credential Dumping
        • DCSync
        • Cached Domain Credentials
        • LSA Secrets
        • NTDS
        • Security Account Manager
        • LSASS Memory
      • T1040: Network Sniffing
      • T1556: Modify Authentication Process
        • Password Filter DLL
        • Domain Controller Authentication
      • T1557: Man-in-the-Middle
        • Arp Cache Poisoning
        • LLMNR/NBT-NS Poisoning and SMB Relay
      • T1056: Input Capture
        • Web Portal Capture
        • GUI Input Capture
        • Keylogging
      • T1187: Forced Authentication
      • T1555: Credentials from Password Stores
        • Credentials from Web Browsers
      • T1110: Brute Force
        • Credential Stuffing
        • Password Spraying
        • Password Cracking
        • Password Guessing
    • Discovery
      • T1124: System Time Discovery
      • T1007: System Service Disvcovery
      • T1033: System Owner/User Directory
      • T1049: System Network Connections Discovery
      • T1016: System Network Configuration Discovery
      • T1082: System Information Discovery
      • T1518: Software Discovery
        • Security Software Discovery
      • T1018: Remote System Discovery
      • T1012: Query Registry
      • T1057: Process Discovery
      • T1069: Permissions Groups Discovery
        • Local Groups
        • Domain Groups
      • T1120: Peripheral Device Discovery
      • T1201: Password Policy Discovery
      • T1040: Network Sniffing
      • T1135: Network Share Discovery
      • T1046: Network Servie Scanning
      • T1083: File and Directory Discovery
      • T1486: Domain Trust Discovery
      • T1217: Browser Bookmark Discovery
      • T1010: Application Window Discovery
      • T1087: Account Discovery
        • Domain Account
        • Local Account
    • Lateral Movement
      • T1080: Taint Shared Content
      • T1072: Software Deployment Tools
      • T1021: Remote Services
        • Windows Remote Management
        • VNC
        • Distributed Component Object Model
        • SMB/Windows Admin Shares
        • Remote Desktop Protocol
      • T1563: Remote Service Session Hijacking
        • RDP Hijacking
      • T1570: Lateral Tool Transfer
      • T1534: Internal Spearphishing
      • T1210: Exploitation of Remote Services
      • T1550 Use Alternate Authentication Material
        • Pass the Ticket
        • Pass the Hash
  • Active Directory
    • Active Directory
      • Lightweight Directory Access Protocol
      • Kerberos
      • Forest, Tress and Domains
    • Active Directory Attacks
      • Kerberoasting
      • Unconstrained Delegation
      • Constrained Delegation
      • DCSync
      • Golden Tickets
      • Silver Tickets
      • Skeleton Keys
      • Active Directory Certificate Services
      • NTLMRelay
      • AS-REP Roasting
  • Red Team Infrastructure
    • RED TEAM INFRASTRUCTURE
    • Domain Name and Categorization
    • Reconnaissance
      • Passive
      • Active
    • Weaponization
      • Macros
      • HTA
      • ZIP
      • ISO
    • Delivery
      • Gophish
      • EvilGinx
      • PwnDrop
  • Situational Awareness
    • Covenant and C#
    • Empire and PowerShell
  • Credential Dumping
    • Mimikatz
    • Lsass Dumping
    • SharpChromium
  • Persistence
    • Userland Persistence
    • Elevated Persistence
  • Defense Evasion
    • Disable or Modify Tools
    • Obfuscating Files
  • Privilege Escalation
    • PowerUp
    • PrivescCheck
  • Lateral Movement
    • RDP
    • PowerShell Remoting
  • Files
    • Red Team Guide
Powered by GitBook
On this page

Was this helpful?

  1. Red Team Techniques
  2. Persistence
  3. T1574: Hijack Execution Flow

DLL Search Order Hijacking

Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program, Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.

There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL.

Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL.

If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.

Let us see some examples:

In Windows Environments when an application or a service is starting it looks for a number of DLL's in order to function properly. If these DLL's doesn't exist or are implemented in an insecure way (DLL's are called without using a fully qualified path) then it is possible to escalate privileges by forcing the application to load and execute a malicious DLL File.

It should be noted that when an application needs to load a DLL it will go through the following order:

· The directory which the application is loaded.

· C:\Windows\System32

· C:\Windows\System

· C:\Windows

· The current working directory

· Directories in the system PATH environment variable

· Directories in the user PATH environment variable

A fast way to Hijack and Find any DLL Hijacking is using PowerSploits, Find-PathDLLHijack, Find-ProcessDLLHijack, Invoke-AllChecks. We can check that powersploit will tell us where the hijack is located and what command to use next to hijack the process immediately.

We will work with Administrator Privileges in this example, not completely necessary if you can find a user with misconfiguration permission where they are allowed to WRITE, crazy right!!?, who would do that!!?

Procmon

For this technique I will use Procmon, as this is a great toll to view what a program is loading at run time, there are also other great tools from PowerSploit that will verify this Vulnerability, other tools such as SharpUp from GhostPack it is a tool written in C#.

Our Process in this sample is Winamp.

Winamp is a media player for Microsoft Windows it was a very popular and widely used media player back in the early 2000's, in the version we are currently working on it contains a DLL Hijack vulnerability as it is trying to load many different DLL files inexistent in its current directory, we can verify this with Procmon.

Wow, many potential hijacks, so our next step is to choose a DLL we wish to hijack, I will use the DLL . I will use a DLL this time to receive a reverse shell. My focus will be on vcruntime140d.dll

What happens when the program cannot find the DLL, it start following an order to locate the DLL

Let us take a look and see what happens if I rename it, how will the order continue.

Now I will add this DLL to any of the other paths that are seen above see if it loads it and gives me a shell.

Once added:

We can simply start the process and check the results

And this time it did find it.

References:

PreviousDLL Side-LoadingNextDynamic Linker Hijacking

Last updated 4 years ago

Was this helpful?

LogoAutomating DLL Hijack DiscoveryMedium
LogoWindows DLL Hijacking (Hopefully) Clarified | itm4n's blog