📓
Red Team Notes
  • Introduction
  • Red Team Notes 2.0
  • Red Team
  • Initial Access
    • Spear Phishing Links
      • HTA Files
      • Binaries
      • PDF Files
      • SET(Social-Engineering Toolkit)
    • Spear Phishing Attachments
      • Macros
      • Dynamic Data Exchange
      • SCR Files
      • LNK Files
    • (+) Links and Attachments
  • Execution
    • Component Object Model and Distributed COM
    • MSHTA
    • PowerShell
    • Rundll32
    • Scheduled Tasks
    • Scripting
    • Trusted Developer Utilities
      • MSBuild
      • Regsvr32
    • Windows Remote Management
    • Windows Management Instrumentation (WMI)
  • Persistence
    • Scheduled Tasks
    • Create Account
    • DLL Search Order Hijacking
    • Hooking
    • Logon Scripts
    • Modify Existing Service
    • New Service
    • Path Interception
    • Registry Keys / StartUp Folder
    • ShortCut Modification
  • Privesc
    • Access Token Manipulation
    • DLL Search Order Hijacking
    • Exploitation for Privesc
    • File System Permissions Weakness
    • Always Install Elevated
  • Defense Evasion
  • Credential Access
    • Credential Dumping
    • Kerberoasting
    • LLMNR/NBT-NS Poisoning and Relay
  • Discovery
  • Lateral Movement
    • Pass the Ticket
    • Pass the Hash
    • Remote Desktops
    • Internal Spearphishing
    • Windows Admin Shares
    • Component Object Model and Distributed COM
    • Windows Remote Management
  • Collection
  • Command and Control
  • Exfiltration
  • Impact
  • Active Directory
    • Introduction
      • Kerberos
      • LDAP
    • Enumeration
    • Attacks
      • Unconstrained Delegation
      • Constrained Delegation
      • DCSync
      • Kerberoasting
      • Silver Tickets
      • Golden Tickets
  • Detection
    • Detection
    • Initial Access
    • Execution
      • MSHTA (Detection)
  • Resources & References
    • References & Resources
Powered by GitBook
On this page

Was this helpful?

  1. Privesc

DLL Search Order Hijacking

PreviousAccess Token ManipulationNextExploitation for Privesc

Last updated 5 years ago

Was this helpful?

Windows systems use a common method to look for required DLLs to load into a program. Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence.

Adversaries may perform DLL preloading, also called binary planting attacks, by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a programs sets its current directory to a remote location such as a Web share before loading a DLL.Adversaries may use this behavior to cause the program to load a malicious DLL.

Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL to maintain persistence or privilege escalation.

If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary -controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.

Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.

Let's set some examples

In Windows environments when an application or a service is starting it looks for a number of DLL's in order to function properly. If these DLL's doesn't exist or are implemented in an insecure way (DLL's are called without suing a fully qualified path) then it is possible to escalate privileges by forcing the application to load and execute a malicious DLL file.

It should be noted that when an application needs to load DLL it will go through the following order:

  • The directory from which the application is loaded.

  • C:\Windows\System32

  • C:\Windows\System

  • C:\Windows

  • The current working directory

  • Directories in the system PATH environment variable

  • Directories in the user PATH environment variable

A fast way to Hijack and Find any DLL hijacking is using Powersploits, Find-PathhDLlHijack, Find-ProcessDLLHijack, Invoke-AllChecks. We can check that powersploit will tell us where the hijack is located and what command to use next to hijack the process immediately.

We can paste the Abuse Function: Argument and abuse the hijack

This will create a user named john with the password Password123!

We can wait for a restart on the machine or a restart of the process.

Our current users before the Restart

Machine rebooting

And after login in back we can see that john is now a user and added on to the Administrators Group