New DLL Search Order Hijacking Variant Exploits in Windows 10 and 11

Recent findings by security researchers have unearthed an innovative variant of DLL search order hijacking, posing a serious threat to systems running Windows 10 and Windows 11. This technique utilizes files within the trusted WinSxS folder, circumventing security measures and potentially allowing malicious code execution on compromised systems.

The method capitalizes on executables commonly found in the WinSxS folder, leveraging the classic DLL search order hijacking technique. By using this approach, threat actors sidestep the need for elevated privileges while introducing vulnerable binaries into the attack chain.

DLL search order hijacking operates by manipulating the order in which DLLs are loaded, exploiting applications that rely on a predefined search sequence to locate required DLLs on the system. Attackers manipulate this behavior by relocating legitimate system binaries to unconventional directories that also house malicious DLLs masquerading under legitimate names. As a consequence, the malicious library is loaded in place of the authentic one, because the process calling the DLL gives priority to the directory from which it executes.

The researchers' approach targets files within the trusted WinSxS folder, a critical component ensuring Windows compatibility and integrity. Exploiting vulnerable binaries in this folder, in combination with the standard DLL search order hijacking, involves placing a custom DLL with the same name as the legitimate one in an actor-controlled directory. This tactical maneuver enables the execution of malicious code merely by running a vulnerable file from the WinSxS folder, eliminating the need to copy the executable to the rogue DLL's location.

This discovery underscores the need for organizations to remain vigilant. The researcher urges close monitoring of activities involving binaries in the WinSxS folder, emphasizing scrutiny of both network communications and file operations. Understanding parent-child process relationships and fortifying precautions against this variant is imperative to safeguarding systems from exploitation.

To counter the threat posed by the new variant of DLL search order hijacking, organizations can implement strategic measures to fortify their Windows systems. Strengthening defenses involves stringent monitoring of activities related to the WinSxS folder’s binaries, focusing on network communications and file operations within this critical Windows component.