January 1, 2024 at 09:18AM
Security researchers have uncovered a new DLL search order hijacking technique that allows threat actors to execute malicious code on Windows 10 and 11. By leveraging trusted WinSxS folder executables, adversaries can bypass security mechanisms and introduce potentially vulnerable binaries into the attack chain. Security Joes urges organizations to closely monitor and mitigate this exploitation method.
Based on the meeting notes, the key takeaways are as follows:
– A new variant of a DLL search order hijacking technique has been identified, which can potentially be exploited by threat actors to execute malicious code on systems running Windows 10 and Windows 11.
– The technique leverages executables commonly found in the trusted WinSxS folder and exploits them via the classic DLL search order hijacking method, allowing threat actors to bypass security mechanisms and execute malicious code without requiring elevated privileges.
– The attack involves moving legitimate system binaries into non-standard directories that include malicious DLLs named after legitimate ones, so that the library containing the attack code is picked up in place of the legitimate one.
– Security Joes has warned that there may be additional binaries in the WinSxS folder susceptible to this kind of DLL search order hijacking, and organizations are advised to take precautions to mitigate the exploitation method within their environments.
– Security Joes also recommended examining parent-child relationships between processes, with a specific focus on trusted binaries, and monitoring all activities performed by binaries residing in the WinSxS folder, focusing on both network communications and file operations.
Please let me know if you need further information or if there are additional details I can provide.