New Variant of DLL Search Order Hijacking Bypasses Windows 10 and 11 Protections

In a startling revelation, cybersecurity firm Security Joes has uncovered a sophisticated variant of the DLL search order hijacking technique that poses a significant threat to systems running Microsoft Windows 10 and Windows 11. This novel approach exploits executables in the trusted WinSxS folder, allowing threat actors to bypass security mechanisms and execute malicious code without requiring elevated privileges.

The findings, exclusively shared with The Hacker News, shed light on a method that diverges from traditional DLL search order hijacking techniques. Typically, attackers manipulate how Windows applications load external libraries and executables, but Security Joes' discovery introduces a more subtle and stealthy exploitation method.

The WinSxS folder, short for Windows side-by-side, is a critical component used for customizing and updating the operating system to ensure compatibility and integrity. The new approach targets files within this trusted folder, combining them with DLL search order hijacking methods to achieve code execution.

Ido Naor, co-founder and CEO of Security Joes, stated, "Our discovery diverges from this path, unveiling a more subtle and stealthy method of exploitation." The security researchers identified vulnerable binaries in the WinSxS folder, such as ngentask.exe and aspnet_wp.exe, and strategically placed a custom DLL with the same name as legitimate DLLs into an actor-controlled directory.

The key advantage of this variant lies in the ability to trigger code execution by simply executing a vulnerable file in the WinSxS folder, without the need to copy the executable from WinSxS to another directory. This method eliminates the necessity for elevated privileges, allowing threat actors to introduce potentially vulnerable binaries into the attack chain.

Security Joes issued a warning, urging organizations to take adequate precautions to mitigate the exploitation method within their environments. The company recommended examining parent-child relationships between processes, with a specific focus on trusted binaries. Additionally, organizations are advised to closely monitor all activities performed by binaries in the WinSxS folder, paying attention to both network communications and file operations.