Why do adversaries use DLL Search Order Hijacking?
DLL Search Order Hijacking offers adversaries a reliable and often discreet method for persisting, elevating their privileges, and evading defensive controls. Rather than overtly installing a malicious binary, the adversary can place a malicious DLL that carries a legitimate filename into the same directory as a legitimate executable.
When that executable later loads the library by name, Windows searches for it beginning with the directory the executable lives in. Finding the malicious DLL there first, it loads that library, giving the attacker code execution from within the legitimate host process. Most often, we observe a legitimate executable known to be vulnerable to hijacking dropped by the adversary along with the malicious DLL.
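The detection angle on the mechanism above, as an added example rather than Red Canary's own logic: flag module loads where a DLL name that Windows normally serves from a system directory was instead resolved from the loading executable's own directory. The system-directory allowlist, the DLL name list and the sample events are constructed assumptions.

```python
"""Flag DLL loads consistent with search-order hijacking: a DLL whose name
normally resolves from a Windows system directory, but which was loaded from
the directory of the executable importing it (the first location searched)."""
import ntpath
from dataclasses import dataclass

# Assumed allowlist of directories Windows legitimately serves these DLLs from.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Constructed list of DLL names that should not appear beside a user-writable EXE.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptsp.dll"}


@dataclass(frozen=True)
class ModuleLoad:
    process_path: str  # full path of the executable that loaded the module
    module_path: str   # full path of the DLL that was actually loaded


def is_hijack_candidate(event: ModuleLoad) -> bool:
    """True when a system DLL name resolved from the process's own directory
    rather than from a system directory. ntpath handles Windows paths on any host."""
    mod_dir = ntpath.dirname(event.module_path).lower()
    mod_name = ntpath.basename(event.module_path).lower()
    proc_dir = ntpath.dirname(event.process_path).lower()
    return (mod_name in SYSTEM_DLLS
            and mod_dir not in SYSTEM_DIRS
            and mod_dir == proc_dir)


def find_hijack_candidates(events):
    """Return the events worth triaging (signer, hash and file-creation context
    separate a real hijack from software that legitimately redistributes a DLL)."""
    return [e for e in events if is_hijack_candidate(e)]


# Constructed sample telemetry: two benign loads, two matching the hijack pattern.
SAMPLE_EVENTS = [
    ModuleLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\version.dll"),
    ModuleLoad(r"C:\Program Files\App\app.exe", r"C:\Program Files\App\appcore.dll"),
    ModuleLoad(r"C:\Users\Public\Downloads\updater.exe", r"C:\Users\Public\Downloads\version.dll"),
    ModuleLoad(r"C:\ProgramData\tool\tool.exe", r"C:\ProgramData\tool\dbghelp.dll"),
]

if __name__ == "__main__":
    for hit in find_hijack_candidates(SAMPLE_EVENTS):
        print(f"candidate: {hit.process_path} loaded {hit.module_path}")
```

Legitimate software does ship its own copies of some of these DLLs, so the output is a triage lead, not a verdict.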
DLL Search Order Hijacking is elusive, and it’s something we’ve historically struggled to detect—both specifically here at Red Canary and more generally as an industry. However, as its rise in prevalence suggests, we made a lot of progress expanding our detection coverage for the threat in 2019.