TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Black Hills InfoSec

DLL Hijacking – A New Spin on Proxying your Shellcode

BHIS · 2024-10-14

ATT&CK techniques detected

34 predictions
T1055.001 Dynamic-link Library Injection · 99%
“then proxy system DLLs, the ones that are found in Windows, C:\Windows\System32. Using this technique we don’t need to have any type of precursor elevation, we don’t need to even have additional privileges. We can do this as a low-privilege user and by actually writing that…”
T1574.001 DLL · 99%
“this one, while it’s still prevalent, it’s harder to achieve: the order hijacking. I kind of mentioned that before with the DLL sideloading, but there are some times where they will look for a valid DLL in random places. And if you can find out the order and one of those pl…”
T1055.001 Dynamic-link Library Injection · 98%
“postponed as far as possible until way after the initialization process. This is just to ensure that no additional actions are superseding. The processes need to kind of load everything and get every environmental variable set up and make sure support across DLLs is there. An…”
T1574.001 DLL · 98%
“code when it’s trying to call a valid DLL. As I mentioned before, persistence. But these types of attacks are used for more than just persistence. For the past few years there’s been great techniques where you could do some type of DLL hijacking to actually gain an elevated c…”
T1055.001 Dynamic-link Library Injection · 98%
“checks, and then it just waits for something to happen in a process. When it’s loading, we’ll say, hey, load this DLL first. Okay, now that DLL is working, everything’s good. Go to the next one. Just got a message back that DLL is working. Everything’s fine, loaded. Good.…”
T1055.001 Dynamic-link Library Injection · 98%
“? What is this talk all about? Well, I like to call this DLL proxying attacks. And what really we’re doing is we’re taking advantage of one of two things. We’re going to talk about the first one, which is folder permissions. Even though I mentioned that the operating syste…”
T1574.001 DLL · 98%
“about. Something new or maybe something that’s maybe obscure. And one of the conversations we all had as a group was persistence, making something that we can have something last over a long period of time. If you tuned in for the pre-show banter we mentioned that, in these typ…”
T1574.001 DLL · 97%
“drop our DLL into the system folder to achieve this. In fact, in this case it was running on the desktop. So this is all great. And I’ve been talking a lot about DLLs, but how do you actually get this, how did we actually deploy this in a real engagement? Michael, would you like…”
T1055.001 Dynamic-link Library Injection · 97%
“exe all of a sudden says, hey, I need this function. Let’s say it’s going back, let’s say it’s VirtualAlloc. Well, our DLL is going to get that request and it’s going to say, wait a second, this function is not one of my malicious ones, it’s a valid one. I’m going…”
T1574.001 DLL · 96%
“kind of give a prelude that, as we kind of start talking, there’s going to be a lot of terms that we are going to be saying that sound very familiar and it might be confusing, but unfortunately with DLL and DLL hijacking, sideloading, all those sorts of terminologies, while th…”
T1574.001 DLL · 95%
“says, hey, wait a second, I’m used to doing these types of attacks. These are the most common ones. There are at least four others. But I really wanted to focus in for the level set of knowledge on these. So the first one is sideloading and that’s really when you drop a DLL …”
T1055.001 Dynamic-link Library Injection · 93%
“is using Process Monitor. It’s a free tool that Microsoft offers, and what it can do is it monitors every single event in your operating system. That could be from Load Image events to even queries to say, hey, who touched a file? But it gives you a lot. It’s like drinking fr…”
T1055.001 Dynamic-link Library Injection · 93%
“memory, that’s how you can create a file, save a file, change permissions of a memory section. So when, let’s say we’ll use an example, Excel. When Excel loads, it’s going to load ntdll into the process. It’s going to set it all up, allocate space in its own process f…”
T1055.001 Dynamic-link Library Injection · 92%
“…calation to get to those contexts. But in reality Microsoft did this, as I mentioned before, as a way to protect against DLL-based attacks. If everyone can access the folder, everyone can’t try to attack or manipulate some kind of part, ensuring that nothing in there is manip…”
T1566.002 Spearphishing Link · 89%
“exploit that before Microsoft potentially patched it, although I don’t think that they ever did. But at any rate, we sent it over email, and sending it over email is not personally my favorite. A lot of people on the team, we don’t really like to phish over email if we don’t …”
T1055.001 Dynamic-link Library Injection · 88%
“…rant or unwanted. It’s a very common function. It is used for a lot of different basic operation structure. If you ever go and just search, like on Microsoft documents or GitHub, show me a sample DLL, you’ll see the first example will always have a DllMain. And inside t…”
T1204.002 Malicious File · 88%
“execute this. So we created a message where we wanted the message to look like it was coming from an automated ticketing system from within the organization that was telling users there is a critical Microsoft Outlook update that they’re going to need to install. And so you see…”
T1566.002 Spearphishing Link · 87%
“like Twilio, I think, or SendGrid, any kind of service like that, whose business it is to get them to land in an inbox. And then there are other techniques that are out there available, be they sending from a domain that already exists and has an established reputation, l…”
T1055.001 Dynamic-link Library Injection · 85%
“with the same name. You are correct. So what we do is we actually rename the original one. It can be something like totally legitimate, that old or something. By doing this, what we can then do is map the exact functions from our malicious DLLs and point them at the original o…”
T1055.001 Dynamic-link Library Injection · 79%
“’re still providing those functions and stuff. Because core DLLs like ntdll, they’re not accessible. The process will crash and we don’t want a process to crash, especially from a covert stealth operation. That kind of gives us a way we don’t then achieve our goal of est…”
T1055.001 Dynamic-link Library Injection · 73%
“what the ATT&CK module does. The recon module allows you to start scanning and creating those definition files yourself. So say, for instance, you find your own and you want to weaponize it like I’ve just described. You can use the recon to scan that DLL, it will create that…”
T1055.001 Dynamic-link Library Injection · 70%
“like what are Windows apps? Because that was my question. When we look at it, they’re actually in a separate folder than traditional files. You can see right here the new version of Teams. It’s in C, Program, Windows Apps. Anything from the new Outlook, which if you’re wonder…”
T1574.001 DLL · 68%
“…di to bootstrap and turn that DLL into shellcode for you. And then what it will do is it will spit out the registry key values you need to apply, and all of a sudden that’s all you need. In this example I actually took vanilla, unmodified Cobalt Strike DLLs, the ones you get…”
T1137.005 Outlook Rules · 59%
“was common across multiple different clients as we were targeting a large group of clients. So that meant not just 20 users but maybe 30 users across 20 different clients. So you have to kind of, what is the commonality we looked at? Well, everyone uses Outlook and Teams, so foc…”
T1055.001 Dynamic-link Library Injection · 56%
“DLL Hijacking – A New Spin on Proxying your Shellcode. This webcast was originally published on October 4, 2024. In this video, experts delve into the intricacies of DLL hijacking and new techniques for malicious code proxying,…”
T1055.001 Dynamic-link Library Injection · 55%
“…di to bootstrap and turn that DLL into shellcode for you. And then what it will do is it will spit out the registry key values you need to apply, and all of a sudden that’s all you need. In this example I actually took vanilla, unmodified Cobalt Strike DLLs, the ones you get…”
T1574.001 DLL · 55%
“talk can be talking about DLL hijacking and some of the research I did to kind of come up with new techniques. I like to call it a spin on proxying your shellcode through. We’re actually going to be talking about the methodology that I kind of used to discover these vectors, how …”
T1055.001 Dynamic-link Library Injection · 51%
“through I believe 13 different test cases I’ve mapped out, which is pretty significant when you think about the fact that these are native Windows DLL processes being arbitrarily loaded and that we can hijack them. So how do you automate this? How do you do all this? Well, if yo…”
T1574.001 DLL · 47%
“memory, that’s how you can create a file, save a file, change permissions of a memory section. So when, let’s say we’ll use an example, Excel. When Excel loads, it’s going to load ntdll into the process. It’s going to set it all up, allocate space in its own process f…”
T1055.001 Dynamic-link Library Injection · 46%
“talk can be talking about DLL hijacking and some of the research I did to kind of come up with new techniques. I like to call it a spin on proxying your shellcode through. We’re actually going to be talking about the methodology that I kind of used to discover these vectors, how …”
T1137.005 Outlook Rules · 44%
“the next time Outlook runs. So instantly we get a pop-up message because it was just loaded. And if we actually go and look at the folder, we can see first we see our Outlook and then Outlook legitimate, and then we see in the next part where that arrow is. That’s all the DLL…”
T1137 Office Application Startup · 37%
“, but also the creation and manipulation of dynamic objects. Those objects can be something like, hey, I need the email-sending capability of Outlook. So it would actually not load the entire Outlook, but it would just load that capability or component, or in Excel, Word: hey, I just…”
T1204.002 Malicious File · 33%
“needed to do to be successful. You can see that right here in the actual folder: we can see the low-privilege user has read, execute, modify, full control over files in here. That’s the key thing we need for this type of attack to be successful. Going back, as you saw before, all we …”
T1137.005 Outlook Rules · 32%
“it is, that normal operation, as things progress, the events get calculated and logged. So by just looking for Load Image events that are not in these two places, we can start to look to see what processes are loading DLLs from other places. Now this is the example that starte…”

Summary

This webcast was originally published on October 4, 2024. In this video, experts delve into the intricacies of DLL hijacking and new techniques for malicious code proxying, featuring a comprehensive […]

The post DLL Hijacking – A New Spin on Proxying your Shellcode appeared first on Black Hills Information Security, Inc.