T1038 DLL Search Order Hijacking Persistence - CraigDonkin/Infrastructure GitHub Wiki

T1038 : DLL Search Order Hijacking Persistence

  • The planted DLL runs with the privileges of the process that loads it; for privilege escalation you need a process running as Admin or SYSTEM (a service, scheduled task or auto-elevated binary) that loads a DLL from a location a lower-privileged user can write to
  • If the DLL doesn't exist, or is loaded by name without a fully qualified path
    • Replace the DLL with a malicious one, or plant one with the same name earlier in the search order
  • File permissions are what decide it
    • Can you write to the location?
  • If the DLL doesn't exist at all, can you write to any directory on the search order? The loader will take the first copy it finds

DLL Search Order

https://docs.microsoft.com/en-us/windows/desktop/Dlls/dynamic-link-library-search-order

SafeDllSearchMode is Enabled (Default)

  1. The directory from which the app is loaded
  2. The system directory (System32, or SysWOW64 for a 32-bit process)
  3. The 16-bit system directory (Windows\System)
  4. The Windows directory
  5. The current directory
  6. Directories listed in the PATH environment variable

Disable SafeDllSearchMode (requires admin; a missing value or any non-zero value means enabled)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode (REG_DWORD) = 0

SafeDllSearchMode is Disabled

  1. The directory from which the app is loaded
  2. The current directory
  3. The system directory
  4. The 16-bit system directory
  5. The Windows directory
  6. Directories listed in PATH

With it disabled the current directory is searched before the system directories, so a DLL planted in whatever working directory the process starts in (for example next to a document the user opens) wins over the legitimate copy in System32.

Technique

  • Identify processes with missing DLLs
    • Process Monitor (Procmon): filter on Result is NAME NOT FOUND and Path ends with .dll, then note which directories were tried and in what order
    • Find-ProcessDLLHijack (PowerUp, part of PowerSploit)
  • Check the permissions of the directory the DLL is (or would be) loaded from, and of every directory ahead of it on the search order
    • Can you write to it?
      • icacls
      • Find-PathDLLHijack (PowerUp, part of PowerSploit)
    • Write the DLL
      • The DLL must have the exact name the process expects. If the process goes on to call the DLL's exports it will fail once DllMain has run unless you proxy those exports to the real DLL; if the DLL was missing entirely, a DllMain-only payload is enough
      • Write-HijackDll (PowerUp, part of PowerSploit)
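As an added example, not from the original wiki page and not PowerUp's code, the following PowerShell ties the search order above to the permission check in the technique: it computes the effective order for a given executable (honouring the SafeDllSearchMode registry value), then walks it for a DLL name taken from Procmon and reports which directories you can write to before the loader would find a real copy. The executable path and DLL name in the usage call are hypothetical placeholders. KnownDLLs, API set redirection, manifest and .local redirection, and applications that call SetDefaultDllDirectories or AddDllDirectory are not modelled, and the write probe must be run as the low-privileged user you are escalating from, not from an elevated shell.

```powershell
# Added example: effective DLL search order plus writable-directory check.
# Assumes the legacy search order documented by Microsoft (see link above);
# KnownDLLs, API sets, manifest/.local redirection and SetDefaultDllDirectories
# are NOT modelled. Run as the low-privileged user, not from an elevated shell.

function Get-DllSearchOrder {
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [string]$CurrentDirectory = (Get-Location).Path   # the target's working directory, if known
    )
    # SafeDllSearchMode: a missing value or any non-zero value means enabled (the default).
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SafeDllSearchMode
    $safe  = ($null -eq $value) -or ($value -ne 0)

    $appDir     = Split-Path -Parent (Resolve-Path -LiteralPath $ExePath).Path
    $windowsDir = [Environment]::GetFolderPath('Windows')
    $systemDir  = [Environment]::GetFolderPath('System')   # System32 (SysWOW64 for a 32-bit process)
    $sys16Dir   = Join-Path $windowsDir 'System'           # the 16-bit system directory
    $pathDirs   = @($env:PATH -split ';' | Where-Object { $_.Trim() -ne '' })

    if ($safe) {
        $order = @($appDir, $systemDir, $sys16Dir, $windowsDir, $CurrentDirectory) + $pathDirs
    } else {
        $order = @($appDir, $CurrentDirectory, $systemDir, $sys16Dir, $windowsDir) + $pathDirs
    }
    [pscustomobject]@{ SafeDllSearchMode = $safe; Order = $order }
}

function Test-WritableDirectory {
    # Try to create a file instead of parsing the ACL: inherited and deny
    # entries plus group membership make icacls output easy to misread.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ('~' + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Find-DllHijackSlot {
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [Parameter(Mandatory)][string]$DllName   # the name Procmon reported as NAME NOT FOUND
    )
    $search = Get-DllSearchOrder -ExePath $ExePath
    foreach ($dir in $search.Order) {
        $present  = Test-Path -LiteralPath (Join-Path $dir $DllName) -PathType Leaf
        $writable = Test-WritableDirectory -Path $dir
        [pscustomobject]@{
            Directory  = $dir
            DllPresent = $present
            Writable   = $writable
            Hijackable = $writable -and (-not $present)
        }
        # The loader stops at the first directory that holds the DLL; later
        # directories can never win, so stop reporting there.
        if ($present) { break }
    }
}

# Usage (hypothetical target path and DLL name):
Find-DllHijackSlot -ExePath 'C:\Program Files\Vendor\app.exe' -DllName 'missing.dll' |
    Format-Table -AutoSize
```

Rows with Hijackable = True are the directories where a DLL of that name would be picked up. If no row shows DllPresent = True, the DLL is missing everywhere and any Hijackable row works; if a real copy is found, only the rows above it count. A PATH entry that does not exist but whose parent directory is writable is also worth creating, which this probe does not check.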

Useful Resources

https://www.gracefulsecurity.com/privesc-dll-hijacking/ BGINFO example

https://www.fuzzysecurity.com/tutorials/16.html IKEEXT Example
