Skip to content

Latest commit

 

History

History
61 lines (37 loc) · 2.62 KB

T1574.002.md

File metadata and controls

61 lines (37 loc) · 2.62 KB

T1574.002 - DLL Side-Loading

Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.

Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests (Citation: About Side by Side Assemblies) are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable by replacing the legitimate DLL with a malicious one. (Citation: FireEye DLL Side-Loading)

Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.

Atomic Tests


Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary

GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded. Upon execution, calc.exe will be opened.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
process_name Name of the created process string calculator.exe
gup_executable GUP is an open source signed binary used by Notepad++ for software updates path PathToAtomicsFolder\T1574.002\bin\GUP.exe

Attack Commands: Run with command_prompt!

#{gup_executable}

Cleanup Commands:

taskkill /F /IM #{process_name} >nul 2>&1

Dependencies: Run with powershell!

Description: Gup.exe binary must exist on disk at specified location (#{gup_executable})
Check Prereq Commands:
if (Test-Path #{gup_executable}) {exit 0} else {exit 1} 
Get Prereq Commands:
New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe" -OutFile "#{gup_executable}"