Local SxS Shared Module DLL Hijacking
Adversaries may abuse shared modules in local Side-by-Side (SxS) folders to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths, potentially bypassing security controls.
Attackers can exploit the Windows Side-by-Side (SxS) feature, specifically the application.exe.local folder, to load malicious DLLs. This technique involves placing a malicious DLL within the SxS folder, tricking a legitimate application into loading it instead of the intended DLL. This circumvents standard module loading order. The initial Elastic detection rule was created in 2020/10/28, and updated 2026/04/07. Defenders should be aware of this technique as it can be used to achieve code execution and potentially bypass application whitelisting or other security measures. This technique affects Windows systems and the impact is significant due to the potential for arbitrary code execution.
Attack Chain
- The attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).
- The attacker identifies a legitimate application vulnerable to DLL hijacking via the SxS folder (application.exe.local).
- The attacker creates a malicious DLL file, mimicking the name of a legitimate DLL that the target application attempts to load.
- The attacker places the malicious DLL into the application's SxS folder (application.exe.local).
- The target application is executed.
- The Windows module loader searches for the required DLL within the application's SxS folder first.
- The module loader loads the malicious DLL instead of the legitimate one.
- The malicious DLL executes its payload, granting the attacker code execution within the context of the legitimate application, potentially leading to further compromise or lateral movement.
Impact
A successful DLL hijacking attack can lead to arbitrary code execution within the context of a legitimate application. This can allow attackers to bypass security controls, escalate privileges, install malware, or steal sensitive data. While the exact number of victims is unknown, DLL hijacking remains a prevalent technique, and this specific variation targeting local SxS shared modules increases the risk. Successful exploitation allows for defense evasion and persistence within the compromised environment.
Recommendation
- Monitor file creation events for DLL files within application.exe.local directories using the Sigma rule provided to detect potential malicious DLLs being placed in those folders.
- Implement application whitelisting to restrict which applications can execute on a system, mitigating the risk of unauthorized DLL loading.
- Enable Sysmon file creation and process creation logging to improve visibility into file system activity related to DLL loading.
- Regularly audit and validate the integrity of DLLs within application directories.
- Deploy the provided Sigma rules to detect malicious DLL creation or modifications in SxS folders.
Detection coverage 2
Detect DLL Creation in Local SxS Folder
mediumDetects the creation of DLL files in a local application SxS folder (application.exe.local), which could indicate DLL hijacking.
Detect DLL Modification in Local SxS Folder
mediumDetects modification of DLL files in a local application SxS folder (application.exe.local), which could indicate DLL hijacking.
Detection queries are available on the platform. Get full rules →