{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dll-hijacking/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-7279"}],"_cs_exploited":false,"_cs_products":["AVACAST"],"_cs_severities":["high"],"_cs_tags":["dll-hijacking","privilege-escalation","code-execution"],"_cs_type":"advisory","_cs_vendors":["eMPIA Technology"],"content_html":"\u003cp\u003eCVE-2026-7279 describes a DLL hijacking vulnerability affecting AVACAST, a product developed by eMPIA Technology. The vulnerability allows an authenticated local attacker to execute arbitrary code with system-level privileges on a vulnerable system. This is achieved by placing a malicious DLL file in a directory where AVACAST expects to load a legitimate DLL. When AVACAST is executed, it inadvertently loads the malicious DLL, granting the attacker elevated privileges. The vulnerability poses a significant risk to systems where AVACAST is installed, as successful exploitation can lead to complete system compromise. 
This vulnerability was published on 2026-04-28.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains local access to the targeted system through legitimate credentials or exploits another vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a directory from which AVACAST loads DLL files.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious DLL file designed to execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious DLL file in the identified directory, potentially overwriting or replacing a legitimate DLL file.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the AVACAST application or waits for it to be automatically launched.\u003c/li\u003e\n\u003cli\u003eAVACAST attempts to load the (now malicious) DLL file from the directory.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes within the context of the AVACAST process, inheriting its system-level privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution with system privileges, potentially leading to full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7279 allows a local attacker to execute arbitrary code with system-level privileges. This can result in complete system compromise, including data theft, installation of malware, and disruption of services. Given the high privileges gained, the attacker can perform any action on the system. 
The number of potential victims is unknown, but any system running a vulnerable version of AVACAST is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for AVACAST loading DLLs from unusual or writable directories using the provided Sigma rule \u0026ldquo;Detect AVACAST DLL Hijacking\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on AVACAST installation directories to detect unauthorized DLL modifications.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect DLL Load from Suspicious Paths\u0026rdquo; to identify DLL loads from unusual paths, which can be indicative of DLL hijacking attempts.\u003c/li\u003e\n\u003cli\u003eApply appropriate access controls to prevent unauthorized users from writing to AVACAST installation directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T10:16:04Z","date_published":"2026-04-28T10:16:04Z","id":"/briefs/2026-04-avacast-dll-hijacking/","summary":"A DLL hijacking vulnerability in eMPIA Technology's AVACAST (CVE-2026-7279) allows authenticated local attackers to achieve arbitrary code execution with system privileges by placing a malicious DLL in a specific directory.","title":"AVACAST DLL Hijacking Vulnerability (CVE-2026-7279)","url":"https://feed.craftedsignal.io/briefs/2026-04-avacast-dll-hijacking/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7,"id":"CVE-2026-6421"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve","vulnerability","mobaxterm","dll hijacking"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMobatek MobaXterm Home Edition up to version 26.1 is vulnerable to an uncontrolled search path issue (CVE-2026-6421) within the msimg32.dll library. This vulnerability allows a local attacker to manipulate the search path used by the application, potentially leading to arbitrary code execution. 
The complexity of exploitation is considered high, and it requires local access to the system. The vendor was responsive and released version 26.2 to address the vulnerability, urging users to upgrade. Public exploits are available, increasing the urgency for remediation. This vulnerability matters to defenders because successful exploitation could lead to privilege escalation or the execution of malicious code within the context of the MobaXterm application.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains local access to a system with a vulnerable version (\u0026lt;= 26.1) of MobaXterm Home Edition installed.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious DLL file (e.g., a replacement msimg32.dll or another DLL that msimg32.dll might load).\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious DLL in a directory that MobaXterm searches before the legitimate system directories.\u003c/li\u003e\n\u003cli\u003eThe attacker executes MobaXterm.\u003c/li\u003e\n\u003cli\u003eWhen MobaXterm loads msimg32.dll, it loads the malicious DLL from the attacker-controlled directory instead of the legitimate system directory due to the uncontrolled search path.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes arbitrary code within the context of the MobaXterm process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the executed code to perform malicious actions, such as installing malware or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence or further compromises the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6421 allows a local attacker to execute arbitrary code within the context of the MobaXterm process. 
While the exploit requires local access and is considered to have high complexity, the availability of public exploits increases the risk. The impact of successful exploitation includes potential privilege escalation, malware installation, and further system compromise. Although specific victim counts and sectors targeted are unknown, any system running a vulnerable version of MobaXterm Home Edition is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Mobatek MobaXterm Home Edition to version 26.2 or later to patch CVE-2026-6421, as advised by the vendor.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized DLLs, mitigating the impact of uncontrolled search path vulnerabilities.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for MobaXterm (process name: MobaXterm.exe) loading DLLs from unusual or user-writable directories using the provided Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T06:16:30Z","date_published":"2026-04-17T06:16:30Z","id":"/briefs/2026-04-mobaxterm-cve-2026-6421/","summary":"CVE-2026-6421 is an uncontrolled search path vulnerability in Mobatek MobaXterm Home Edition up to version 26.1, affecting msimg32.dll, that can be exploited locally with high complexity.","title":"Mobatek MobaXterm Home Edition Uncontrolled Search Path Vulnerability (CVE-2026-6421)","url":"https://feed.craftedsignal.io/briefs/2026-04-mobaxterm-cve-2026-6421/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-40031"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["dll-hijacking","library-hijacking","code-execution","memprocfs","cve-2026-40031"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMemProcFS before version 5.17 is vulnerable to DLL and shared library hijacking due to unsafe library loading practices. 
Specifically, the application uses bare-name \u003ccode\u003eLoadLibraryU\u003c/code\u003e and \u003ccode\u003edlopen\u003c/code\u003e calls without proper path qualification for \u003ccode\u003evmmpyc\u003c/code\u003e, \u003ccode\u003elibMSCompression\u003c/code\u003e, and plugin DLLs. This vulnerability, identified as CVE-2026-40031, exists across six attack surfaces. The vulnerability was reported by VulnCheck. Exploitation can occur on both Windows and Linux systems where MemProcFS is installed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable MemProcFS installation (version \u0026lt; 5.17).\u003c/li\u003e\n\u003cli\u003eAttacker determines the libraries MemProcFS attempts to load without a fully qualified path, such as \u003ccode\u003evmmpyc\u003c/code\u003e, \u003ccode\u003elibMSCompression\u003c/code\u003e, or plugin DLLs.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious DLL or shared library with the same name as one of the targeted libraries (e.g., \u003ccode\u003evmmpyc.dll\u003c/code\u003e on Windows or \u003ccode\u003elibvmmpyc.so\u003c/code\u003e on Linux).\u003c/li\u003e\n\u003cli\u003eAttacker places the malicious library in the same working directory as MemProcFS or manipulates the \u003ccode\u003eLD_LIBRARY_PATH\u003c/code\u003e environment variable (on Linux) to point to a directory containing the malicious library.\u003c/li\u003e\n\u003cli\u003eThe user executes MemProcFS.\u003c/li\u003e\n\u003cli\u003eMemProcFS attempts to load the legitimate library using \u003ccode\u003eLoadLibraryU\u003c/code\u003e or \u003ccode\u003edlopen\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the presence of the malicious library in the working directory or the manipulated \u003ccode\u003eLD_LIBRARY_PATH\u003c/code\u003e, the malicious library is loaded instead of the intended legitimate library.\u003c/li\u003e\n\u003cli\u003eThe malicious library executes 
arbitrary code within the context of the MemProcFS process, granting the attacker control over the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40031 allows an attacker to achieve arbitrary code execution. While the exact number of victims is unknown, any system running a vulnerable version of MemProcFS is at risk. Given the nature of MemProcFS, successful exploitation could lead to sensitive data exposure or complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade MemProcFS to version 5.17 or later to address the vulnerability (References: \u003ca href=\"https://github.com/ufrisk/MemProcFS/releases/tag/v5.17\"\u003ehttps://github.com/ufrisk/MemProcFS/releases/tag/v5.17\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process creations for MemProcFS loading unexpected DLLs or shared libraries from non-standard paths using the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring for MemProcFS installation directories to detect the presence of newly created DLLs or shared libraries with suspicious names.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of running applications from untrusted sources and the importance of verifying the integrity of software before execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T22:16:23Z","date_published":"2026-04-08T22:16:23Z","id":"/briefs/2026-04-memprocfs-dll-hijacking/","summary":"MemProcFS before 5.17 is susceptible to DLL and shared-library hijacking due to unsafe library-loading patterns, allowing attackers to achieve arbitrary code execution by placing malicious libraries or manipulating the library search path.","title":"MemProcFS DLL and Shared Library Hijacking 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-memprocfs-dll-hijacking/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-3780"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","cve-2026-3780","untrusted-search-path","dll-hijacking","installer"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-3780 describes a local privilege escalation vulnerability affecting an application installer. The installer, when executed, operates with elevated privileges. However, it resolves the location of system executables and DLLs using an untrusted search path. This untrusted path includes directories writable by standard users. An attacker can exploit this by placing malicious binaries, named identically to legitimate system files, in these user-writable directories. When the installer attempts to load or execute these system files, the attacker\u0026rsquo;s malicious versions are used instead, due to the flawed search path resolution. This leads to arbitrary code execution with elevated privileges, thereby escalating the attacker\u0026rsquo;s privileges on the local system. 
This vulnerability was reported in Foxit products and poses a significant risk to systems where the vulnerable installer is executed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a user-writable directory included in the application installer\u0026rsquo;s search path.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the application installer to determine which system executables or DLLs it attempts to load or execute.\u003c/li\u003e\n\u003cli\u003eThe attacker creates malicious binaries that mimic the names of the targeted system files.\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious binaries into the user-writable directory.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the vulnerable application installer, typically requiring some user interaction (e.g., clicking \u0026ldquo;Install\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe installer, running with elevated privileges, attempts to load or execute the legitimate system files.\u003c/li\u003e\n\u003cli\u003eDue to the untrusted search path, the installer loads or executes the attacker\u0026rsquo;s malicious binaries instead of the legitimate ones.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes with elevated privileges, allowing the attacker to perform actions such as creating new accounts, installing software, or modifying system settings, thereby achieving local privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3780 allows a local attacker to gain elevated privileges on the system. This means an attacker with limited access can perform administrative tasks, install malware, access sensitive data, and potentially compromise the entire system. 
The severity is high because it bypasses normal security controls and can lead to a full system compromise from a limited starting point. This poses a significant risk to any system running the affected application installer.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect DLL Hijacking via Installer\u0026rdquo; to detect the creation of malicious DLLs in user-writable directories, referencing the rule details below.\u003c/li\u003e\n\u003cli\u003eEnable file creation monitoring in user-writable directories (e.g., %TEMP%, %APPDATA%) to provide data for the Sigma rule and to detect suspicious file activity.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of unexpected binaries within the context of the application installer, leveraging the rule \u0026ldquo;Detect Suspicious Process Execution by Installer\u0026rdquo; defined below.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T02:16:03Z","date_published":"2026-04-01T02:16:03Z","id":"/briefs/2026-04-untrusted-search-path/","summary":"An application installer vulnerable to CVE-2026-3780 runs with elevated privileges but resolves system executables and DLLs using an untrusted search path, enabling local privilege escalation by allowing a local attacker to inject malicious binaries.","title":"CVE-2026-3780: Local Privilege Escalation via Untrusted Search Path in Application Installer","url":"https://feed.craftedsignal.io/briefs/2026-04-untrusted-search-path/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["System Center Configuration Manager"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","dll-hijacking","sccm"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to hijack Windows user sessions by exploiting Microsoft\u0026rsquo;s System Center Configuration Manager (SCCM). 
This involves loading malicious DLLs into \u003ccode\u003eSCNotification.exe\u003c/code\u003e, a process responsible for user notifications within the SCCM framework. The vulnerability arises when \u003ccode\u003eSCNotification.exe\u003c/code\u003e loads untrusted DLLs, potentially impersonating a user session. This activity is often characterized by recent DLL file creation or modification, coupled with the DLL lacking a trusted code signature. The references indicate this technique has been discussed publicly, raising awareness and the potential for increased exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system.\u003c/li\u003e\n\u003cli\u003eAttacker places a malicious DLL on the system. This DLL may be disguised to appear legitimate.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the system to cause \u003ccode\u003eSCNotification.exe\u003c/code\u003e to load the malicious DLL. This may involve modifying registry keys or file paths.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eSCNotification.exe\u003c/code\u003e loads the attacker-controlled DLL.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes within the context of the \u003ccode\u003eSCNotification.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the hijacked process to impersonate a user session.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to user accounts and data.\u003c/li\u003e\n\u003cli\u003eAttacker performs malicious actions under the guise of the compromised user, such as data exfiltration or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to unauthorized access to sensitive data, privilege escalation, and further compromise of the network. 
Victims could experience data breaches, financial loss, or reputational damage. The impact depends on the extent of access gained by the attacker and the sensitivity of the data accessed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Windows Session Hijacking via CcmExec\u0026rdquo; to your SIEM to detect suspicious DLL loads by \u003ccode\u003eSCNotification.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts triggered by the Sigma rule, focusing on DLLs with recent file creation times or modifications (DLL timestamps) and untrusted signatures.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized DLLs from being loaded by \u003ccode\u003eSCNotification.exe\u003c/code\u003e as described in the remediation steps in the note section.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003eSCNotification.exe\u003c/code\u003e and related processes.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to enhance visibility into process execution events, which activates the Sigma rules above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"/briefs/2024-07-sccm-dll-hijacking/","summary":"Adversaries may exploit Microsoft's System Center Configuration Manager by loading malicious DLLs into SCNotification.exe, a process associated with user notifications, potentially leading to Windows session hijacking.","title":"Potential Windows Session Hijacking via CcmExec","url":"https://feed.craftedsignal.io/briefs/2024-07-sccm-dll-hijacking/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike FDR","Elastic Endgame","Elastic 
Defend"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","amsi-bypass","dll-hijacking","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","CrowdStrike","Elastic"],"content_html":"\u003cp\u003eThe Antimalware Scan Interface (AMSI) is a Windows interface that allows applications and services to integrate with antimalware products. Attackers may attempt to bypass AMSI to execute malicious code without detection. This detection identifies the creation of the AMSI DLL (\u003ccode\u003eamsi.dll\u003c/code\u003e) in unusual locations, which is a common technique used to load a rogue AMSI module instead of the legitimate one. This technique can be used to evade detection by security products that rely on AMSI for scanning potentially malicious scripts and code. The rule is designed to work with data from Winlogbeat, Elastic Endpoint, Sysmon, Endgame, SentinelOne Cloud Funnel, Microsoft Defender XDR, and CrowdStrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker determines the location of the legitimate \u003ccode\u003eamsi.dll\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a writable directory where a malicious \u003ccode\u003eamsi.dll\u003c/code\u003e can be placed. This location must be in the search order of applications that use AMSI, such as PowerShell or other scripting hosts.\u003c/li\u003e\n\u003cli\u003eThe attacker copies or creates a malicious \u003ccode\u003eamsi.dll\u003c/code\u003e in the identified location. This rogue DLL is designed to bypass or disable AMSI functionality.\u003c/li\u003e\n\u003cli\u003eA process like PowerShell or another scripting host is launched. 
Because the malicious \u003ccode\u003eamsi.dll\u003c/code\u003e is in a higher-priority directory, it is loaded instead of the legitimate AMSI library.\u003c/li\u003e\n\u003cli\u003eThe launched process executes malicious code (e.g., PowerShell script).\u003c/li\u003e\n\u003cli\u003eBecause the rogue \u003ccode\u003eamsi.dll\u003c/code\u003e is loaded, AMSI scans are bypassed, allowing the malicious code to execute without detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful AMSI bypass can allow attackers to execute malicious code, such as malware, scripts, or exploits, without detection by antimalware products. This can lead to system compromise, data theft, or other malicious activities. The impact can range from a single compromised endpoint to a wider breach of an organization\u0026rsquo;s network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable file creation monitoring with Sysmon or Elastic Defend to detect the creation of files, specifically DLLs, in unusual locations.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Antimalware Scan Interface DLL Creation\u0026rdquo; to your SIEM to detect the creation of \u003ccode\u003eamsi.dll\u003c/code\u003e in non-standard paths. 
Tune the rule for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the parent process, file path, and user context to determine if the activity is malicious.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-amsi-dll-hijack/","summary":"An adversary may attempt to bypass AMSI by creating a rogue AMSI DLL in an unusual location to evade detection.","title":"Suspicious Antimalware Scan Interface DLL Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-amsi-dll-hijack/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","CrowdStrike FDR","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","dll-hijacking"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThis detection identifies potential abuse of the Windows Side-by-Side (SxS) feature to execute malicious code. Attackers can place a malicious DLL file within an application\u0026rsquo;s local SxS folder (application.exe.local) and trick the Windows module loader into prioritizing it over legitimate system DLLs. This technique, known as DLL hijacking or DLL redirection, allows adversaries to gain arbitrary code execution within the context of the targeted application. This technique may be used to bypass security controls, escalate privileges, or establish persistence. 
The detection focuses on file events related to DLLs within these specific SxS folders.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a legitimate application with an associated SxS folder (application.exe.local).\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a malicious DLL file.\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious DLL file in the application\u0026rsquo;s SxS folder (application.exe.local).\u003c/li\u003e\n\u003cli\u003eA legitimate application attempts to load a DLL.\u003c/li\u003e\n\u003cli\u003eDue to the presence of the malicious DLL in the SxS folder, the Windows module loader prioritizes the attacker\u0026rsquo;s DLL.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL is loaded and executed by the application.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution within the context of the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution within the targeted application\u0026rsquo;s context. This can result in privilege escalation, data theft, system compromise, or the establishment of persistence mechanisms. 
While the number of directly affected organizations is unknown, this technique can be used against a wide range of applications on Windows systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor file creation events for DLL files in \u003ccode\u003eC:\\*\\*.exe.local\\*.dll\u003c/code\u003e and \u003ccode\u003e\\\\Device\\\\HarddiskVolume*\\\\*\\\\*.exe.local\\\\*.dll\u003c/code\u003e using the provided Sigma rule to detect potential malicious DLL planting.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) to improve visibility into file creation events, as noted in the \u003ca href=\"https://ela.st/sysmon-event-11-setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the DLL creation event and the involved application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-local-sxs-dll-execution/","summary":"This rule detects the creation, modification, or deletion of DLL files within Windows SxS local folders, which could indicate an attempt to execute malicious payloads by abusing shared module loading.","title":"Execution via Local SxS Shared Module","url":"https://feed.craftedsignal.io/briefs/2024-01-03-local-sxs-dll-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Dll-Hijacking","version":"https://jsonfeed.org/version/1.1"}