<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Dll-Hijacking — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/dll-hijacking/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 28 Apr 2026 10:16:04 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/dll-hijacking/feed.xml" rel="self" type="application/rss+xml"/><item><title>AVACAST DLL Hijacking Vulnerability (CVE-2026-7279)</title><link>https://feed.craftedsignal.io/briefs/2026-04-avacast-dll-hijacking/</link><pubDate>Tue, 28 Apr 2026 10:16:04 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-avacast-dll-hijacking/</guid><description>A DLL hijacking vulnerability in eMPIA Technology's AVACAST (CVE-2026-7279) allows authenticated local attackers to achieve arbitrary code execution with system privileges by placing a malicious DLL in a specific directory.</description><content:encoded><![CDATA[<p>CVE-2026-7279 describes a DLL hijacking vulnerability affecting AVACAST, a product developed by eMPIA Technology. The vulnerability allows an authenticated local attacker to execute arbitrary code with system-level privileges on a vulnerable system. This is achieved by placing a malicious DLL file in a directory where AVACAST expects to load a legitimate DLL. When AVACAST is executed, it inadvertently loads the malicious DLL, granting the attacker elevated privileges. The vulnerability poses a significant risk to systems where AVACAST is installed, as successful exploitation can lead to complete system compromise. 
This vulnerability was published on 2026-04-28.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains local access to the targeted system through legitimate credentials or exploits another vulnerability.</li>
<li>The attacker identifies a directory from which AVACAST loads DLL files.</li>
<li>The attacker crafts a malicious DLL file designed to execute arbitrary code.</li>
<li>The attacker places the malicious DLL file in the identified directory, potentially overwriting or replacing a legitimate DLL file.</li>
<li>The attacker executes the AVACAST application or waits for it to be automatically launched.</li>
<li>AVACAST attempts to load the (now malicious) DLL file from the directory.</li>
<li>The malicious DLL executes within the context of the AVACAST process, inheriting its system-level privileges.</li>
<li>The attacker achieves arbitrary code execution with system privileges, potentially leading to full system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-7279 allows a local attacker to execute arbitrary code with system-level privileges. This can result in complete system compromise, including data theft, installation of malware, and disruption of services. Given the high privileges gained, the attacker can perform any action on the system. The number of potential victims is unknown, but any system running a vulnerable version of AVACAST is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process creation events for AVACAST loading DLLs from unusual or writable directories using the provided Sigma rule &ldquo;Detect AVACAST DLL Hijacking&rdquo;.</li>
<li>Implement file integrity monitoring on AVACAST installation directories to detect unauthorized DLL modifications.</li>
<li>Deploy the Sigma rule &ldquo;Detect DLL Load from Suspicious Paths&rdquo; to identify DLL loads from unusual paths, which can be indicative of DLL hijacking attempts.</li>
<li>Apply appropriate access controls to prevent unauthorized users from writing to AVACAST installation directories.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>dll-hijacking</category><category>privilege-escalation</category><category>code-execution</category></item><item><title>Mobatek MobaXterm Home Edition Uncontrolled Search Path Vulnerability (CVE-2026-6421)</title><link>https://feed.craftedsignal.io/briefs/2026-04-mobaxterm-cve-2026-6421/</link><pubDate>Fri, 17 Apr 2026 06:16:30 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-mobaxterm-cve-2026-6421/</guid><description>CVE-2026-6421 is an uncontrolled search path vulnerability in Mobatek MobaXterm Home Edition up to version 26.1, affecting msimg32.dll, that can be exploited locally with high complexity.</description><content:encoded><![CDATA[<p>Mobatek MobaXterm Home Edition up to version 26.1 is vulnerable to an uncontrolled search path issue (CVE-2026-6421) within the msimg32.dll library. This vulnerability allows a local attacker to manipulate the search path used by the application, potentially leading to arbitrary code execution. The complexity of exploitation is considered high, and it requires local access to the system. The vendor was responsive and released version 26.2 to address the vulnerability, urging users to upgrade. Public exploits are available, increasing the urgency for remediation. This vulnerability matters to defenders because successful exploitation could lead to privilege escalation or the execution of malicious code within the context of the MobaXterm application.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains local access to a system with a vulnerable version (&lt;= 26.1) of MobaXterm Home Edition installed.</li>
<li>The attacker crafts a malicious DLL file (e.g., a replacement msimg32.dll or another DLL that msimg32.dll might load).</li>
<li>The attacker places the malicious DLL in a directory that MobaXterm searches before the legitimate system directories.</li>
<li>The attacker executes MobaXterm.</li>
<li>When MobaXterm loads msimg32.dll, it loads the malicious DLL from the attacker-controlled directory instead of the legitimate system directory due to the uncontrolled search path.</li>
<li>The malicious DLL executes arbitrary code within the context of the MobaXterm process.</li>
<li>The attacker leverages the executed code to perform malicious actions, such as installing malware or escalating privileges.</li>
<li>The attacker achieves persistence or further compromises the system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-6421 allows a local attacker to execute arbitrary code within the context of the MobaXterm process. While the exploit requires local access and is considered to have high complexity, the availability of public exploits increases the risk. The impact of successful exploitation includes potential privilege escalation, malware installation, and further system compromise. Although specific victim counts and sectors targeted are unknown, any system running a vulnerable version of MobaXterm Home Edition is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Mobatek MobaXterm Home Edition to version 26.2 or later to patch CVE-2026-6421, as advised by the vendor.</li>
<li>Implement application control policies to restrict the execution of unauthorized DLLs, mitigating the impact of uncontrolled search path vulnerabilities.</li>
<li>Monitor process creation events for MobaXterm (process name: MobaXterm.exe) loading DLLs from unusual or user-writable directories using the provided Sigma rule.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cve</category><category>vulnerability</category><category>mobaxterm</category><category>dll hijacking</category></item><item><title>MemProcFS DLL and Shared Library Hijacking Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-memprocfs-dll-hijacking/</link><pubDate>Wed, 08 Apr 2026 22:16:23 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-memprocfs-dll-hijacking/</guid><description>MemProcFS before 5.17 is susceptible to DLL and shared-library hijacking due to unsafe library-loading patterns, allowing attackers to achieve arbitrary code execution by placing malicious libraries or manipulating the library search path.</description><content:encoded><![CDATA[<p>MemProcFS before version 5.17 is vulnerable to DLL and shared library hijacking due to unsafe library loading practices. Specifically, the application uses bare-name <code>LoadLibraryU</code> and <code>dlopen</code> calls without proper path qualification for <code>vmmpyc</code>, <code>libMSCompression</code>, and plugin DLLs. This vulnerability, identified as CVE-2026-40031, exists across six attack surfaces. The vulnerability was reported by VulnCheck. Exploitation can occur on both Windows and Linux systems where MemProcFS is installed.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable MemProcFS installation (version &lt; 5.17).</li>
<li>Attacker determines the libraries MemProcFS attempts to load without a fully qualified path, such as <code>vmmpyc</code>, <code>libMSCompression</code>, or plugin DLLs.</li>
<li>Attacker crafts a malicious DLL or shared library with the same name as one of the targeted libraries (e.g., <code>vmmpyc.dll</code> on Windows or <code>libvmmpyc.so</code> on Linux).</li>
<li>Attacker places the malicious library in the same working directory as MemProcFS or manipulates the <code>LD_LIBRARY_PATH</code> environment variable (on Linux) to point to a directory containing the malicious library.</li>
<li>The user executes MemProcFS.</li>
<li>MemProcFS attempts to load the legitimate library using <code>LoadLibraryU</code> or <code>dlopen</code>.</li>
<li>Due to the presence of the malicious library in the working directory or the manipulated <code>LD_LIBRARY_PATH</code>, the malicious library is loaded instead of the intended legitimate library.</li>
<li>The malicious library executes arbitrary code within the context of the MemProcFS process, granting the attacker control over the system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-40031 allows an attacker to achieve arbitrary code execution. While the exact number of victims is unknown, any system running a vulnerable version of MemProcFS is at risk. Given the nature of MemProcFS, successful exploitation could lead to sensitive data exposure or complete system compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade MemProcFS to version 5.17 or later to address the vulnerability (References: <a href="https://github.com/ufrisk/MemProcFS/releases/tag/v5.17">https://github.com/ufrisk/MemProcFS/releases/tag/v5.17</a>).</li>
<li>Monitor process creation events for MemProcFS loading unexpected DLLs or shared libraries from non-standard paths using the provided Sigma rules.</li>
<li>Implement file integrity monitoring for MemProcFS installation directories to detect the presence of newly created DLLs or shared libraries with suspicious names.</li>
<li>Educate users about the risks of running applications from untrusted sources and the importance of verifying the integrity of software before execution.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>dll-hijacking</category><category>library-hijacking</category><category>code-execution</category><category>memprocfs</category><category>cve-2026-40031</category></item><item><title>CVE-2026-3780: Local Privilege Escalation via Untrusted Search Path in Application Installer</title><link>https://feed.craftedsignal.io/briefs/2026-04-untrusted-search-path/</link><pubDate>Wed, 01 Apr 2026 02:16:03 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-untrusted-search-path/</guid><description>An application installer vulnerable to CVE-2026-3780 runs with elevated privileges but resolves system executables and DLLs using an untrusted search path, enabling local privilege escalation by allowing a local attacker to inject malicious binaries.</description><content:encoded><![CDATA[<p>CVE-2026-3780 describes a local privilege escalation vulnerability affecting an application installer. The installer, when executed, operates with elevated privileges. However, it resolves the location of system executables and DLLs using an untrusted search path. This untrusted path includes directories writable by standard users. An attacker can exploit this by placing malicious binaries, named identically to legitimate system files, in these user-writable directories. When the installer attempts to load or execute these system files, the attacker&rsquo;s malicious versions are used instead, due to the flawed search path resolution. This leads to arbitrary code execution with elevated privileges, thereby escalating the attacker&rsquo;s privileges on the local system. This vulnerability was reported in Foxit products and poses a significant risk to systems where the vulnerable installer is executed.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a user-writable directory included in the application installer&rsquo;s search path.</li>
<li>The attacker analyzes the application installer to determine which system executables or DLLs it attempts to load or execute.</li>
<li>The attacker creates malicious binaries that mimic the names of the targeted system files.</li>
<li>The attacker places the malicious binaries into the user-writable directory.</li>
<li>The attacker executes the vulnerable application installer, typically requiring some user interaction (e.g., clicking &ldquo;Install&rdquo;).</li>
<li>The installer, running with elevated privileges, attempts to load or execute the legitimate system files.</li>
<li>Due to the untrusted search path, the installer loads or executes the attacker&rsquo;s malicious binaries instead of the legitimate ones.</li>
<li>The attacker&rsquo;s code executes with elevated privileges, allowing the attacker to perform actions such as creating new accounts, installing software, or modifying system settings, thereby achieving local privilege escalation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-3780 allows a local attacker to gain elevated privileges on the system. This means an attacker with limited access can perform administrative tasks, install malware, access sensitive data, and potentially compromise the entire system. The severity is high because it bypasses normal security controls and can lead to a full system compromise from a limited starting point. This poses a significant risk to any system running the affected application installer.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Detect DLL Hijacking via Installer&rdquo; to detect the creation of malicious DLLs in user-writable directories, referencing the rule details below.</li>
<li>Enable file creation monitoring in user-writable directories (e.g., %TEMP%, %APPDATA%) to provide data for the Sigma rule and to detect suspicious file activity.</li>
<li>Monitor process creation events for the execution of unexpected binaries within the context of the application installer, leveraging the rule &ldquo;Detect Suspicious Process Execution by Installer&rdquo; defined below.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>cve-2026-3780</category><category>untrusted-search-path</category><category>dll-hijacking</category><category>installer</category></item><item><title>Potential Windows Session Hijacking via CcmExec</title><link>https://feed.craftedsignal.io/briefs/2024-07-sccm-dll-hijacking/</link><pubDate>Wed, 03 Jul 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-07-sccm-dll-hijacking/</guid><description>Adversaries may exploit Microsoft's System Center Configuration Manager by loading malicious DLLs into SCNotification.exe, a process associated with user notifications, potentially leading to Windows session hijacking.</description><content:encoded><![CDATA[<p>Attackers may attempt to hijack Windows user sessions by exploiting Microsoft&rsquo;s System Center Configuration Manager (SCCM). This involves loading malicious DLLs into <code>SCNotification.exe</code>, a process responsible for user notifications within the SCCM framework. The vulnerability arises when <code>SCNotification.exe</code> loads untrusted DLLs, potentially impersonating a user session. This activity is often characterized by recent DLL file creation or modification, coupled with the DLL lacking a trusted code signature. The references indicate this technique has been discussed publicly, raising awareness and the potential for increased exploitation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to the target system.</li>
<li>Attacker places a malicious DLL on the system. This DLL may be disguised to appear legitimate.</li>
<li>The attacker manipulates the system to cause <code>SCNotification.exe</code> to load the malicious DLL. This may involve modifying registry keys or file paths.</li>
<li><code>SCNotification.exe</code> loads the attacker-controlled DLL.</li>
<li>The malicious DLL executes within the context of the <code>SCNotification.exe</code> process.</li>
<li>The attacker leverages the hijacked process to impersonate a user session.</li>
<li>Attacker gains unauthorized access to user accounts and data.</li>
<li>Attacker performs malicious actions under the guise of the compromised user, such as data exfiltration or privilege escalation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack could lead to unauthorized access to sensitive data, privilege escalation, and further compromise of the network. Victims could experience data breaches, financial loss, or reputational damage. The impact depends on the extent of access gained by the attacker and the sensitivity of the data accessed.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Potential Windows Session Hijacking via CcmExec&rdquo; to your SIEM to detect suspicious DLL loads by <code>SCNotification.exe</code>.</li>
<li>Investigate alerts triggered by the Sigma rule, focusing on DLLs with recent file creation times or modifications (DLL timestamps) and untrusted signatures.</li>
<li>Implement application whitelisting to prevent unauthorized DLLs from being loaded by <code>SCNotification.exe</code> as described in the remediation steps in the note section.</li>
<li>Monitor process creation events for <code>SCNotification.exe</code> and related processes.</li>
<li>Enable Sysmon process creation logging to enhance visibility into process execution events; this telemetry is what the Sigma rules above rely on.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>defense-evasion</category><category>dll-hijacking</category><category>sccm</category></item><item><title>Suspicious Antimalware Scan Interface DLL Creation</title><link>https://feed.craftedsignal.io/briefs/2024-01-amsi-dll-hijack/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-amsi-dll-hijack/</guid><description>An adversary may attempt to bypass AMSI by creating a rogue AMSI DLL in an unusual location to evade detection.</description><content:encoded><![CDATA[<p>The Antimalware Scan Interface (AMSI) is a Windows interface that allows applications and services to integrate with antimalware products. Attackers may attempt to bypass AMSI to execute malicious code without detection. This detection identifies the creation of the AMSI DLL (<code>amsi.dll</code>) in unusual locations, which is a common technique used to load a rogue AMSI module instead of the legitimate one. This technique can be used to evade detection by security products that rely on AMSI for scanning potentially malicious scripts and code. The rule is designed to work with data from Winlogbeat, Elastic Endpoint, Sysmon, Endgame, SentinelOne Cloud Funnel, Microsoft Defender XDR, and Crowdstrike.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Windows system through various means (e.g., phishing, exploit).</li>
<li>The attacker determines the location of the legitimate <code>amsi.dll</code> file.</li>
<li>The attacker identifies a writable directory where a malicious <code>amsi.dll</code> can be placed. This location must be in the search order of applications that use AMSI, such as PowerShell or other scripting hosts.</li>
<li>The attacker copies or creates a malicious <code>amsi.dll</code> in the identified location. This rogue DLL is designed to bypass or disable AMSI functionality.</li>
<li>A process like PowerShell or another scripting host is launched. Because the malicious <code>amsi.dll</code> is in a higher-priority directory, it is loaded instead of the legitimate AMSI library.</li>
<li>The launched process executes malicious code (e.g., PowerShell script).</li>
<li>Because the rogue <code>amsi.dll</code> is loaded, AMSI scans are bypassed, allowing the malicious code to execute without detection.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful AMSI bypass can allow attackers to execute malicious code, such as malware, scripts, or exploits, without detection by antimalware products. This can lead to system compromise, data theft, or other malicious activities. The impact can range from a single compromised endpoint to a wider breach of an organization&rsquo;s network.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable file creation monitoring with Sysmon or Elastic Defend to detect the creation of files, specifically DLLs, in unusual locations.</li>
<li>Deploy the Sigma rule &ldquo;Suspicious Antimalware Scan Interface DLL Creation&rdquo; to your SIEM to detect the creation of <code>amsi.dll</code> in non-standard paths. Tune the rule for your environment.</li>
<li>Investigate any alerts generated by the Sigma rule by examining the parent process, file path, and user context to determine if the activity is malicious.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>defense-evasion</category><category>amsi-bypass</category><category>dll-hijacking</category><category>windows</category></item><item><title>Execution via Local SxS Shared Module</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-local-sxs-dll-execution/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-local-sxs-dll-execution/</guid><description>This rule detects the creation, modification, or deletion of DLL files within Windows SxS local folders, which could indicate an attempt to execute malicious payloads by abusing shared module loading.</description><content:encoded><![CDATA[<p>This detection identifies potential abuse of the Windows Side-by-Side (SxS) feature to execute malicious code. Attackers can place a malicious DLL file within an application&rsquo;s local SxS folder (application.exe.local) and trick the Windows module loader into prioritizing it over legitimate system DLLs. This technique, known as DLL hijacking or DLL redirection, allows adversaries to gain arbitrary code execution within the context of the targeted application. This technique may be used to bypass security controls, escalate privileges, or establish persistence. The detection focuses on file events related to DLLs within these specific SxS folders.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).</li>
<li>The attacker identifies a legitimate application with an associated SxS folder (application.exe.local).</li>
<li>The attacker creates or modifies a malicious DLL file.</li>
<li>The attacker places the malicious DLL file in the application&rsquo;s SxS folder (application.exe.local).</li>
<li>A legitimate application attempts to load a DLL.</li>
<li>Due to the presence of the malicious DLL in the SxS folder, the Windows module loader prioritizes the attacker&rsquo;s DLL.</li>
<li>The malicious DLL is loaded and executed by the application.</li>
<li>The attacker achieves code execution within the context of the application.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to arbitrary code execution within the targeted application&rsquo;s context. This can result in privilege escalation, data theft, system compromise, or the establishment of persistence mechanisms. While the number of directly affected organizations is unknown, this technique can be used against a wide range of applications on Windows systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor file creation events for DLL files in <code>C:\*\*.exe.local\*.dll</code> and <code>\\Device\\HarddiskVolume*\\*\\*.exe.local\\*.dll</code> using the provided Sigma rule to detect potential malicious DLL planting.</li>
<li>Enable Sysmon Event ID 11 (File Create) to improve visibility into file creation events, as noted in the <a href="https://ela.st/sysmon-event-11-setup">setup instructions</a>.</li>
<li>Investigate any alerts generated by the Sigma rule to determine the legitimacy of the DLL creation event and the involved application.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>execution</category><category>defense-evasion</category><category>dll-hijacking</category></item></channel></rss>