They thus are a persistent attack vector the core architecture would have to change to address the issue. Microsoft binaries rely on DLLs for proper functionality. According to Microsoft, the reason for using shared libraries (DLLs) is to promote code reuse, modularization and faster loading of libraries shared by multiple applications. Much of the functionalities of the Windows operating system comes from dynamic linked libraries. In order to understand this attack vector, it was necessary to go back to Windows internals. What is a DLL and why do we want to monitor them? In this article, we will review the technical background and the Hunting Process that lead us to find the vulnerability and improve our detection. The finding made us aware of the risks of having third-party application installed on our end points and that blindly whitelisting unsigned DLLs was a bad idea. We decided to write a proof of concept exploit to demonstrate how an adversary could leverage this flaw on the affected end points and to help us build automated detection for future occurrence of this type of behavior. We identified a few end points that had versions of Notepad++ that were vulnerable. Our investigations lead us to discover that several older versions of Notepad++ were vulnerable to an attack called DLL Hijacking ( T1038). Some of us had heard of malicious plugins (DLL), so we decided to search the web for documented cases of exploitation. In the case of Notepad++, we made some research to see if it could be exploited as we had not built any alert specifically targeting the exploitation of well-known third-party software. As part of our Hunting Process we make hypotheses regarding various possible vectors of attack in our network. Notepad++ being a common tool to edit files on end points, we pondered whether to whitelist its DLLs but decided not to whitelist applications unless we are 100% certain there is no risk. We quickly identified that Notepad++ was loading unsigned DLLs. As part of our Hunting Activities, we decided to Hunt for DLL Side Loading ( T1073).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |