Presented at
DEF CON 30 (2022),
Aug. 14, 2022, 11 a.m.
(45 minutes).
DLL Hijacking, being a well-known technique for executing malicious
payloads via trusted executables, has been scrutinised extensively, to
the point where defensive measures are in a much better position to
detect abuse. To bypass detection, stealthier and harder-to-detect
alternatives need to come into play.
In this presentation, we will take a closer look at how process-level
Environment Variables can be abused for taking over legitimate
applications. Taking a systemic approach, we will demonstrate that over
80 Windows-native executables are vulnerable to this special type of
DLL Hijacking. As this raises additional opportunities for User Account
Control (UAC) bypass and Privilege Escalation, we will discuss the
value and further implications of this technique and these findings.
Presenters:
-
Wietze Beukema
- Threat Detection & Response at CrowdStrike
Wietze has been hacking around with computers for years. Originally from the Netherlands, he currently works in Threat Detection & Response at CrowdStrike in London. As a threat hunting enthusiast and security researcher, he has presented his findings on topics including attacker emulation, command-line obfuscation and DLL Hijacking at a variety of security conferences. By sharing his research, publishing related tools and his involvement in the open source LOLBAS project, he aims to give back to the community he learnt so much from.
Links:
Similar Presentations: