DLL Hijacking, being a well-known technique for executing malicious payloads via trusted executables, has been scrutinised extensively, to the point where defensive measures are in a much better position to detect abuse. To bypass detection, stealthier and harder-to-detect alternatives have come into play.
In this presentation, we will take a closer look at how process-level Environment Variables can be abused to take over legitimate applications.
Taking a systematic approach, we will demonstrate that over 80 Windows-native executables are vulnerable to this special type of DLL Hijacking. As this raises additional opportunities for User Account Control (UAC) bypass and Privilege Escalation, we will discuss the value and further implications of this technique and these findings. We will also look at preventative and defensive measures, not only for this type of DLL Hijacking but also for DLL Hijacking more broadly.
We will look at the success and practical use of HijackLibs.net, an open-source platform I launched on the back of this research.