"Detecting and Defending Against DLL Sideloading Attacks"

Dynamic-Link Library (DLL) sideloading, also known as DLL hijacking, often gets overlooked. However, because these flaws are widespread and exploits for them are easy to develop, they are valuable to adversaries. Many Windows services are currently vulnerable to these attacks. In a detailed analysis of 23 files identified as MuddyWater tools, the FBI, the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA), the US Cyber Command Cyber National Mission Force, the National Security Agency (NSA), and the UK's National Cyber Security Center found a DLL file renamed to a legitimate filename in order to enable the DLL sideloading technique. In a DLL sideloading attack, the threat actor places a malicious DLL file in the same directory as a trusted EXE. If the EXE tries to load a DLL with that name, the attacker's DLL is loaded instead. In many cases, the attacker does not need to know which functions the EXE intends to call in the DLL, because a DLL can be written to run code immediately when it is loaded. The loader behaves this way by design, so any user account that runs the affected EXE is at risk of compromise. The issue is particularly serious for Windows services, because service configurations let an attacker force the load simply by adding a malicious DLL and restarting the service, possibly with nothing more than a reboot. The required level of sophistication is low, and a single DLL sideloading exploit kit can be used against almost any software whose installation folder has unsafe permissions. This article continues to discuss DLL sideloading attacks and how to stay ahead of them.
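The precondition the summary describes, a service whose installation folder has unsafe permissions, is something a defender can audit directly. The following PowerShell script is an added example and is not code from the Security Boulevard article or from any of the agencies named above. It enumerates installed services, extracts each service's executable path from the service configuration, and reports any access-control entries that grant write or modify rights on that executable's directory to low-privilege principals (the list of principals and the set of rights treated as "write" are assumptions chosen as a reasonable baseline; adjust them for your environment). It uses only built-in cmdlets and should be run from an elevated session so that every service's ACL can be read.

```powershell
# Added example (not from the original article): find Windows services whose
# binary directory can be written to by low-privilege principals, which is the
# condition that makes DLL sideloading against a service possible.
# Assumption: running in an elevated PowerShell 5.1+ session on Windows.

# Principals that should never hold write rights on a service's binary folder.
# Assumption: baseline list; extend with any broad groups used in your domain.
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow creating or replacing a file inside the directory.
$writeRights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor
               [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-ServiceBinaryPath {
    # Pull the executable path out of a Win32_Service PathName value, which may be
    # quoted ("C:\Program Files\X\svc.exe" -arg) or unquoted (C:\dir\svc.exe -k net).
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $null
    }
    # Unquoted path: cut at the first ".exe" so spaces in arguments are ignored.
    $idx = $p.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($idx -ge 0) { return $p.Substring(0, $idx + 4) }
    return ($p -split '\s+')[0]
}

function Get-WeakDirectoryAce {
    # Return every Allow ACE on the directory that gives a low-privilege principal
    # some form of write access. Unreadable ACLs are reported as no findings.
    param([string]$Directory)
    try {
        $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop
    } catch {
        return @()
    }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPrivPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band [int]$writeRights) -ne 0)
    }
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ServiceBinaryPath -PathName $svc.PathName
    if (-not $exe) { continue }
    $dir = Split-Path -Path $exe -Parent
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($ace in (Get-WeakDirectoryAce -Directory $dir)) {
        [pscustomobject]@{
            Service   = $svc.Name
            StartMode = $svc.StartMode
            RunsAs    = $svc.StartName
            Directory = $dir
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
        }
    }
}

if ($findings) {
    $findings | Sort-Object Service, Principal | Format-Table -AutoSize
} else {
    Write-Output 'No service binary directories writable by low-privilege principals were found.'
}
```

Each row is a service whose install folder a standard user could drop files into; the fix is to tighten the directory ACL so that only administrators and the installer account can write there, and to confirm the service's own account does not need write access to its binary folder. The script inspects only the directory that holds the executable, which is where a sideloaded DLL would have to be placed; it does not check subfolders or the DLL search order, so treat a clean result as one input to a review rather than proof that a service is safe.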

Security Boulevard reports "Detecting and Defending Against DLL Sideloading Attacks"
