Profiling System32 Binaries to Detect DLL Search Order Hijacking
Creating an extensive library of System32 binary metadata to help threat hunters recognize malicious DLL behavior, masquerading, and DLL Search Order Hijacking.
Originally published on Red Canary Blog
Co-authored with Shane Welcher
Read the full article: Profiling System32 Binaries
The Problem
DLL Search Order Hijacking (T1574.001) involves adversaries moving a legitimate system binary into an unusual directory alongside a malicious DLL, so that the Windows loader resolves one of the binary's imports from that directory before it reaches the genuine system DLL. Adversaries frequently switch up which binaries they abuse, creating a cat-and-mouse game.
Our Solution
Instead of playing whack-a-mole with individual binaries, we created an extensive library of System32 binary metadata. We baselined all binaries within System32 and SysWOW64 to create bulk coverage.
The Approach
- Baseline System32 - Used PowerShell to enumerate all binaries and their metadata
- Build Detection Library - Created a process metadata store with expected behaviors
- Automated Testing - Moved every System32 binary to validate detection logic
- Production Deployment - Implemented detection for 483 binaries
Results
Since implementing this bulk detection coverage, we identified adversaries abusing 114 unique binaries to perform DLL Search Order Hijacking or other malicious activity.
Detection Logic
We monitor for relocated instances of system binaries. When a binary executes from an unexpected path, we validate:
- Expected process names
- Internal names
- File descriptions
- Publishers
- Process paths
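As an added example (not Red Canary's own tooling), the following PowerShell script carries out the baseline step described under The Approach and the comparison described under Detection Logic: it records version metadata and signer for every System32/SysWOW64 executable, then classifies a constructed process-execution record as expected, relocated (same metadata, unexpected path) or masquerading (same name, different metadata). It assumes Windows PowerShell 5.1 or later with read access to %windir%; the record field names are the example's own.

```powershell
# Added example, not Red Canary's code: baseline System32/SysWOW64 executables,
# then judge a process record against the stored metadata.
function New-System32Baseline {
    param([string[]]$Directories = @("$env:windir\System32", "$env:windir\SysWOW64"))
    $baseline = @{}
    foreach ($dir in $Directories) {
        Get-ChildItem -Path $dir -Filter *.exe -File -ErrorAction SilentlyContinue | ForEach-Object {
            $vi   = $_.VersionInfo
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $name = $_.Name.ToLowerInvariant()
            $entry = [pscustomobject]@{
                Path            = $_.FullName
                InternalName    = $vi.InternalName
                FileDescription = $vi.FileDescription
                CompanyName     = $vi.CompanyName
                Signer          = $sig.SignerCertificate.Subject
            }
            # The same name may legitimately exist in both directories, so keep a list per name.
            if ($baseline.ContainsKey($name)) { $baseline[$name] += $entry } else { $baseline[$name] = @($entry) }
        }
    }
    return $baseline
}

function Test-SystemBinaryRecord {
    # $Record is a process-execution record with Path, InternalName, FileDescription, CompanyName, Signer.
    param([hashtable]$Baseline, [pscustomobject]$Record)
    $name = [IO.Path]::GetFileName($Record.Path).ToLowerInvariant()
    if (-not $Baseline.ContainsKey($name)) { return 'not-a-system32-name' }
    $known = $Baseline[$name]
    if ($known.Path -contains $Record.Path) { return 'expected-path' }
    # Unexpected path: compare every metadata field the baseline holds for this name.
    $metadataMatches = $known | Where-Object {
        $_.InternalName -eq $Record.InternalName -and $_.FileDescription -eq $Record.FileDescription -and
        $_.CompanyName  -eq $Record.CompanyName  -and $_.Signer -eq $Record.Signer
    }
    if ($metadataMatches) { return 'relocated-system-binary' }   # genuine binary in an odd directory: hijack candidate
    return 'masquerading'                                         # system name on a file with different metadata
}

# Demo with a constructed record: the first baselined name, as if copied to a user-writable directory.
$baseline = New-System32Baseline
$sample   = $baseline[($baseline.Keys | Select-Object -First 1)][0]
$record   = [pscustomobject]@{ Path = "C:\Users\Public\$([IO.Path]::GetFileName($sample.Path))"
    InternalName = $sample.InternalName; FileDescription = $sample.FileDescription
    CompanyName  = $sample.CompanyName;  Signer = $sample.Signer }
Test-SystemBinaryRecord -Baseline $baseline -Record $record
```

Signature checks make the baseline slow to build, so persist it (for example with Export-Clixml) and rebuild only after patching.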
Impact
This detection approach catches:
- DLL Search Order Hijacking
- Binary masquerading
- AppDomainManager injection
- Adversaries dropping system binaries for exploitation
Read the full technical details: Profiling System32 Binaries