Connect with us

Hi, what are you looking for?



New DLL Search Order Hijacking Technique Targets WinSxS Folder

Attackers can abuse a new DLL search order hijacking technique to execute code in applications within the WinSxS folder.

A new DLL search order hijacking technique allows adversaries to load and execute malicious code in applications within Windows’ WinSxS folder, incident response company Security Joes reports.

Typically, DLL search order hijacking abuses applications that do not specify the full path of a required library or file, but rely on a predefined search order to locate it.

Attackers place a malicious DLL in a folder prioritized in the search order, typically in the application’s working directory, so that it is loaded before the legitimate library the application needs. In some instances, the attackers also drop a legitimate but vulnerable application to abuse for DLL loading.

“Manipulating this loading process allows threat actors to inject and execute unauthorized code within the memory space of a trusted process, effectively deceiving security tools and analysts,” Security Joes explains.

According to the cybersecurity firm, attackers can deliberately target files located in the WinSxS folder to make their attacks stealthier while eliminating the need for dropping additional binaries or obtaining high privileges to execute code within applications located in a Windows folder.

The WinSxS (Windows Side by Side) folder stores various versions of important system files, including DLLs, ensuring application compatibility and system integrity, and facilitating the activation or deactivation of Windows features without additional installations.

“In practical terms, during the installation of Windows components, updates, or software applications, files are systematically stored in the WinSxS directory. This directory acts as a centralized repository for system files, particularly DLLs,” Security Joes explains.

As part of its research, the cybersecurity firm first identified a vulnerable binary within the WinSxS folder, then abused Windows’ behavior when searching for system files to ensure that a crafted DLL placed in a custom folder on the desktop is loaded by the binary using DLL search order hijacking.

Advertisement. Scroll to continue reading.

“In addition to the custom DLL, we have also developed an executable with the sole purpose of executing all other binaries located in the WinSxS folder and monitoring their operations. This executable is designed to identify vulnerable files residing in the WinSxS folder,” the cybersecurity firm says.

Some of the binaries in the WinSxS folder, the company discovered, were searching for DLLs in the custom desktop folder, suggesting that they would load the crafted library if it was to be renamed to match the expected DLL file the executables were searching for.

According to Security Joes, an attacker could launch a command from a shell that uses the custom folder as the working directory, without having to move the vulnerable binary outside the WinSxS folder.

“This action will lead the targeted binary to execute our DLL since it will only locate it inside our directory. This highlights the power of our implementation, which only requires a command line and a DLL to be injected,” Security Joes notes.

By relying on vulnerable executables located in WinSxS, this technique improves and simplifies the infection chain relying on DLL search order hijacking, as it eliminates the need for dropping a vulnerable application. Furthermore, the technique can be used to target Windows 10 and 11 systems, the cybersecurity firm points out. 

Related: North Korean Hackers Exploiting Recent TeamCity Vulnerability

Related: Russia-Linked APT29 Uses New Malware in Embassy Attacks

Related: Trend Micro Patches Vulnerability Exploited by Chinese Cyberspies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.