Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

Windows 10 Detects Reflective DLL Loading: Microsoft

Windows 10 Creators Update can detect reflective Dynamic-Link Library (DLL) loading in a variety of high-risk processes, including browsers and productivity software, Microsoft says.

Windows 10 Creators Update can detect reflective Dynamic-Link Library (DLL) loading in a variety of high-risk processes, including browsers and productivity software, Microsoft says.

This is possible because of function calls (VirtualAlloc and VirtualProtect) related to procuring executable memory, which generate signals for Windows Defender Advanced Threat Protection (Windows Defender ATP).

Reflective DLL loading, the software giant explains, relies on loading a DLL into a process memory without using the Windows loader. First described in 2008, the method allows for the loading of a DLL into a process even if the DLL isn’t registered with the process.

The technique is employed by modern attacks to avoid detection, although the operation is not trivial, as it requires the use of a custom loader that can write the DLL into memory and then resolve its imports and/or its relocation.

What motivates attackers to use the method, Microsoft says, is that reflectively loading a DLL doesn’t require the DLL to reside on disk, and the library that is loaded may not be readily visible without forensic analysis, especially because it is not written to disk.

“A crucial aspect of reflectively loading a DLL is to have executable memory available for the DLL code. This can be accomplished by taking existing memory and changing its protection flags or by allocating new executable memory. Memory procured for DLL code is the primary signal we use to identify reflective DLL loading,” Christian Seifert, Windows Defender ATP Research, explains.

The detection model used in Windows 10 first learns about the normal allocations of a process, then it determines that a process associated with malicious activity allocates executable memory that deviates from the normal behavior. The model is meant to prove that memory events can be used as the primary signal for detecting reflective DLL loading, Seifert says.

The real model, however, also includes various other features, such as allocation size, allocation history, thread information, allocation flags, and the like. It also takes into consideration variations in application behavior, so its effectiveness is increased through additional behavioral signals, such as network connection behavior.

In an attack scenario where the victim opens a malicious Word document from a file share and enables macro code to run, the Word process connects to the attacker-specified command and control (C&C) server to fetch the DLL to be reflectively loaded. Once the loading has been completed, it connects to the C&C and provides command line access to the victim machine.

Windows Defender ATP, Microsoft says, identifies the memory allocations as abnormal and alerts on the matter, providing context on the document and information on the C&C communication. Similarly, Microsoft Office 365 Advanced Threat Protection prevents such attacks through dynamic behavior matching.

Seifert also points out that Windows Defender ATP is a post-breach solution designed to alert on detected hostile activity. It can also provide detailed event timelines and other contextual information for attack analysis, the researcher says.

Related: Windows 10 Exploit Guard Boosts Endpoint Defenses

Related: Windows 10 Boosts Protections Against Code Injection Attacks

Related: Windows 10 Can Detect PowerShell Attacks: Microsoft

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Computer maker Lenovo has started pushing security patches to address three vulnerabilities impacting the UEFI firmware of more than 110 laptop models.

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Google’s Threat Analysis Group (TAG) has shared technical details on an Internet Explorer zero-day vulnerability exploited in attacks by North Korean hacking group APT37.

Application Security

Big-game malware hunters at Volexity are shining the spotlight on a sophisticated Chinese APT caught recently exploiting a Sophos firewall zero-day to plant backdoors...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Microsoft’s security patching machine hummed into overdrive Tuesday with the release of fixes for at least 97 documented software vulnerabilities, including a zero-day that’s...