Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Windows 10 Detects Reflective DLL Loading: Microsoft

Windows 10 Creators Update can detect reflective Dynamic-Link Library (DLL) loading in a variety of high-risk processes, including browsers and productivity software, Microsoft says.

Windows 10 Creators Update can detect reflective Dynamic-Link Library (DLL) loading in a variety of high-risk processes, including browsers and productivity software, Microsoft says.

This is possible because of function calls (VirtualAlloc and VirtualProtect) related to procuring executable memory, which generate signals for Windows Defender Advanced Threat Protection (Windows Defender ATP).

Reflective DLL loading, the software giant explains, relies on loading a DLL into a process memory without using the Windows loader. First described in 2008, the method allows for the loading of a DLL into a process even if the DLL isn’t registered with the process.

The technique is employed by modern attacks to avoid detection, although the operation is not trivial, as it requires the use of a custom loader that can write the DLL into memory and then resolve its imports and/or its relocation.

What motivates attackers to use the method, Microsoft says, is that reflectively loading a DLL doesn’t require the DLL to reside on disk, and the library that is loaded may not be readily visible without forensic analysis, especially because it is not written to disk.

“A crucial aspect of reflectively loading a DLL is to have executable memory available for the DLL code. This can be accomplished by taking existing memory and changing its protection flags or by allocating new executable memory. Memory procured for DLL code is the primary signal we use to identify reflective DLL loading,” Christian Seifert, Windows Defender ATP Research, explains.

The detection model used in Windows 10 first learns about the normal allocations of a process, then it determines that a process associated with malicious activity allocates executable memory that deviates from the normal behavior. The model is meant to prove that memory events can be used as the primary signal for detecting reflective DLL loading, Seifert says.

The real model, however, also includes various other features, such as allocation size, allocation history, thread information, allocation flags, and the like. It also takes into consideration variations in application behavior, so its effectiveness is increased through additional behavioral signals, such as network connection behavior.

Advertisement. Scroll to continue reading.

In an attack scenario where the victim opens a malicious Word document from a file share and enables macro code to run, the Word process connects to the attacker-specified command and control (C&C) server to fetch the DLL to be reflectively loaded. Once the loading has been completed, it connects to the C&C and provides command line access to the victim machine.

Windows Defender ATP, Microsoft says, identifies the memory allocations as abnormal and alerts on the matter, providing context on the document and information on the C&C communication. Similarly, Microsoft Office 365 Advanced Threat Protection prevents such attacks through dynamic behavior matching.

Seifert also points out that Windows Defender ATP is a post-breach solution designed to alert on detected hostile activity. It can also provide detailed event timelines and other contextual information for attack analysis, the researcher says.

Related: Windows 10 Exploit Guard Boosts Endpoint Defenses


Related: Windows 10 Boosts Protections Against Code Injection Attacks

Related: Windows 10 Can Detect PowerShell Attacks: Microsoft

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Former Darktrace CEO Poppy Gustafsson has joined the UK government as Minister for Investment.

Nupur Goyal has joined cloud identity security and management solutions provider Saviynt as VP of Product Marketing.

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.