DLL Hijacking, being a well-known technique for executing malicious payloads via trusted executables, has been scrutinised extensively, to the point where defensive measures are in a much better position to detect abuse. To bypass detection, stealthier and harder-to-detect alternatives have come into play.
In this presentation, we will take a closer look at how process-level Environment Variables can be abused for taking over legitimate applications.
Taking a systemic approach, we will demonstrate that over 80 Windows-native executables are vulnerable to this special type of DLL Hijacking. As this raises additional opportunities for User Account Control (UAC) bypass and Privilege Escalation, we will discuss the value and further implications of this technique and these findings. We will also look at preventative and defensive measures, especially for this type of DLL Hijacking, but also for DLL Hijacking more broadly.
This session will be held by Wietze Beukema. Wietze (https://www.twitter.com/wietze) has been hacking around with computers for years. Originally from the Netherlands, he currently works at CrowdStrike in London.
As a threat hunting enthusiast and security researcher, he has presented his findings on topics including attacker emulation, command-line obfuscation and DLL Hijacking at a variety of security conferences. By sharing his research, publishing related tools and his involvement in open-source initiatives such as the LOLBAS project, he aims to give back to the community he learnt so much from.
This is the session you want miss if you want to learn more how to secure your applications!