Windows DLLs: Attacks in a Nutshell

Let’s continue our series on Uncovering Attacks by discussing Windows DLLs and a few of the attack vectors relevant to them.

What are DLLs?

DLL Search Order

Introducing ‘DLL Hijacking’

AppInit DLLs

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DLL Forwarding

Mitigation of Attacks

Execution Prevention

Restrict Library Loading

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDLLSearchMode

Disable LoadAppInit_DLLs

Conclusion

Hi, I’m Syed. Explore my articles as I embark on this journey of learning more about Forensics, Threat Hunting, and Cyber-threat Intelligence.