utiluniclient.dll

Part of the DLL iconHijack Libs project.

Type
Phantom DLL Hijacking (1 EXE)
By copying a malicious utiluniclient.dll to a specific location, a vulnerable application will execute the malicious DLL's code upon normal execution. See also MITRE ATT&CK® technique T1574.001: Hijack Execution Flow: DLL Search Order Hijacking.
Vendor
Trend Micro
Resources
CVE ®
CVE-2019-15628
Last updated
Unknown

Expected Locations

The file utiluniclient.dll is a phantom DLL, meaning it normally doesn't exist.

Vulnerable Executables

The following executable attempts to load utiluniclient.dll:

Detection

Below a sample Sigma rule that will find processes that loaded utiluniclient.dll located in a folder that is not one of the expected locations (see above). 
title: Possible DLL Hijacking of utiluniclient.dll
id: 8929171b-5805-48a3-6769-5b9ff8388944
status: experimental
description: Detects possible DLL hijacking of utiluniclient.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/trendmicro/utiluniclient.html
author: "Wietze Beukema"
date: 2021-02-28
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded: '*\utiluniclient.dll'

    condition: selection 
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
title: Possible preparation for utiluniclient.dll DLL Hijacking
id: 8929172b-5805-48a3-6769-5b9ff8388944
status: experimental
description: Detects possible DLL hijacking of utiluniclient.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
    - https://hijacklibs.net/entries/3rd_party/trendmicro/utiluniclient.html
author: "Wietze Beukema"
date: 2021-02-28
tags:
    - attack.defense_evasion
    - attack.T1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFileName: '*\utiluniclient.dll'

    condition: selection 
falsepositives:
    - False positives are likely. This rule is more suitable for hunting than for generating detections.
Image File
Download YAML
Note that this rule is also included in the Sigma feed that comprises all DLL Hijacking entries part of this project.

FAQs

Why should I care about this?
DLL Hijacking enables the execution of malicious code through a signed and/or trusted executable. Defensive measures such as AV and EDR solutions may not pick up on this activity out of the box, and allow-list applications such as AppLocker may not block the execution of the untrusted code. There are numerous examples of threat actors that have been observed to leaverage DLL Hijacking to achieve their objectives. As such, this project wants to encourage you to monitor for unusual activity involving utiluniclient.dll.

How do I abuse this vulnerability?
As a red teamer, you will have to compile your own version of utiluniclient.dll. There are various guides on how this can be achieved.

How could the vendor have prevented this vulnerability?
Phantom DLL Hijacking vulnerabilities are typically introduced due to human error: for example, a typo may cause an executable to attempt to load a non-existing DLL; similarly, the removal of a DLL without removing the reference in the depending application will result in the same. Better (code coverage) testing and unused dependency detection may aid in catching potential Phantom DLL vulnerabilities from being introduced.

This DLL Hijack doesn't seem to work (anymore), why is it still included?
Luckily, vendors regularly patch vulnerable applications in order to prevent DLL Hijacking from taking place. Nevertheless, older versions will remain vulnerable; for that reason, the entry won't be deleted from this project. To help others, you may want to open a pull request updating the 'precondition' tag on this entry to make the community aware of the reduced scope.

Homepage | API | Contributors