dbghelp.dll
There are executables that allow dbghelp.dll to be DLL hijacked.

Expected Locations
The file dbghelp.dll is normally found in the following paths (%PROGRAMFILES% covers both Program Files and Program Files (x86); %VERSION% stands for the installed Office version folder):
%PROGRAMFILES%\windows kits\10\debuggers\arm
%PROGRAMFILES%\windows kits\10\debuggers\arm\srcsrv
%PROGRAMFILES%\windows kits\10\debuggers\arm64
%PROGRAMFILES%\windows kits\10\debuggers\arm64\srcsrv
%PROGRAMFILES%\windows kits\10\debuggers\x64
%PROGRAMFILES%\windows kits\10\debuggers\x64\srcsrv
%PROGRAMFILES%\windows kits\10\debuggers\x86
%PROGRAMFILES%\windows kits\10\debuggers\x86\srcsrv
%PROGRAMFILES%\cisco systems\cisco jabber
%PROGRAMFILES%\microsoft office\root\office%VERSION%
%PROGRAMFILES%\microsoft office\root\vfs\programfilesx86\microsoft analysis services\as oledb\140
%SYSTEM32%
%SYSWOW64%
Vulnerable Executables
DLL Sideloading (6 EXEs)
By copying (and optionally renaming) any of the following vulnerable applications to a user-writable folder, together with a malicious dbghelp.dll, arbitrary code can be executed in the context of that application: the copied executable keeps its legitimate signature, while the DLL it picks up from its own directory is the attacker's.
Environment Variable-based DLL Hijacking (11 EXEs)
By changing the %WINDIR% environment variable to an attacker-controlled directory, it is possible to trick any of the following vulnerable applications into loading a malicious dbghelp.dll from the attacker-controlled location (the application resolves the DLL relative to %WINDIR%, so a directory tree such as <attacker dir>\System32\dbghelp.dll is picked up instead of the real one). Note that only processes started with the modified environment are affected, so the practical impact depends on getting a higher-privileged instance of the target to start with that environment; launching it yourself only runs the DLL in your own security context.
%SYSTEM32%\bdehdcfg.exe (by changing %WINDIR%)
%SYSTEM32%\deploymentcsphelper.exe (by changing %WINDIR%)
%SYSTEM32%\djoin.exe (by changing %WINDIR%)
%SYSTEM32%\dnscacheugc.exe (by changing %WINDIR%)
%SYSTEM32%\ieunatt.exe (by changing %WINDIR%)
%SYSTEM32%\muiunattend.exe (by changing %WINDIR%)
%SYSTEM32%\netbtugc.exe (by changing %WINDIR%)
%SYSTEM32%\netiougc.exe (by changing %WINDIR%)
%SYSTEM32%\pnpunattend.exe (by changing %WINDIR%)
%SYSTEM32%\reagentc.exe (by changing %WINDIR%)
%SYSTEM32%\setupugc.exe (by changing %WINDIR%)
Detection
Below are sample Sigma rules. The first finds processes that loaded dbghelp.dll from a folder that is not one of the expected locations (see above); the second finds dbghelp.dll being written to an unexpected location (preparation for a hijack); the third finds loaded copies of dbghelp.dll whose signature data does not match the known Microsoft signer, wherever they live.
title: Possible DLL Hijacking of dbghelp.dll
id: 7256631b-9395-48a3-4833-5b9ff8211460
status: experimental
description: Detects possible DLL hijacking of dbghelp.dll by looking for suspicious image loads, loading this DLL from unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/dbghelp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.001
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\dbghelp.dll'
  filter:
    ImageLoaded:
      - 'c:\program files\windows kits\10\debuggers\arm\\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\arm\\*'
      - 'c:\program files\windows kits\10\debuggers\arm\srcsrv\\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\arm\srcsrv\\*'
      - 'c:\program files\windows kits\10\debuggers\arm64\\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\arm64\\*'
      - 'c:\program files\windows kits\10\debuggers\arm64\srcsrv\\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\arm64\srcsrv\\*'
      - 'c:\program files\windows kits\10\debuggers\x64\\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\x64\\*'
      - 'c:\program files\windows kits\10\debuggers\x64\srcsrv\\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\x64\srcsrv\\*'
      - 'c:\program files\windows kits\10\debuggers\x86\\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\x86\\*'
      - 'c:\program files\windows kits\10\debuggers\x86\srcsrv\\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\x86\srcsrv\\*'
      - 'c:\program files\cisco systems\cisco jabber\\*'
      - 'c:\program files (x86)\cisco systems\cisco jabber\\*'
      - 'c:\program files\microsoft office\root\office*\\*'
      - 'c:\program files (x86)\microsoft office\root\office*\\*'
      - 'c:\program files\microsoft office\root\vfs\programfilesx86\microsoft analysis services\as oledb\140\\*'
      - 'c:\program files (x86)\microsoft office\root\vfs\programfilesx86\microsoft analysis services\as oledb\140\\*'
      - 'c:\windows\system32\\*'
      - 'c:\windows\syswow64\\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.

title: Possible preparation for dbghelp.dll DLL Hijacking
id: 7256632b-9395-48a3-4833-5b9ff8211460
status: experimental
description: Detects possible DLL hijacking of dbghelp.dll by looking for suspicious file writes of this DLL, to unexpected locations.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/dbghelp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.001
logsource:
  product: windows
  category: file_event
detection:
  selection:
    TargetFilename: '*\dbghelp.dll'
  filter:
    TargetFilename:
      - 'c:\program files\windows kits\10\debuggers\arm\\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\arm\\*'
      - 'c:\program files\windows kits\10\debuggers\arm\srcsrv\\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\arm\srcsrv\\*'
      - 'c:\program files\windows kits\10\debuggers\arm64\\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\arm64\\*'
      - 'c:\program files\windows kits\10\debuggers\arm64\srcsrv\\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\arm64\srcsrv\\*'
      - 'c:\program files\windows kits\10\debuggers\x64\\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\x64\\*'
      - 'c:\program files\windows kits\10\debuggers\x64\srcsrv\\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\x64\srcsrv\\*'
      - 'c:\program files\windows kits\10\debuggers\x86\\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\x86\\*'
      - 'c:\program files\windows kits\10\debuggers\x86\srcsrv\\*'
      - 'c:\program files (x86)\windows kits\10\debuggers\x86\srcsrv\\*'
      - 'c:\program files\cisco systems\cisco jabber\\*'
      - 'c:\program files (x86)\cisco systems\cisco jabber\\*'
      - 'c:\program files\microsoft office\root\office*\\*'
      - 'c:\program files (x86)\microsoft office\root\office*\\*'
      - 'c:\program files\microsoft office\root\vfs\programfilesx86\microsoft analysis services\as oledb\140\\*'
      - 'c:\program files (x86)\microsoft office\root\vfs\programfilesx86\microsoft analysis services\as oledb\140\\*'
      - 'c:\windows\system32\\*'
      - 'c:\windows\syswow64\\*'
      - 'c:\windows\winsxs\*'
      - 'c:\$windows.~bt\*'
      - 'c:\windows\softwaredistribution\*'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.

title: Possibly malicious versions of dbghelp.dll
id: 7256633b-9395-48a3-4833-5b9ff8211460
status: experimental
description: Detects possible DLL hijacking of dbghelp.dll by looking for versions not meeting the known signature data.
references:
  - https://hijacklibs.net/entries/microsoft/built-in/dbghelp.html
author: "Wietze Beukema"
date: 2021-02-27
tags:
  - attack.defense_evasion
  - attack.T1574.001
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded: '*\dbghelp.dll'
  filter:
    Signed: 'true'
    SignatureStatus: 'signed'
    Signature|contains:
      - 'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
  condition: selection and not filter
falsepositives:
  - False positives are likely. This rule is more suitable for hunting than for generating detections.

The filter in this last rule is a single map, so all three signature conditions must hold for a load to be excluded; a copy that is unsigned, has an invalid signature, or is signed by anyone other than Microsoft Windows is surfaced regardless of where it sits on disk. Note that this rule is also included in the Detection Content Feeds that comprise all DLL Hijacking entries that are part of HijackLibs.
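As an added example (not HijackLibs' own code), the following Python re-implements the logic of the three rules above and runs it over a handful of constructed Sysmon-style events, so the expected-location filter can be sanity-checked offline before it goes into a SIEM. Everything in it is an assumption for the demo: the event records are made up, %PROGRAMFILES% is expanded to both Program Files directories exactly as the rules do, %VERSION% becomes a wildcard, the `*` glob crosses directory separators just like the Sigma wildcard, and the signature fields follow the rule text literally (real Sysmon image-load events report SignatureStatus as 'Valid' rather than 'signed', so map that before reusing the check against live telemetry).

```python
"""Added example: the logic of the three Sigma rules above, applied to
constructed Sysmon-style events. Not HijackLibs' code; all records below are
made up for the demo and field values follow the rules as written."""
import fnmatch
from typing import Dict, List

DLL_NAME = "dbghelp.dll"

# Expected locations from the page, with the page's placeholders.
EXPECTED_TEMPLATES = [
    r"%PROGRAMFILES%\windows kits\10\debuggers\arm",
    r"%PROGRAMFILES%\windows kits\10\debuggers\arm\srcsrv",
    r"%PROGRAMFILES%\windows kits\10\debuggers\arm64",
    r"%PROGRAMFILES%\windows kits\10\debuggers\arm64\srcsrv",
    r"%PROGRAMFILES%\windows kits\10\debuggers\x64",
    r"%PROGRAMFILES%\windows kits\10\debuggers\x64\srcsrv",
    r"%PROGRAMFILES%\windows kits\10\debuggers\x86",
    r"%PROGRAMFILES%\windows kits\10\debuggers\x86\srcsrv",
    r"%PROGRAMFILES%\cisco systems\cisco jabber",
    r"%PROGRAMFILES%\microsoft office\root\office%VERSION%",
    r"%PROGRAMFILES%\microsoft office\root\vfs\programfilesx86\microsoft analysis services\as oledb\140",
    r"%SYSTEM32%",
    r"%SYSWOW64%",
]
# The file_event rule additionally ignores servicing/upgrade staging areas.
WRITE_ONLY_TEMPLATES = [r"c:\windows\winsxs", r"c:\$windows.~bt", r"c:\windows\softwaredistribution"]
# Assumed expansions: both Program Files roots, as in the rules; %VERSION% is any folder suffix.
PLACEHOLDERS = {
    "%programfiles%": [r"c:\program files", r"c:\program files (x86)"],
    "%system32%": [r"c:\windows\system32"],
    "%syswow64%": [r"c:\windows\syswow64"],
    "%version%": ["*"],
}
MS_WINDOWS_SIGNER = "CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"


def expand(template: str) -> List[str]:
    """Turn one %VAR% template into lower-cased glob patterns matching anything under it."""
    patterns = [template.lower()]
    for var, values in PLACEHOLDERS.items():
        expanded = []
        for p in patterns:
            expanded.extend(p.replace(var, v) for v in values) if var in p else expanded.append(p)
        patterns = expanded
    return [p + r"\*" for p in patterns]


LOAD_PATTERNS = [pat for t in EXPECTED_TEMPLATES for pat in expand(t)]
WRITE_PATTERNS = LOAD_PATTERNS + [pat for t in WRITE_ONLY_TEMPLATES for pat in expand(t)]


def is_target_dll(path: str) -> bool:
    return path.lower().endswith("\\" + DLL_NAME)


def in_expected_location(path: str, patterns: List[str]) -> bool:
    p = path.lower()
    return any(fnmatch.fnmatchcase(p, pat) for pat in patterns)


def unexpected_load(event: dict) -> bool:
    """Rule 1: image_load of dbghelp.dll outside the expected locations."""
    path = event.get("ImageLoaded", "")
    return is_target_dll(path) and not in_expected_location(path, LOAD_PATTERNS)


def unexpected_write(event: dict) -> bool:
    """Rule 2: a file named dbghelp.dll written outside expected/servicing paths."""
    path = event.get("TargetFilename", "")
    return is_target_dll(path) and not in_expected_location(path, WRITE_PATTERNS)


def untrusted_version(event: dict) -> bool:
    """Rule 3: a loaded dbghelp.dll whose signature data is not the Microsoft Windows signer."""
    path = event.get("ImageLoaded", "")
    if not is_target_dll(path):
        return False
    trusted = (str(event.get("Signed", "")).lower() == "true"
               and str(event.get("SignatureStatus", "")).lower() == "signed"
               and MS_WINDOWS_SIGNER in event.get("Signature", ""))
    return not trusted


def triage(events: List[dict]) -> Dict[str, List[str]]:
    """Run all three rules; return the loading/writing process image per hit."""
    rules = {"unexpected_load": unexpected_load, "unexpected_write": unexpected_write,
             "untrusted_version": untrusted_version}
    hits: Dict[str, List[str]] = {name: [] for name in rules}
    for e in events:
        for name, rule in rules.items():
            if rule(e):
                hits[name].append(e["Image"])
    return hits


# Constructed events (Sysmon ID 7 = image load, ID 11 = file create); not real telemetry.
SAMPLE_EVENTS = [
    # 1. Normal: djoin.exe loads the genuine DLL from System32.
    {"EventID": 7, "Image": r"C:\Windows\System32\djoin.exe", "ImageLoaded": r"C:\Windows\System32\dbghelp.dll",
     "Signed": "true", "SignatureStatus": "signed", "Signature": MS_WINDOWS_SIGNER},
    # 2. %WINDIR% redirected: reagentc.exe resolves "System32" under a user-writable tree.
    {"EventID": 7, "Image": r"C:\Windows\System32\reagentc.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\win\System32\dbghelp.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    # 3. Expected vendor location with the Microsoft-signed DLL: nothing to report.
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Cisco Systems\Cisco Jabber\CiscoJabber.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Cisco Systems\Cisco Jabber\dbghelp.dll",
     "Signed": "true", "SignatureStatus": "signed", "Signature": MS_WINDOWS_SIGNER},
    # 4. Office path with a version component, exercising the %VERSION% wildcard.
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\dbghelp.dll",
     "Signed": "true", "SignatureStatus": "signed", "Signature": MS_WINDOWS_SIGNER},
    # 5. Side-loading staging: dbghelp.dll dropped next to a copied EXE in Downloads.
    {"EventID": 11, "Image": r"C:\Users\bob\Downloads\dropper.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\tools\dbghelp.dll"},
    # 6. Servicing write into WinSxS (made-up component folder): excluded by the write rule.
    {"EventID": 11, "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\WinSxS\amd64_example-dbghelp_component\dbghelp.dll"},
]

if __name__ == "__main__":
    for rule_name, images in triage(SAMPLE_EVENTS).items():
        print(f"{rule_name}: {images}")
```

Run it directly to print the hits per rule: the redirected-%WINDIR% load trips both the location rule and the signature rule, the Downloads write trips the preparation rule, and the three legitimate events stay silent. A useful side effect of building the filter from the templated list is that the 13 expected-location templates expand to exactly the 24 (image_load) and 27 (file_event) entries the rules carry, which is a quick way to check that a hand-maintained filter has not drifted from the expected-locations list.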
FAQs
Why should I care about this?
DLL Hijacking enables the execution of malicious code through a signed and/or trusted executable. Defensive measures such as AV and EDR solutions may not pick up on this activity out of the box, and application allow-listing solutions such as AppLocker may not block the execution of the untrusted code, because the process that runs it is the trusted executable itself. There are numerous examples of threat actors that have been observed to leverage DLL Hijacking to achieve their objectives. As such, this project wants to encourage you to monitor for unusual activity involving dbghelp.dll.
How do I abuse this vulnerability?
As a red teamer, you will have to compile your own version of dbghelp.dll. There are various guides on how this can be achieved. To keep the host application working, the replacement typically has to export (or forward to the genuine dbghelp.dll) the functions the target imports, otherwise the process fails to start before your code runs.