Expected LocationsThe file
mstracer.dllis a phantom DLL, meaning it normally doesn't exist.
Vulnerable ExecutablesThe following executables attempt to load
DetectionBelow a sample Sigma rule that will find processes that loaded
mstracer.dlllocated in a folder that is not one of the expected locations (see above).
Why should I care about this?
DLL Hijacking enables the execution of malicious code through a signed and/or trusted executable. Defensive measures such as AV and EDR solutions may not pick up on this activity out of the box, and allow-list applications such as AppLocker may not block the execution of the untrusted code. There are numerous examples of threat actors that have been observed to leaverage DLL Hijacking to achieve their objectives. As such, this project wants to encourage you to monitor for unusual activity involving
How do I abuse this vulnerability?
As a red teamer, you will have to compile your own version of
mstracer.dll. There are various guides on how this can be achieved.
How could the vendor have prevented this vulnerability?
Phantom DLL Hijacking vulnerabilities are typically introduced due to human error: for example, a typo may cause an executable to attempt to load a non-existing DLL; similarly, the removal of a DLL without removing the reference in the depending application will result in the same. Better (code coverage) testing and unused dependency detection may aid in catching potential Phantom DLL vulnerabilities from being introduced.
This DLL Hijack doesn't seem to work (anymore), why is it still included?
Luckily, vendors regularly patch vulnerable applications in order to prevent DLL Hijacking from taking place. Nevertheless, older versions will remain vulnerable; for that reason, the entry won't be deleted from this project. To help others, you may want to open a pull request updating the 'precondition' tag on this entry to make the community aware of the reduced scope.