Cobalt Strike Hunting — DLL Hijacking/Attack Analysis

Michael Koczwara
6 min readAug 17, 2021

DLL Hijacking via Cobalt Strike & Attack Analysis.

Agenda

  • Hijack Execution Flow: DLL Search Order Hijacking.
  • Payload extraction from the PCAP (VT, Triage, and CyberChef Analysis).
  • Attack Analysis.
  • DLL Hijacking via Cobalt Strike/Sysrep.

Hijack Execution Flow

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defences, such as application control or other restrictions on execution.

There are many ways an adversary may hijack the flow of execution, including by:

  • Manipulating how the operating system locates programs to be executed.
  • How the operating system locates libraries to be used by a program can also be intercepted.
  • Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.

https://attack.mitre.org/techniques/T1574/

Hijack Execution Flow: DLL Search Order Hijacking

Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.

https://attack.mitre.org/techniques/T1574/001/

Payload extraction from the PCAP

We can extract malware from PCAP (Export Objects & HTTP) and perform Analysis in VT, Triage, and CyberChef.

H7mp is a payload.

--

--