DLL Search Order Hijacking

A 10‑minute hardening + detection plan (Windows)

Attackers still love DLL Search Order Hijacking because it turns trusted apps into loaders for their code. Windows resolves DLLs by checking a sequence of locations; if a malicious DLL appears earlier than the real one, it gets loaded.

Minimum‑viable hardening (fast)

1. Keep Safe DLL search mode on

   • Enabled by default; it moves the current directory later in the search order. Avoid tools that disable it (e.g., careless SetDllDirectory).

2. Remove the current working directory (CWD) from DLL search (policy)

• Set CWDIllegalInDllSearch to 2 to block loads when the CWD is a network path (WebDAV/SMB) with low break risk.

• Where compatible, set it to 0xFFFFFFFF to remove CWD entirely (strongest posture; test first).

PowerShell (elevated)

$k = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
New-ItemProperty -Path $k -Name CWDIllegalInDllSearch -PropertyType DWord -Value 2 -Force | Out-Null
# For maximum hardening (test first): set -Value 0xFFFFFFFF

1. Application allow‑listing on sensitive hosts

   • Use Windows Defender Application Control / App Control for Business to restrict code to trusted publishers/paths—shutting down most hijack paths outright.

   • Compatibility tip: if a line‑of‑business app breaks after tightening search behavior, remediate the app (load by fully‑qualified path) rather than weakening the platform.

Detections that actually work

Provenient’s Sideload Watchman (in development).

Otherwise:

Enable targeted telemetry and look for “trusted app + untrusted DLL from user‑writable path.”

Sysmon

Turn on Event ID 7 (ImageLoaded) for a curated set of processes (browsers, Office, PDF readers, IT tools) and filter to user‑writable directories (profile, Temp, Downloads). Avoid blanket EID7 due to volume.

Microsoft Defender / Sentinel (KQL)

DeviceImageLoadEvents
| where InitiatingProcessFileName !in~ ("smss.exe","csrss.exe","wininit.exe","lsass.exe")
| where FolderPath has_any ("\\Users\\","\\AppData\\Local\\Temp\\","\\Downloads\\")
| where SignedStatus !in~ ("Signed","SignedValid")
| summarize dcount(SHA256) by InitiatingProcessFileName, InitiatingProcessVersionInfoCompany, FolderPath
| order by dcount_SHA256 desc

Hunting logic (portable):

• Signed, high‑reputation process loads a non‑Microsoft‑signed DLL from a user‑writable path.

• Repeated DLL names loaded across hosts from profile/Temp.

• New module loads shortly after opening untrusted content.

Checklist

• Confirm SafeDllSearchMode is not disabled.

• Deploy CWDIllegalInDllSearch=2 (baseline); pilot 0xFFFFFFFF where feasible.

• Enforce allow‑listing (WDAC/App Control) on admin and high‑risk workstations.

• Enable Sysmon EID7 for targeted apps and alert on user‑writable DLL loads.

Why this matters: This closes entire classes of “plant a DLL next to something users will run” attacks while giving you actionable telemetry if someone tries anyway. Map to ATT&CK T1574.001 (DLL Search Order Hijacking).

References

• Microsoft Learn — Dynamic‑link library search order (Safe DLL search mode): https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order

• Microsoft Learn — Dynamic‑Link Library Security (SafeDllSearchMode guidance): https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-security

• MSRC Blog — An update on the DLL‑preloading remote attack vector (CWDIllegalInDllSearch values, trade‑offs): https://msrc.microsoft.com/blog/2010/08/an-update-on-the-dll-preloading-remote-attack-vector/

• Sysinternals — Sysmon (Event ID 7: Image loaded): https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

• Microsoft Learn — Application Control for Business (WDAC): https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/appcontrol

• MITRE ATT&CK — T1574.001 DLL Search Order Hijacking: https://attack.mitre.org/techniques/T1574/001/