Tag Archive for: FRIDA
Ransomware, Security by Design and How to Analyze in Windows With Frida
Getting and staying ahead of threat actors means knowing the cybersecurity landscape. Today, that still often means ransomware and changing the ways and places we work. July’s top stories include a supply chain attack from the REvil ransomware gang and how to fold security into design.
We also have a deep dive into password safety, including common myths from social media. Attackers may not be looking at your tweets. However, elements of social engineering do open up passwords for exploitation in some similar ways.
This month’s expert insights also involve the state of today’s operational technology (OT) attacks, finding DLL sideloading attacks with the prototype Frida tool Windows Feature Hunter and a new way to execute .NET assemblies. Check out our top advice and news from July.
Quick Briefs: Top Insights From July
2-Minute Read 🕒
3 Myths About Threat Actors and Password Safety
Most of us have a little bit of anxiety about social media sharing. Who doesn’t cringe in sympathy (or schadenfreude) at the story of a senator who posted a picture of his password by mistake? As social media involves, keep up to date and refresh yourself on some of the basics around preventing password theft. Plus, see some common myths around password theft aren’t really worth worrying about.
3-Minute Read 🕒
What Is Domain-Driven Design?
Security review on software design can take months by itself. But what about security-driven design, where the idea that your product might be attacked (or present a weak link) is built in from the beginning? See how domain-driven design can combine security and the business domain that makes your product a worthwhile purchase. It’s the best of both worlds.
4-Minute Read 🕒
Your Home Away From Home May Not Be as Cybersecure as You Think
We’ve all heard the warnings about keeping your cybersecurity rigorous while working from home. With luck, people are starting to settle in to their workplace again in 2021, whether that’s at the office or remote. You might even be starting to think about going on vacation, when it’s safe to do. So don’t forget digital safety on the road, too. A chief technology…
Hunting for Windows “Features” with Frida: DLL Sideloading
Offensive security professionals have been using Frida for analyzing iOS and Android mobile applications. However, there has been minimal usage of Frida for desktop operating systems such as Windows. Frida is described by the author as a “Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.” From a security research and adversarial simulation perspective, Frida can be used to identify MITRE ATT&CK technique T1574.002 also known as dynamic-link library (DLL) sideloading. Frida is not limited to identifying DLL sideloading. It can also identify MITRE ATT&CK technique T1546.015 also known as Component Object Model (COM) hijacking. This blog post will review DLL sideloading, and how attackers and offensive security professionals can identify potential DLL sideloading opportunities using X-Force Red’s proof-of-concept Frida tool Windows Feature Hunter (WFH).
What Is DLL Sideloading?
MITRE ATT&CK describes DLL sideloading in T1574.002 as follows:
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
MITRE ATT&CK goes on to say that “side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other.”
Microsoft also wrote a blog post where they define what is considered a vulnerability, saying that CWD scenarios would be addressed with a security fix, while PATH directory scenarios would not, “since there can’t be a non-admin directory in the PATH, [it] can’t be exploited.”
Windows DLL Search Order
Microsoft details DLL search order in this post. The post describes DLL search order, as shown in the excerpt below:
A system can contain multiple versions of the same dynamic-link library (DLL). Applications can control the location…
How-to Guide: Defeating an Android Packer with FRIDA
|