Security Joes outlined a proof-of-concept to perform dynamic link library (DLL) hijacking targeting the Windows Side By Side (WinSxS) folder. The latter is critical in Windows maintenance and recovery as it retains system information when the operating system undergoes updates. The folder is typically located at the path C:\Windows\WinSxS, which is a trusted location.
The exploit fundamentally leverages a typical DLL search order hijacking technique. Yet, targeting WinSxS enables to circumvent high privilege requirements, and removes the necessity to elevate privileges to execute malicious code within Windows applications. By leveraging this folder, the need for additional, potentially detectable binaries in the attack chain is eliminated, as Windows already indexes these files in WinSxS.
This strategy enhances stealth, executing malicious code within the memory space of an application running from WinSxS, minimizing the risk of detection and reducing the likelihood of security tools flagging this method as it utilizes trusted components present in the Windows environment.