Windows: Side-Loading DLL attacks via licensingdiag.exe

I'm once again posting information here in the blog that I stumbled across recently. Anyone concerned about Windows security should keep an eye on the command line tool licensingdiag.exe. It is another "living off the land" binary that can be abused for DLL side-loading attacks, because a registry entry specifies which DLL it loads and from which path.

Dynamic-Link Library (DLL) side-loading is an attack technique that abuses the way Microsoft Windows applications locate and load DLL files. In such attacks, malware places a malicious DLL in a Windows WinSxS directory so that the operating system loads it instead of the legitimate file. Mandiant addresses this issue in this PDF document, for example.

Grzegorz Tworek published the following tweet on X the other day, pointing out that the command line tool licensingdiag.exe, which ships with Windows, offers an opportunity for attacks. Because the tool is part of Windows itself, this is also referred to as a "living off the land" technique.

DLL sideloading with licensingdiag.exe

In the Windows registry, there is a registry entry for the integrated application licensingdiag.exe:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LicensingDiag

where the REG_SZ value contains the path to the DLL that is executed (here LicensingDiagSpp.dll). If an attacker manages to manipulate this registry entry (writing to HKLM requires administrator rights), Pandora's box is opened.

An attacker could then store a path to their own DLL there, and that DLL is executed whenever the console application licensingdiag.exe is called. If the attacker changes the value to REG_EXPAND_SZ, several DLLs could be loaded when the application is called. The only protection is that the manipulation requires administrator rights. Still, it would be another way for attackers to hide behind a legitimate Windows application and load and execute malicious DLLs via side-loading.
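For anyone who wants to audit this on their own machines, the following PowerShell script is an added example; it is not part of the original post, the tweet, or any Microsoft tooling. It reads the LicensingDiag key mentioned above and reports every string value that points at a DLL, flagging the conditions that would indicate tampering: a REG_EXPAND_SZ value or embedded environment references, a non-absolute path, a path outside %SystemRoot%\System32, a missing file, or a file without a valid Microsoft Authenticode signature. The post does not name the value under the key, so the script inspects all string values; the expected directory and the "O=Microsoft Corporation" signer check are assumptions made for this audit.

```powershell
# Added example (not from the original post): audit the LicensingDiag registry key
# that licensingdiag.exe consults and flag DLL paths that look tampered with.
# Assumptions: the value name is not given in the post, so every string value under
# the key is inspected; %SystemRoot%\System32 as the trusted location and the
# Microsoft signer subject are assumptions for this check.

$KeyPath     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LicensingDiag'
$ExpectedDir = Join-Path $env:SystemRoot 'System32'

function Test-LicensingDiagDll {
    [CmdletBinding()]
    param(
        [string]$Path       = $KeyPath,
        [string]$TrustedDir = $ExpectedDir
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Key not found: $Path"
        return
    }

    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)
        # Only string-typed values (REG_SZ / REG_EXPAND_SZ) can carry a DLL path
        if ($kind -notin @('String', 'ExpandString')) { continue }

        # Read the raw (unexpanded) data so embedded %VAR% references stay visible
        $raw      = [string]$key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        if ($expanded -notmatch '\.dll\s*$') { continue }

        $findings = @()

        # 1. REG_EXPAND_SZ or an embedded %VAR% lets the environment decide which
        #    file is resolved; the post calls out the REG_EXPAND_SZ case
        if ($kind -eq 'ExpandString' -or $raw -match '%') {
            $findings += 'value is REG_EXPAND_SZ or contains environment references'
        }

        # 2. A relative path is resolved through the loader search order, not a
        #    fixed location; an absolute path must sit in the trusted directory
        if (-not [System.IO.Path]::IsPathRooted($expanded)) {
            $findings += 'path is not absolute'
        }
        else {
            $dir = [System.IO.Path]::GetDirectoryName($expanded)
            if ($dir.TrimEnd('\') -ne $TrustedDir.TrimEnd('\')) {
                $findings += "path is outside $TrustedDir"
            }
        }

        # 3. The file must exist and carry a valid Authenticode signature whose
        #    signer is Microsoft (assumed subject string)
        if (-not (Test-Path -LiteralPath $expanded -PathType Leaf)) {
            $findings += 'file does not exist'
        }
        else {
            $sig = Get-AuthenticodeSignature -FilePath $expanded
            if ($sig.Status -ne 'Valid') {
                $findings += "signature status is $($sig.Status)"
            }
            elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                $findings += "signer is $($sig.SignerCertificate.Subject)"
            }
        }

        [pscustomobject]@{
            ValueName  = $name
            Kind       = $kind
            RawData    = $raw
            Resolved   = $expanded
            Suspicious = ($findings.Count -gt 0)
            Findings   = ($findings -join '; ')
        }
    }
}

# Print one record per DLL-bearing value; Suspicious = True means review it
Test-LicensingDiagDll | Format-List
```

Reading HKLM does not need elevation, so the script can run under a normal account as part of a periodic baseline check. Because the attack requires a write to this key, alerting on that write (for example with a Sysmon RegistryEvent "value set" rule scoped to the key path) catches the change when it happens rather than on the next audit.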

This entry was posted in Security, Windows.
