{"id":34890,"date":"2024-09-01T00:01:54","date_gmt":"2024-08-31T22:01:54","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=34890"},"modified":"2024-08-30T13:49:00","modified_gmt":"2024-08-30T11:49:00","slug":"windows-side-loading-dll-attacks-via-licensingdiag-exe","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2024\/09\/01\/windows-side-loading-dll-attacks-via-licensingdiag-exe\/","title":{"rendered":"Windows: Side-Loading DLL attacks via licensingdiag.exe"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Windows\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Windows-klein.jpg\" alt=\"Windows\" width=\"200\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2024\/09\/01\/windows-side-loading-dll-angriffe-ber-licensingdiag-exe\/\" target=\"_blank\" rel=\"noopener\">German<\/a>] I'm once again posting information here in the blog that I stumbled across recently. Anyone who is concerned about Windows security should keep an eye on the command line tool licensingdiag.exe. It is another \"living off the land\" tool that can be used for DLL side-loading attacks, because a registry entry specifies which DLL the tool loads and from which path.<\/p>\n<p><!--more--><\/p>\n<p>Dynamic-link library (DLL) side-loading is an attack method that takes advantage of the way Microsoft Windows applications locate and load DLL files. In such attacks, malware places a malicious DLL that impersonates a legitimate one in a Windows WinSxS directory, so that the operating system loads it instead of the legitimate file. 
Mandiant addresses this issue in <a href=\"https:\/\/www.mandiant.com\/sites\/default\/files\/2021-09\/rpt-dll-sideloading.pdf\" target=\"_blank\" rel=\"noopener\">this PDF document<\/a>, for example.<\/p>\n<p>Grzegorz Tworek published the following tweet on X the other day. In it he points out that the command line tool licensingdiag.exe, which ships with Windows, offers an opportunity for attacks. Because the tool is part of Windows, this is also referred to as a \"living off the land\" attack.<\/p>\n<p><a href=\"https:\/\/x.com\/0gtweet\/status\/1827991604918890968\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"DLL sideloading with licensingdiag.exe\" src=\"https:\/\/i.postimg.cc\/TY0zbHgq\/image.png\" alt=\"DLL sideloading with licensingdiag.exe\" \/><\/a><\/p>\n<p>In the Windows registry, there is a registry entry for the built-in application <em>licensingdiag.exe<\/em>:<\/p>\n<p>HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LicensingDiag<\/p>\n<p>where the REG_SZ value contains the path to the DLL that is executed (here <em>LicensingDiagSpp.dll<\/em>). If an attacker manages to manipulate this registry entry (writing to HKLM requires administrator rights), Pandora's box is opened.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i.postimg.cc\/vZhQvFS0\/image.png\" width=\"657\" height=\"271\" \/><\/p>\n<p>An attacker could then store the path to their own DLL, which is executed whenever the console application licensingdiag.exe is called. If the attacker changes the value in REG_EXPAND_SZ, several DLLs could be loaded when the application is called. The only protection is that the manipulation requires administrator rights. Nevertheless, it is another way for attackers to hide behind legitimate Windows applications and to load and execute malicious DLLs via side-loading.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]I'm once again posting information here in the blog that I stumbled across recently. 
Anyone who is concerned about Windows security should keep an eye on the command line tool licensingdiag.exe. It is another \"living off the land\" tool that &hellip; <a href=\"https:\/\/borncity.com\/win\/2024\/09\/01\/windows-side-loading-dll-attacks-via-licensingdiag-exe\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[69,194],"class_list":["post-34890","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/34890","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=34890"}],"version-history":[{"count":1,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/34890\/revisions"}],"predecessor-version":[{"id":34891,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/34890\/revisions\/34891"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=34890"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=34890"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=34890"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}