Wietze Beukema - Save The Environment (Variable): Hijacking Legitimate Applications with a Minimal Footprint

Wietze Beukema, Threat Detection & Response at CrowdStrike, He/Him

Presentation Title: Save The Environment (Variable): Hijacking Legitimate Applications with
a Minimal Footprint
Length of presentation: 45 minutes
Demo, Tool

DLL Hijacking, being a well-known technique for executing malicious payloads via trusted executables, has been scrutinised extensively, to the point where defensive measures are in a much better position to detect abuse. To bypass detection, stealthier and harder-to-detect alternatives need to come into play.

In this presentation, we will take a closer look at how process-level Environment Variables can be abused for taking over legitimate applications. Taking a systemic approach, we will demonstrate that over 80 Windows-native executables are vulnerable to this special type of DLL Hijacking. As this raises additional opportunities for User Account Control (UAC) bypass and Privilege Escalation, we will discuss the value and further implications of this technique and these findings.

Wietze has been hacking around with computers for years. Originally from the Netherlands, he currently works in Threat Detection & Response at CrowdStrike in London. As a threat hunting enthusiast and security researcher, he has presented his findings on topics including attacker emulation, command-line obfuscation and DLL Hijacking at a variety of security conferences. By sharing his research, publishing related tools and his involvement in the open source LOLBAS project, he aims to give back to the community he learnt so much from.