Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests (Citation: MSDN Manifests) are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL. (Citation: Stewart 2014)Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.
GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded. Upon execution, calc.exe will be opened.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| process_name | Name of the created process | string | calculator.exe |
| gup_executable | GUP is an open source signed binary used by Notepad++ for software updates | path | PathToAtomicsFolder\T1073\bin\GUP.exe |
#{gup_executable}taskkill /F /IM #{process_name} >nul 2>&1if (Test-Path #{gup_executable}) {exit 0} else {exit 1} New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1073/bin/GUP.exe" -OutFile "#{gup_executable}"