Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests (Citation: MSDN Manifests) are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL. (Citation: Stewart 2014)Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.
GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| process_name | Name of the created process | string | calculator.exe |
$PathToAtomicsFolder\T1073\bin\GUP.exe
taskkill /F /IM #{process_name}