Full Report
In this blog post I am going to describe a new tool (Rattler) that I have been working on and discuss some of the interesting anomalies found while building it. Rattler can be found on our Github repo and was recently discussed at BSides Cape Town. What is Rattler? Rattler helps identify which application DLLs are vulnerable to DLL preloading attacks. In a nutshell, DLL preloading attacks allow you to trick applications into loading and executing malicious DLLs. DLL preloading attacks can result in escalation of privileges, persistence and, in some cases, RCE. While preloading attacks are nothing new, some interesting results were found. For more information on DLL security, I found this link to be helpful.
Analysis Summary
# Tool/Technique: Rattler
## Overview
Rattler is a custom tool designed to identify applications vulnerable to **DLL Preloading Attacks**. These attacks involve tricking an application into loading and executing a malicious DLL placed in its Current Working Directory (CWD) because the application does not use a Fully Qualified Path (FQP) when loading necessary DLLs, thus triggering the Windows DLL search order. Successful exploitation can lead to privilege escalation, persistence, or Remote Code Execution (RCE).
## Technical Details
- Type: Tool
- Platform: Windows (Implied, due to reliance on Windows APIs and DLL search order)
- Capabilities: Identifies application DLLs vulnerable to preloading attacks by checking if they use an FQP, and automates the process of testing for exploitable conditions.
- First Seen: Discussed at BSides Cape Town; Blog post published December 01, 2016.
## MITRE ATT&CK Mapping
The techniques described apply primarily post-exploitation, to maintain access on a compromised host and to escalate privileges.
- **TA0004 - Privilege Escalation**
- T1546.002 - Event Triggered Execution: DLL Search Order Hijacking
- **TA0003 - Persistence**
- T1546.002 - Event Triggered Execution: DLL Search Order Hijacking
- **TA0002 - Execution**
- T1055 - Process Injection (Leveraged when payload executes)
## Functionality
### Core Capabilities
1. **DLL Identification:** Uses the Windows Process Status API call `EnumProcessModules` to identify all DLLs utilized by a target application executable.
2. **Vulnerability Check:** Filters the identified DLLs to find those that **DO NOT** use a Fully Qualified Path (FQP). These are the artifacts subject to the DLL search order vulnerability.
3. **Target Enumeration & Testing:** Automatically attempts to test the vulnerability by placing a malicious, custom-named DLL in the application's CWD, named to match one of the non-FQP DLLs identified.
### Advanced Features
* **Exploitation Focus:** Unlike auditing tools, Rattler attempts to verify exploitability automatically; a successful load of the test DLL is observed through a visible side effect such as `calc.exe` launching.
* **Persistence/Escalation Vectoring:** Specifically targets vulnerable applications to facilitate post-exploitation goals like achieving persistence or escalating privileges (e.g., by loading a malicious DLL via a high-privileged installer).
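As an added illustration of the search-order condition behind steps 2 and 3 above and the installer case just mentioned (example code, not Rattler's own), the following Python model walks the default SafeDllSearchMode search order for an unqualified DLL name and reports where a copy planted in an attacker-writable location would be picked up before the legitimate one. Directory contents, DLL names and the `writable` set are constructed assumptions.

```python
from typing import Dict, FrozenSet, List, Optional, Tuple

# Order the loader walks for a name given without a fully qualified path when
# SafeDllSearchMode is on (the default): application directory, system
# directories, then the current working directory and PATH.
SAFE_SEARCH_ORDER = ["app_dir", "system32", "system16", "windows", "cwd", "path"]

# Locations an unprivileged user can usually write to; the page discusses the
# CWD case. Add "app_dir" for an installer run from a user-writable folder.
DEFAULT_WRITABLE = frozenset({"cwd", "path"})


def resolve(name: str, layout: Dict[str, List[str]],
            known_dlls: FrozenSet[str] = frozenset(),
            writable: FrozenSet[str] = DEFAULT_WRITABLE) -> Tuple[Optional[str], Optional[str]]:
    """Return (location serving the load, first writable location searched before it).

    `layout` maps a search location to the (constructed) DLL names found there.
    The second element is None when the load cannot be hijacked. KnownDLLs are
    mapped straight from the system directory and never searched.
    """
    lname = name.lower()
    if lname in {k.lower() for k in known_dlls}:
        return "system32", None
    hijack_loc = None
    for loc in SAFE_SEARCH_ORDER:
        if lname in {n.lower() for n in layout.get(loc, [])}:
            return loc, hijack_loc
        if hijack_loc is None and loc in writable:
            hijack_loc = loc  # a planted copy here beats any later legitimate copy
    return None, hijack_loc  # DLL missing entirely: a planted copy is the only match


def audit(names: List[str], layout: Dict[str, List[str]],
          known_dlls: FrozenSet[str] = frozenset(),
          writable: FrozenSet[str] = DEFAULT_WRITABLE) -> Dict[str, str]:
    """Map each non-FQP load name that can be hijacked to the location that wins."""
    hits = {}
    for name in names:
        _, hijack_loc = resolve(name, layout, known_dlls, writable)
        if hijack_loc is not None:
            hits[name] = hijack_loc
    return hits


if __name__ == "__main__":
    # Constructed layout: one vendor DLL beside the exe, two system DLLs.
    layout = {"app_dir": ["vendor.dll"], "system32": ["kernel32.dll", "version.dll"]}
    loads = ["vendor.dll", "kernel32.dll", "version.dll", "plugin.dll"]
    print(audit(loads, layout, frozenset({"kernel32.dll"})))  # {'plugin.dll': 'cwd'}
    print(audit(loads, layout, frozenset({"kernel32.dll"}), frozenset({"app_dir", "cwd", "path"})))
```

With the default writable set only a DLL that exists nowhere on the system is reachable from the CWD, which is why SafeDllSearchMode protects `version.dll` here; making the application directory writable (the user-writable installer case) exposes it again.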
## Indicators of Compromise
*Note: Since Rattler is a scanner/testing tool, system IoCs depend entirely on the payload dropped and executed by the researcher/attacker.*
- File Hashes: N/A (Tool specific hashes not provided)
- File Names: Rattler executable name variants (e.g., `Rattler_32.exe`)
- Registry Keys: N/A
- Network Indicators: Attackers may use reverse shells (e.g., generated via `msfvenom` as suggested in the article: `reverse_tcp LHOST=<LHOST> LPORT=<LPORT>`), but these are payload-dependent.
- Behavioral Indicators:
* An application executable spawning unexpected child processes, or executing code paths associated with a legitimate, known DLL, when that DLL is absent from its expected system or application directory but present in the executable's CWD.
* A victim application being executed concurrently with the creation or modification of a DLL with a matching name in the same directory.
## Associated Threat Actors
The article describes the tool's creation and use by the author (**chris** from SensePost) for research, bug bounty submissions, and demonstrating real-world post-exploitation techniques. Specific established threat groups using Rattler explicitly were not named, but the technique (DLL Search Order Hijacking) is widely used by various actors.
## Detection Methods
* **Signature-based detection:** Difficult for a custom testing tool unless specific hashes of the Rattler binaries become widely available.
* **Behavioral detection:** Critical focus should be on monitoring file writes/drops of DLLs into application directories immediately preceding or concurrent with the execution of that application.
* **YARA rules:** Not provided in the context.
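The behavioural indicator listed under Indicators of Compromise and the behavioural detection point above can be expressed as one correlation rule. Added example, not from the original post: it runs over constructed Sysmon-style FileCreate (Event ID 11) and ImageLoad (Event ID 7) records and alerts when a process loads a DLL that was written to that same path moments earlier; the event layout, paths and timestamps are constructed.

```python
from datetime import datetime
from typing import Dict, List

# Constructed Sysmon-style events (Event ID 11 = FileCreate, 7 = ImageLoad),
# reduced to the fields the correlation needs. Paths and times are made up.
EVENTS: List[Dict[str, str]] = [
    {"ts": "2016-12-01T10:00:00", "id": "11", "image": r"C:\Users\alice\Downloads\stage.exe",
     "target": r"C:\Users\alice\Downloads\plugin.dll"},
    {"ts": "2016-12-01T10:00:03", "id": "7", "image": r"C:\Users\alice\Downloads\Setup.exe",
     "loaded": r"C:\Users\alice\Downloads\plugin.dll", "signed": "false"},
    {"ts": "2016-12-01T10:00:04", "id": "7", "image": r"C:\Users\alice\Downloads\Setup.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": "true"},
    # A legitimate install hours before the load: outside the window, no alert.
    {"ts": "2016-12-01T12:00:00", "id": "11", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Program Files\Vendor\helper.dll"},
    {"ts": "2016-12-01T14:00:00", "id": "7", "image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Program Files\Vendor\helper.dll", "signed": "true"},
]


def find_drop_then_load(events: List[Dict[str, str]],
                        window_seconds: int = 300) -> List[Dict[str, object]]:
    """Alert when a process loads a DLL created within `window_seconds` before the load.

    Events must be in chronological order, as Sysmon emits them. The DLL path
    is matched case-insensitively, since NTFS paths are case-insensitive.
    """
    recent_drops = {}  # lower-cased DLL path -> (creation time, writing process)
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == "11" and ev["target"].lower().endswith(".dll"):
            recent_drops[ev["target"].lower()] = (ts, ev["image"])
        elif ev["id"] == "7":
            drop = recent_drops.get(ev["loaded"].lower())
            if drop is not None and (ts - drop[0]).total_seconds() <= window_seconds:
                alerts.append({
                    "process": ev["image"], "dll": ev["loaded"], "dropped_by": drop[1],
                    "seconds_between": (ts - drop[0]).total_seconds(),
                    "unsigned": ev.get("signed") != "true",  # unsigned load raises severity
                })
    return alerts


if __name__ == "__main__":
    for alert in find_drop_then_load(EVENTS):
        print(alert)
```

Tightening the rule to DLLs loaded from user-writable directories, or to loads where the writing process differs from the loading process, reduces noise from ordinary installers.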
## Mitigation Strategies
* **Primary Fix:** Ensure all applications load required DLLs using **Fully Qualified Paths (FQPs)** (e.g., including the full path to the DLL), which bypasses the Windows DLL search order mechanism.
* **Validation:** Implement DLL verification and validation checks where possible to confirm the integrity and expected source location of loaded modules.
## Related Tools/Techniques
* DLL Hijack Audit Kit (Mentioned as a tool for identifying non-FQP DLLs).
* General DLL Search Order Hijacking techniques (as noted under MITRE ATT&CK T1546.002).
* Generic payload generation tools like `msfvenom`.