3. If an administrator is logged in when the task executes, the malicious DLL runs in the administrator's session at medium integrity.
4. Chain standard UAC bypass techniques to elevate from medium integrity to SYSTEM privileges.
## Case Study: MSI CustomAction Dropper + DLL Side-Loading via Signed Host (wsc_proxy.exe)
Threat actors frequently pair MSI-based droppers with DLL side-loading to execute payloads under a trusted, signed process.
Chain overview
- User downloads MSI. A CustomAction runs silently during the GUI install (e.g., LaunchApplication or a VBScript action), reconstructing the next stage from embedded resources.
- The dropper writes a legitimate, signed EXE and a malicious DLL to the same directory (example pair: Avast-signed wsc_proxy.exe + attacker-controlled wsc.dll).
- When the signed EXE is started, Windows DLL search order loads wsc.dll from the working directory first, executing attacker code under a signed parent (ATT&CK T1574.001).
MSI analysis (what to look for)
- CustomAction table:
- Look forentries that run executables or VBScript. Example suspicious pattern: LaunchApplication executing an embedded filein background.
- In Orca (Microsoft Orca.exe), inspect CustomAction, InstallExecuteSequence and Binary tables.
- Look for multiple small fragments that are concatenated and decrypted by a VBScript CustomAction. Common flow:
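Review bot: the CustomAction bullet has two run-together words, "Look forentries" and "filein background", which should read "Look for entries" and "file in background". In the same region, the items under "CustomAction table:" sit at the same indent as their parent, so they render as sibling bullets rather than a nested list, and "Chain overview" and "MSI analysis (what to look for)" are plain lines while the rest of the file uses `##` headings; suggest indenting the sub-items and promoting the two labels to `###` headings so the section's structure matches the surrounding document.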
```vb
' VBScript CustomAction (high level)
' 1) Read multiple fragment files from the embedded CAB (e.g., f0.bin, f1.bin, ...)
' 2) Concatenate with ADODB.Stream or FileSystemObject
' 3) Decrypt using a hardcoded password/key
' 4) Write reconstructed PE(s) to disk (e.g., wsc_proxy.exe and wsc.dll)
```
Practical sideloading with wsc_proxy.exe
- Drop these two files in the same folder:
- wsc_proxy.exe: legitimate signed host (Avast). The process attempts to load wsc.dll by name from its directory.
- wsc.dll: attacker DLL. If no specific exports are required, DllMain can suffice; otherwise, build a proxy DLL and forward required exports to the genuine library while running payload in DllMain.
- For export requirements, use a proxying framework (e.g., DLLirant/Spartacus) to generate a forwarding DLL that also executes your payload.
- This technique relies on DLL name resolution by the host binary. If the host uses absolute paths or safe loading flags (e.g., LOAD_LIBRARY_SEARCH_SYSTEM32/SetDefaultDllDirectories), hijack may fail.
- KnownDLLs, SxS, and forwarded exports can influence precedence and must be considered during selection of the host binary and export set.
## References
- [CVE-2025-1729 - Privilege Escalation Using TPQMAssistant.exe](https://trustedsec.com/blog/cve-2025-1729-privilege-escalation-using-tpqmassistant-exe)
- [TrustedSec – Hack-cessibility: When DLL Hijacks Meet Windows Helpers](https://trustedsec.com/blog/hack-cessibility-when-dll-hijacks-meet-windows-helpers)
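Review bot: the "Practical sideloading with wsc_proxy.exe" section ends with the conditions under which the hijack fails (absolute paths, LOAD_LIBRARY_SEARCH_SYSTEM32/SetDefaultDllDirectories, KnownDLLs, SxS) but gives the reader nothing to detect or hunt for, which is the half of the case study a defender needs; suggest a short "Detection" list after the KnownDLLs bullet covering the chain as described: msiexec.exe spawning wscript/cscript or an embedded executable during a GUI install, a signed wsc_proxy.exe running from a directory other than its vendor install path, and an unsigned wsc.dll loaded into that signed process (an image-load telemetry source such as Sysmon Event ID 7 filtered on unsigned modules under signed parents captures the last point). Separately, neither entry in References supports the wsc_proxy.exe/wsc.dll pairing claimed in this section (both cover TPQMAssistant.exe and Windows helper hijacks), so a citation for the Avast-signed host and the MSI CustomAction flow should be added, or the claim marked as an illustrative example.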