Sunday 05 July 2026 23:54:55 GMT+02:00

Netcrook


WIKICROOK

Search-order hijacking

Abuse of the order in which software looks for libraries, allowing a rogue DLL to be loaded first.

Search-order hijacking is a technique in which an application loads a library from the first location in its search path that contains a matching file, and an attacker places a rogue DLL in a location that is checked before the legitimate one. Because Windows programs often look in predictable directories or nearby folders, a malicious library can be loaded instead of the intended one.

This matters because the trusted executable may still appear normal while hostile code runs inside its process. Attackers use it for stealthy execution, persistence, and defense evasion, especially by targeting signed tools or utilities that defenders are less likely to question. In real attacks, it often shows up as DLL side-loading: a legitimate program launches, then silently imports a malicious module from a writable or unexpected path.

Defenders look for mismatches between a process and the DLLs it loads, unusual module paths, and unsafe search behavior. Application control, safe DLL loading settings, and telemetry such as Sysmon can help expose this abuse.
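The checks described above, applied to Sysmon image-load records (Event ID 7), as an added example that is not part of the original page. The sample events, the DLL baseline and the writable-path prefixes are constructed assumptions; `Image`, `ImageLoaded` and `Signed` are the fields Sysmon records for this event.

```python
import ntpath  # Windows path rules, usable on any analysis host

# Assumption: illustrative baseline of DLL names expected only from system directories.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\")
# Assumption: prefixes treated as commonly user-writable locations.
WRITABLE_HINTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def assess_image_load(event):
    """Return the reasons one image-load event resembles search-order hijacking."""
    image = ntpath.normcase(event["Image"])
    loaded = ntpath.normcase(event["ImageLoaded"])
    reasons = []
    # Mismatch: a system DLL name resolved from somewhere other than a system directory.
    if ntpath.basename(loaded) in SYSTEM_DLLS and not loaded.startswith(SYSTEM_DIRS):
        reasons.append("system DLL name loaded outside system directories")
    # Unusual module path: unsigned DLL sitting beside the executable in a writable folder.
    same_dir = ntpath.dirname(loaded) == ntpath.dirname(image)
    if same_dir and loaded.startswith(WRITABLE_HINTS) and event.get("Signed") != "true":
        reasons.append("unsigned DLL beside executable in user-writable path")
    return reasons


def triage(events):
    """Return (Image, ImageLoaded, reasons) for every event with at least one reason."""
    flagged = []
    for ev in events:
        reasons = assess_image_load(ev)
        if reasons:
            flagged.append((ev["Image"], ev["ImageLoaded"], reasons))
    return flagged


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\updater\tool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\updater\version.dll",
     "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "true"},
    {"Image": r"C:\ProgramData\Tools\viewer.exe",
     "ImageLoaded": r"C:\ProgramData\Tools\plugin.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for image, dll, reasons in triage(SAMPLE_EVENTS):
        print(f"{image} -> {dll}: {'; '.join(reasons)}")
```

Both heuristics produce false positives on legitimately unsigned application DLLs, so the results are leads for review rather than verdicts.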
