Bypass Record

DLL Side-Loading × Xcitium OpenEDR

A publicly reported instance of DLL Side-Loading bypassing Xcitium OpenEDR, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Xcitium OpenEDR
Technique: DLL Side-Loading
MITRE ATT&CK: T1574.002
Confidence: High
Severity: High
Status: poc
Disclosed: 2024-02-22
Config / version noted: Not stated

Provenance

Reported as

the driver does not verify the signature of the DLL it injects, and it searches for the DLL in an unprotected path (System32) before the protected installation path

Mechanism

The OpenEDR driver uses kernel callbacks to inject a hooking DLL (edrpm64.dll or edrpm32.dll) into new processes. The injection, performed via an APC, does not verify the DLL's signature, and the driver searches for the DLL in System32, which is not protected against tampering, before it searches the protected installation path. An attacker with high integrity can rename the original DLL and place a malicious one in System32; the driver then loads and injects the malicious DLL into all monitored processes.

Detection & mitigation

Monitor for unexpected DLLs being loaded from System32 by the EDR's injection driver, especially if the DLL lacks a valid signature or has a recently changed hash. Mitigation: enforce driver signature verification for injected DLLs and restrict write access to the EDR's installation and DLL search paths to SYSTEM only.
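An added host audit for the conditions described above (example code written for this record, not from the cited source or from Xcitium): it checks the two DLL names the record gives for presence in System32, Authenticode status, agreement with the copy in the install directory, and write-capable ACEs held by anything other than SYSTEM. The function name Test-EdrHookDll is hypothetical, and $InstallPath is a placeholder because the record does not state the OpenEDR installation directory.

```powershell
# Added audit script (not from the cited source). $InstallPath is a PLACEHOLDER;
# the record does not state where OpenEDR is installed.
param(
    [string]$InstallPath = 'C:\Program Files\PLACEHOLDER-OpenEDR'   # assumption
)

$DllNames = @('edrpm64.dll', 'edrpm32.dll')        # DLL names from the record
$System32 = Join-Path $env:SystemRoot 'System32'   # path the driver resolves first

function Test-EdrHookDll {
    param([string]$Name)
    $candidate = Join-Path $System32 $Name
    $r = [ordered]@{
        Dll = $Name; PresentInSystem32 = $false; SignatureStatus = 'n/a'
        Signer = 'n/a'; MatchesInstallCopy = 'n/a'; NonSystemWriters = @()
    }
    if (-not (Test-Path -LiteralPath $candidate)) { return [pscustomobject]$r }

    # Any copy in System32 is notable: the driver looks there before the install path.
    $r.PresentInSystem32 = $true

    # The driver performs no signature check, so the host has to: report the
    # Authenticode status (Valid, NotSigned, HashMismatch, ...) and the signer.
    $sig = Get-AuthenticodeSignature -FilePath $candidate
    $r.SignatureStatus = $sig.Status.ToString()
    if ($sig.SignerCertificate) { $r.Signer = $sig.SignerCertificate.Subject }

    # Compare against the copy in the (protected) install directory, if one exists.
    $installCopy = Join-Path $InstallPath $Name
    if (Test-Path -LiteralPath $installCopy) {
        $hashSys32   = (Get-FileHash -LiteralPath $candidate).Hash
        $hashInstall = (Get-FileHash -LiteralPath $installCopy).Hash
        $r.MatchesInstallCopy = ($hashSys32 -eq $hashInstall)
    }

    # The record's mitigation is SYSTEM-only write access. List every other
    # identity holding a write-capable Allow ACE (inherited System32 ACEs count).
    $r.NonSystemWriters = @((Get-Acl -LiteralPath $candidate).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -match 'Write|Modify|FullControl' -and
        $_.IdentityReference.Value -ne 'NT AUTHORITY\SYSTEM'
    } | ForEach-Object { $_.IdentityReference.Value })

    [pscustomobject]$r
}

$DllNames | ForEach-Object { Test-EdrHookDll -Name $_ } | Format-List
```

A DLL that is present in System32 with a status other than Valid, a hash that differs from the install copy, or writers beyond SYSTEM is the condition the detection note above asks to monitor for.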


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.