Bypass Record

DLL Side-Loading × ESET Inspect Connector for Windows

A publicly reported instance of DLL Side-Loading bypassing ESET Inspect Connector for Windows, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: ESET Inspect Connector for Windows
Technique: DLL Side-Loading
MITRE ATT&CK: T1574.002
Confidence: High
Severity: High
Status: patched
Disclosed: 2026-01-30
Config / version noted: Not stated

Provenance

Reported as

A low-privileged user can create this directory and place a malicious openssl.cnf that uses the dynamic_path directive to load an attacker-controlled DLL.

Mechanism

The ESET Inspect Connector's ElConnector.exe (running as SYSTEM) loads OpenSSL with a hardcoded config path C:\src\vcpkg\packages\openssl_x64-windows-static\openssl.cnf. A low-privileged user can create this directory and place a malicious openssl.cnf that uses the dynamic_path directive to load an attacker-controlled DLL. When the service restarts or initializes OpenSSL, the DLL executes with SYSTEM privileges inside the EDR process, enabling privilege escalation and potential EDR bypass.

Detection & mitigation

Monitor for unexpected DLL loads into security-critical processes (e.g., EDR agents) from user-writable paths like C:\src\vcpkg\packages\, especially when the loading process runs as SYSTEM. Mitigate by applying the vendor patch and restricting write access to directories used by security software.
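
The monitoring rule above, sketched as an added example (not code from the cited source or from ESET). It assumes image-load telemetry with fields modeled on Sysmon Event ID 7 (Image, ImageLoaded, User) and treats anything outside a short list of protected roots as potentially user-writable; the install directory and DLL names in the sample events are constructed placeholders.

```python
import ntpath

# Assumption: roots a standard user cannot write to on a default Windows install.
PROTECTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
# ElConnector.exe comes from the record; extend with other agent binaries as needed.
WATCHED_IMAGES = {"elconnector.exe"}
SYSTEM_USER = r"nt authority\system"


def norm(path):
    """Collapse '..' and separators, then lower-case (Windows paths are case-insensitive)."""
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path, root):
    """True only if path is root itself or inside it ('C:\\Program FilesX' must not match)."""
    p, r = norm(path), norm(root)
    return p == r or p.startswith(r + "\\")


def suspicious_loads(events):
    """Return image-load events where a watched SYSTEM process loaded a module
    from outside the protected roots."""
    hits = []
    for ev in events:
        if ntpath.basename(norm(ev["Image"])) not in WATCHED_IMAGES:
            continue
        if ev["User"].lower() != SYSTEM_USER:
            continue
        if any(is_under(ev["ImageLoaded"], root) for root in PROTECTED_ROOTS):
            continue
        hits.append(ev)
    return hits


# Constructed sample events; the install directory and DLL names are placeholders.
AGENT = r"C:\Program Files\PLACEHOLDER\ElConnector.exe"
SYSTEM = r"NT AUTHORITY\SYSTEM"
SAMPLE_EVENTS = [
    {"Image": AGENT, "User": SYSTEM, "ImageLoaded": r"C:\Windows\System32\bcrypt.dll"},
    {"Image": AGENT, "User": SYSTEM,
     "ImageLoaded": r"c:\SRC\vcpkg\packages\openssl_x64-windows-static\example.dll"},
    {"Image": AGENT, "User": SYSTEM, "ImageLoaded": r"C:\Program FilesX\example.dll"},
    {"Image": r"C:\Windows\notepad.exe", "User": r"DESKTOP\alice",
     "ImageLoaded": r"C:\Users\alice\example.dll"},
]

if __name__ == "__main__":
    for hit in suspicious_loads(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "loaded", hit["ImageLoaded"])
```

The allowlist approach flags any load from a root-level directory such as C:\src, which standard users can typically create, without needing to enumerate every writable path in advance.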

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.