Hijacking Attacks (DLL, Token, Session)

Hijacking Attacks (DLL, Token, Session) – A Comprehensive Guide for GIAC GCIH

Introduction

Hijacking attacks are among the most critical post-exploitation techniques tested on the GIAC Certified Incident Handler (GCIH) exam. These attacks allow adversaries to escalate privileges, maintain persistence, and evade detection by leveraging legitimate system mechanisms. Understanding DLL hijacking, token hijacking, and session hijacking is essential not only for passing the exam but also for real-world incident handling and response.

Why Are Hijacking Attacks Important?

Hijacking attacks are important for several reasons:

1. Privilege Escalation: Attackers can gain SYSTEM-level or administrative privileges without exploiting a traditional vulnerability.
2. Evasion: Because these techniques leverage legitimate operating system features (DLLs, tokens, sessions), they often bypass traditional security controls and antivirus solutions.
3. Persistence: Hijacking mechanisms can allow attackers to maintain long-term access to compromised systems.
4. Prevalence: These techniques are widely used by real-world threat actors, APT groups, and are featured prominently in frameworks like MITRE ATT&CK.
5. Exam Relevance: The GCIH exam specifically tests your ability to identify, explain, and respond to these attack types.

---

1. DLL Hijacking

What Is DLL Hijacking?

DLL (Dynamic Link Library) hijacking is an attack technique where an adversary exploits the way Windows applications search for and load DLL files. When an application does not specify the full path to a required DLL, the operating system follows a predefined search order to locate the file. An attacker can place a malicious DLL in a location that is searched before the legitimate DLL's location, causing the application to load the attacker's code instead.

How Does DLL Hijacking Work?

The Windows DLL search order typically follows this sequence:

1. The directory from which the application was loaded
2. The system directory (e.g., C:\Windows\System32)
3. The 16-bit system directory
4. The Windows directory
5. The current working directory
6. Directories listed in the PATH environment variable

Attack Steps:

- The attacker identifies an application that loads a DLL without specifying the full path.
- The attacker determines which directories are searched and identifies a writable location that is searched before the legitimate DLL's directory.
- The attacker creates a malicious DLL with the same name as the expected DLL and places it in the prioritized directory.
- When the vulnerable application runs, it loads the malicious DLL instead of (or before) the legitimate one.
- The attacker's code executes with the same privileges as the application.

Common Variants:

- DLL Search Order Hijacking: Exploiting the default search order as described above.
- DLL Side-Loading: Placing a malicious DLL alongside a legitimate application, often used with signed executables to appear trustworthy.
- Phantom DLL Hijacking: Targeting DLLs that an application tries to load but that don't actually exist on the system.
- DLL Redirection: Using .local files or manifests to redirect DLL loading.

Tools Used:
- Process Monitor (ProcMon) – to identify DLL search order vulnerabilities
- PowerSploit – contains modules for DLL hijacking
- Robber – automated DLL hijacking detection

Detection and Mitigation:
- Use full paths when loading DLLs in application code
- Enable SafeDllSearchMode (enabled by default in modern Windows)
- Monitor for unexpected DLL loads using Sysmon or EDR solutions
- Apply the principle of least privilege to directory permissions
- Use application whitelisting

MITRE ATT&CK Reference: T1574.001 (Hijack Execution Flow: DLL Search Order Hijacking)

---

2. Token Hijacking (Token Manipulation/Impersonation)

What Is Token Hijacking?

Token hijacking, also known as access token manipulation, involves an attacker stealing or manipulating Windows access tokens to impersonate another user or escalate privileges. Every process in Windows runs under a security context defined by an access token. If an attacker can obtain or duplicate a token from a higher-privileged process, they can execute code as that user—including SYSTEM.

How Does Token Hijacking Work?

Windows uses two types of tokens:

- Primary Tokens: Assigned to processes and represent the security context of the user who started the process.
- Delegation Tokens: Created when a user logs in interactively (e.g., via RDP, console logon). These tokens can be used to impersonate the user on local and remote systems.
- Impersonation Tokens: Created for non-interactive sessions (e.g., accessing a network share). These are limited in scope but can still be abused.

Attack Steps:

1. The attacker gains initial access and obtains at least local administrator or SeImpersonatePrivilege/SeAssignPrimaryTokenPrivilege.
2. The attacker enumerates available tokens on the system (e.g., using tools like Incognito or Meterpreter's token commands).
3. The attacker identifies a token belonging to a high-privilege user (e.g., Domain Admin, SYSTEM).
4. The attacker impersonates or duplicates that token.
5. The attacker launches a new process using the stolen token, effectively operating as the target user.

Key Techniques:

- Token Impersonation: Using an existing impersonation or delegation token to act as another user. Tools like incognito (standalone or within Meterpreter) list and impersonate available tokens.
- Token Stealing/Duplication: Using API calls like DuplicateTokenEx() to create a copy of another process's token.
- Potato Attacks (Hot Potato, Juicy Potato, Sweet Potato, PrintSpoofer): These are privilege escalation techniques that abuse Windows services and token impersonation to escalate from service accounts to SYSTEM. They exploit the SeImpersonatePrivilege that service accounts commonly hold.
- Pass-the-Token: Similar conceptually to Pass-the-Hash, where a token is reused across systems.

Tools Used:
- Meterpreter (steal_token, incognito module)
- Incognito (standalone)
- PowerShell with Windows API calls (Invoke-TokenManipulation from PowerSploit)
- JuicyPotato, PrintSpoofer, RoguePotato

Detection and Mitigation:
- Monitor for unusual token manipulation API calls (e.g., Event ID 4624 with Logon Type 9 - NewCredentials)
- Restrict SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege to only necessary accounts
- Use Credential Guard to protect tokens
- Monitor for processes spawning under unexpected user contexts
- Implement least privilege principles

MITRE ATT&CK Reference: T1134 (Access Token Manipulation) and sub-techniques T1134.001, T1134.002, T1134.003

---

3. Session Hijacking

What Is Session Hijacking?

Session hijacking is the act of taking over an active user session—either a network/web session or a local/remote desktop session—to gain unauthorized access. The attacker effectively becomes the legitimate user without needing to authenticate.

Types of Session Hijacking:

A. Network/Web Session Hijacking:

This involves stealing or predicting session identifiers (session IDs, cookies, tokens) used by web applications or network protocols to maintain state.

How It Works:
- Session Sniffing: Capturing session cookies or tokens by sniffing network traffic (especially over unencrypted HTTP).
- Cross-Site Scripting (XSS): Injecting malicious scripts that steal session cookies from a victim's browser.
- Session Fixation: The attacker sets a known session ID for the victim before they log in. Once the victim authenticates, the attacker uses the pre-set session ID to access the authenticated session.
- Session Prediction: Guessing or predicting session IDs due to weak randomization algorithms.
- Man-in-the-Middle (MitM): Intercepting and manipulating traffic between client and server to steal or inject session data.

Tools:
- Wireshark, tcpdump (sniffing)
- Burp Suite (intercepting and manipulating web sessions)
- Ettercap, Bettercap (MitM attacks)
- Hamster/Ferret (cookie sidejacking)
- Cookie Cadger

B. RDP/Local Session Hijacking:

On Windows systems, an attacker with SYSTEM privileges can hijack another user's active or disconnected RDP/console session without knowing their password.

How It Works:
- The attacker obtains SYSTEM-level access on a Windows machine.
- The attacker uses the tscon command to switch to another user's session: tscon [target_session_id] /dest:[current_session_name]
- This connects the attacker to the target user's desktop session directly—no password required.
- This works for both active and disconnected sessions.

Tools:
- tscon.exe (built-in Windows tool)
- PsExec (to obtain SYSTEM context)
- Mimikatz (ts::sessions)

Detection and Mitigation:

For Web/Network Session Hijacking:
- Enforce HTTPS/TLS everywhere
- Use Secure and HttpOnly flags on cookies
- Implement strong session ID generation (high entropy, randomness)
- Regenerate session IDs after authentication
- Implement session timeouts
- Use anti-CSRF tokens
- Validate session binding (IP, user-agent)

For RDP/Local Session Hijacking:
- Prevent SYSTEM-level compromise in the first place
- Log off disconnected sessions rather than leaving them disconnected
- Set Group Policy to limit session lifetimes
- Monitor for tscon.exe usage and unusual session switching (Event ID 4778, 4779)
- Use Remote Credential Guard

MITRE ATT&CK Reference: T1563 (Remote Service Session Hijacking), T1550.004 (Web Session Cookie)

---

Comparison Table: DLL vs. Token vs. Session Hijacking

Aspect	DLL Hijacking	Token Hijacking	Session Hijacking
Target	Application DLL loading mechanism	Windows access tokens	Active user sessions (web or RDP)
Primary Goal	Code execution, persistence, privilege escalation	Privilege escalation, lateral movement	Unauthorized access, impersonation
Prerequisite	Write access to a directory in the DLL search path	Local admin or SeImpersonatePrivilege	Network access (web) or SYSTEM access (RDP)
OS/Platform	Windows	Windows	Cross-platform (web); Windows (RDP)
Common Tools	ProcMon, PowerSploit	Incognito, Meterpreter, JuicyPotato	Burp Suite, tscon, Ettercap

---

Exam Tips: Answering Questions on Hijacking Attacks (DLL, Token, Session)

1. Know the Definitions Cold: Be able to clearly distinguish between DLL hijacking, token hijacking, and session hijacking. The exam may present scenarios and ask you to identify which type of attack is being described.

2. Understand the Prerequisites: Questions often test whether you know what level of access or conditions an attacker needs before performing each attack. For example:
- DLL hijacking requires write access to a directory in the search path
- Token impersonation typically requires SeImpersonatePrivilege or local admin
- RDP session hijacking requires SYSTEM-level access

3. Focus on the DLL Search Order: You should be able to list or recognize the Windows DLL search order. Exam questions may ask where a malicious DLL would need to be placed to be loaded before the legitimate one.

4. Differentiate Token Types: Know the difference between primary tokens, delegation tokens, and impersonation tokens. Understand when each type is created and what capabilities they provide to an attacker.

5. Know the Tools: Be familiar with the tools associated with each attack type. The exam frequently references tools like Incognito, Meterpreter's token manipulation commands, ProcMon, tscon, and various Potato exploits. You should know what each tool does and in which attack context it is used.

6. Understand Detection Methods: The GCIH exam heavily emphasizes incident handling. Know which Windows Event IDs, log sources, and behavioral indicators are associated with each hijacking technique. For example:
- Sysmon Event ID 7 (Image Loaded) for DLL hijacking
- Event ID 4624 Logon Type 9 for token manipulation
- Event IDs 4778/4779 for session reconnect/disconnect

7. Map to MITRE ATT&CK: Be familiar with the relevant ATT&CK technique IDs. The exam may reference them directly or describe techniques in ATT&CK terms.

8. Scenario-Based Thinking: Many GCIH questions present a scenario (e.g., log entries, command-line output, attack descriptions) and ask you to identify the attack. Practice identifying hijacking attacks from contextual clues such as:
- An unexpected DLL being loaded from an unusual directory → DLL hijacking
- An attacker running steal_token or impersonate_token commands → Token hijacking
- An attacker using tscon to connect to session 2 → RDP session hijacking
- Session cookies being replayed → Web session hijacking

9. Understand Mitigations: Be prepared to answer questions about how to prevent or mitigate each type of hijacking. Know the specific Group Policy settings, coding best practices, and security controls for each.

10. Link to the Kill Chain/Incident Handling Process: Understand where each hijacking technique fits in the attack lifecycle. DLL hijacking is often used for persistence or execution. Token hijacking is typically a privilege escalation or lateral movement technique. Session hijacking can be used for initial access or lateral movement. Be ready to describe the appropriate incident handling steps (identification, containment, eradication, recovery) for each.

11. Don't Confuse Similar Concepts: A common exam pitfall is confusing token hijacking with Pass-the-Hash or Pass-the-Ticket. While related, these are distinct techniques. Token manipulation involves stealing or duplicating access tokens on a local system, while PtH/PtT involve reusing authentication material across the network.

12. Use Your Index Effectively: Since the GCIH is an open-book exam, create detailed index entries for each hijacking type, including page references for definitions, tools, detection methods, and mitigations. Use tabs or color-coding to quickly locate hijacking-related content during the exam.

Summary: Hijacking attacks represent a core category of post-exploitation techniques that every GCIH candidate must master. By understanding the mechanics, prerequisites, tools, detection strategies, and mitigations for DLL, token, and session hijacking, you will be well-prepared to tackle exam questions on these topics and apply this knowledge in real-world incident handling scenarios.