In the past two posts of this series, we’ve covered lateral movement through WMI event subscriptions and DCOM, detailing approaches to improve the OpSec of our tradecraft.
In the final post of this series, we will provide an overview of how DLL hijacking can be used for lateral movement. Traditionally, DLL hijacking is more commonly associated with its use in persistence and privilege escalation attacks. However, in certain circumstances it can also be used for lateral movement, as was shown in this post by Dwight Hohnstein from SpecterOps where hijacks were demonstrated using the Service Control Manager. What we will show in this post is that the scope for DLL hijacks for lateral movement is much broader, illustrating examples of how it can be achieved across other services such as WMI and DCOM.