PowerShell script to find, report, and mitigate (where possible) EXEs with exploitable DLLs
If a vulnerable Microsoft DLL is properly code-signed, the script will auto-remediate the vulnerability.
Once tested successfully, I recommend running this tool on your organization's standard Windows
desktop deployment image, verifying that everything works well, and then using the resulting yyyy-MM-dd_HH-mm_New.xml
file to deploy the mitigations to the fleet via GPO (recommended, and required if other Defender settings are GPO-managed),
or using:
Set-ProcessMitigation -PolicyFilePath .\yyyy-MM-dd_HH-mm_New.xml
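Before pushing the policy file to a fleet it is worth seeing exactly which executables it touches and which of them would actually change on a given machine. The following review function is an added example, not part of RemediateDLLHijack.ps1; it assumes the file uses the Set-ProcessMitigation policy schema (a MitigationPolicy root with one AppConfig element per executable and a SignedBinaries element carrying the MicrosoftSignedOnly attribute) and that Get-ProcessMitigation reports that setting as ON, OFF or NOTSET. The function name and the file name are placeholders.

```powershell
# Added example, not part of RemediateDLLHijack.ps1: review the generated
# yyyy-MM-dd_HH-mm_New.xml before deploying it, comparing each executable's
# MicrosoftSignedOnly value in the file with the setting currently in effect.
# Assumptions: the Set-ProcessMitigation policy schema
#   <MitigationPolicy><AppConfig Executable="x.exe"><SignedBinaries MicrosoftSignedOnly="true"/></AppConfig></MitigationPolicy>
# and Get-ProcessMitigation reporting the value as ON / OFF / NOTSET.
function Compare-SignedOnlyPolicy {
    param(
        [Parameter(Mandatory)] [string] $PolicyFilePath
    )

    [xml] $policy = Get-Content -LiteralPath $PolicyFilePath -Raw

    foreach ($app in @($policy.MitigationPolicy.AppConfig)) {
        $exe      = $app.Executable
        $inPolicy = $app.SignedBinaries.MicrosoftSignedOnly   # "true"/"false", or $null if the element is absent

        # Setting currently in effect on this machine for the same executable name
        $current = 'UNKNOWN'
        try {
            $current = "$((Get-ProcessMitigation -Name $exe -ErrorAction Stop).SignedBinaries.MicrosoftSignedOnly)"
        } catch {
            Write-Warning "Could not query the current mitigation for ${exe}: $_"
        }

        [pscustomobject]@{
            Executable       = $exe
            PolicySignedOnly = $inPolicy
            CurrentSetting   = $current
            # True when applying the file would flip MicrosoftSignedOnly for this executable
            WouldChange      = (("$inPolicy" -eq 'true') -ne ($current -eq 'ON'))
        }
    }
}

# Usage (placeholder file name):
#   Compare-SignedOnlyPolicy -PolicyFilePath .\yyyy-MM-dd_HH-mm_New.xml | Format-Table
#   Set-ProcessMitigation -PolicyFilePath .\yyyy-MM-dd_HH-mm_New.xml   # apply once the list looks right
```

Run the comparison on a machine that was not used for the scan: every row with WouldChange set to True is an executable that will start refusing non-Microsoft DLLs there, so those are the ones to cross-check against Exceptions.txt and the CSV before the GPO goes out.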
The tool has to make assumptions as it scans and remediates executables. For the cases where those assumptions fail, Exceptions.txt is pre-loaded with known exceptions:
- A vulnerable Microsoft EXE needs to load an unsigned DLL that we have not scanned for (somewhat likely).
- The Microsoft DLL we found is not the one the EXE will actually load (not common).
- A third-party application loads Microsoft DLLs in addition to other unsigned DLLs (common).
Usage:
- Take a full OS backup if necessary (i.e. if this is not a fresh deployment image or test box)
- Download the latest release ZIP
- Right-click on the ZIP and select Properties
- Click "Unblock," then "OK"
- Extract to the location of your choice
- Open an Administrator PowerShell window
- Run RemediateDLLHijack.ps1
- Note: this process takes a while, as it must iterate through all Microsoft paths to check for signed DLLs. Expect up to seven hours of runtime on a modern PC.
- You may see a number of "WARNING: Error while setting ..." console messages. These can be safely ignored.

Reading the results:
- After a completed run, find the CSV file and open it with your favorite editor
- Column 1 indicates whether the tool remediated the vulnerability or not
- Any entries listed as "AUTO-MITIGATED!" were mitigated using Microsoft Process Mitigation
- Any entries listed as "INTERVENTION REQD" are likely 3rd-party DLLs you should evaluate
- Note: "INTERVENTION REQD" executables that load DLLs found during your scan may not exist on your machine. The results are included to ensure full coverage.
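Evaluating an "INTERVENTION REQD" entry usually comes down to one question: which of the DLLs that executable can pick up are Microsoft-signed, and which would MicrosoftSignedOnly block? The function below is an added example rather than the tool's own code. It inspects the DLLs sitting next to a given executable with Get-AuthenticodeSignature and classifies each one; the function name, the subject-string match on "O=Microsoft Corporation" and the choice to look only at the executable's own folder are my assumptions.

```powershell
# Added example, not part of RemediateDLLHijack.ps1: classify the DLLs that live
# beside an executable so an "INTERVENTION REQD" entry can be evaluated.
# Assumption: a DLL counts as Microsoft-signed when its Authenticode signature is
# Valid and the signer subject contains "O=Microsoft Corporation".
function Get-DllSignatureReport {
    param(
        [Parameter(Mandatory)] [string] $ExePath
    )

    $dir = Split-Path -Parent (Resolve-Path -LiteralPath $ExePath).Path

    Get-ChildItem -LiteralPath $dir -Filter *.dll -File | ForEach-Object {
        # Get-AuthenticodeSignature also consults catalog signatures on current Windows builds
        $sig     = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $isMs    = ($sig.Status -eq 'Valid') -and ($subject -match 'O=Microsoft Corporation')

        [pscustomobject]@{
            Dll             = $_.Name
            SignatureStatus = $sig.Status
            Signer          = $subject
            MicrosoftSigned = $isMs
            Verdict         = if ($isMs) { 'Loads under MicrosoftSignedOnly' }
                              elseif ($sig.Status -eq 'Valid') { 'Third-party signed: blocked unless an exception is added' }
                              else { 'Unsigned or invalid signature: blocked unless an exception is added' }
        }
    }
}

# Usage (placeholder path):
#   Get-DllSignatureReport -ExePath 'C:\Program Files\ExampleVendor\exename.exe' | Format-Table -AutoSize
```

This only covers the application directory, which is the first place the loader looks; an executable can still pull DLLs from other search-order locations, so treat a clean report as evidence rather than proof before deciding whether the entry belongs in Exceptions.txt.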
Allowing an executable to load unsigned DLLs:
- Open an Administrator PowerShell window
- For each executable you want to allow unsigned DLL loading on (exchange exename.exe for the actual executable name):
Set-ProcessMitigation -Disable MicrosoftSignedOnly -Name exename.exe
Rolling back all changes:
- Navigate to the folder where the tool was run
- Open the CSV file and filter out all blank entries from the "Rollback Cmd" column
- Copy the "Rollback Cmd" column data from all of the populated rows and paste into Notepad, saving as a text file
- Open an Administrator PowerShell window
- Copy/paste the commands from your text file to revert all changes
- Alternatively, restore from backup
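The copy-into-Notepad rollback works, but pasting a column of commands straight into an elevated shell executes whatever ended up in that column. The function below is an added example, not the tool's own code: it reads the CSV with Import-Csv, accepts only rollback commands of the exact shape shown in this README (Set-ProcessMitigation -Disable MicrosoftSignedOnly -Name exename.exe), and calls the cmdlet with the extracted name rather than evaluating the text. The function name, the -Apply switch and the assumption that every rollback command has that shape are mine; the column name "Rollback Cmd" comes from the steps above.

```powershell
# Added example, not part of RemediateDLLHijack.ps1: replay the "Rollback Cmd"
# column of the tool's CSV without Invoke-Expression. Only commands matching
#   Set-ProcessMitigation -Disable MicrosoftSignedOnly -Name <exe>
# are acted on; anything else is reported and skipped. Without -Apply the
# function is a dry run that lists what it would revert.
function Invoke-RollbackFromCsv {
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        [switch] $Apply
    )

    # Assumed rollback command shape, taken from this README
    $pattern = '^\s*Set-ProcessMitigation\s+-Disable\s+MicrosoftSignedOnly\s+-Name\s+(?<exe>\S+)\s*$'

    Import-Csv -LiteralPath $CsvPath |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_.'Rollback Cmd') } |
        ForEach-Object {
            $cmd = $_.'Rollback Cmd'
            if ($cmd -match $pattern) {
                $exe = $Matches.exe
                if ($Apply) {
                    # Same operation the README's rollback step performs, one executable at a time
                    Set-ProcessMitigation -Name $exe -Disable MicrosoftSignedOnly
                    "Reverted MicrosoftSignedOnly for $exe"
                } else {
                    "Would revert MicrosoftSignedOnly for $exe"
                }
            } else {
                Write-Warning "Skipping unrecognised rollback command: $cmd"
            }
        }
}

# Usage (placeholder file name), from an Administrator PowerShell window:
#   Invoke-RollbackFromCsv -CsvPath .\results.csv            # dry run
#   Invoke-RollbackFromCsv -CsvPath .\results.csv -Apply     # revert
```

Run the dry run first and check the list against the "AUTO-MITIGATED!" rows; any warning about an unrecognised command means the CSV contains something other than the expected rollback line, which is worth a look before reverting.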
Caveat:
- If your Windows install is not 100% default (the \Windows, \Program Files and \ProgramData folders are not all located on the C: drive), you will have to manually edit the script to handle this scenario