
Exploiting DLL Search Order Hijacking in Microsoft Edge’s Trusted Directory
This technique abuses DLL search order hijacking: a malicious well_known_domains.dll is placed in a user-writable directory and is then loaded by a trusted, signed Microsoft binary, in this case Microsoft Edge. To reproduce it, copy the malicious well_known_domains.dll to the directory C:\Users\USERNAME\AppData\Local\Microsoft\Edge\User Data\Well Known Domains\x.x.x.x. When Microsoft Edge is launched or closed, the browser attempts to load the DLL from this path and executes the payload.
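A detection for the load described above, as an added example that is not part of the original page: it scans image-load records for msedge.exe loading well_known_domains.dll from the user-writable path without a valid trusted signature. The field names follow Sysmon Event ID 7; the sample events, the user name `alice` and the expected signer are constructed assumptions.

```python
import re

# Field names follow Sysmon Event ID 7 (image load). Events below are constructed.
# Path from the write-up: per-user Edge directory, any user and version folder.
WKD_DLL = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Microsoft\\Edge\\User Data"
    r"\\Well Known Domains\\[^\\]+\\well_known_domains\.dll$",
    re.IGNORECASE,
)
# Assumption: the genuine component carries this signer; confirm on a known-good host.
TRUSTED_SIGNER = "Microsoft Corporation"


def is_suspicious_load(event):
    """True when msedge.exe loads well_known_domains.dll from the user-writable
    directory and the module lacks a valid signature from the trusted signer."""
    if not event.get("Image", "").lower().endswith("\\msedge.exe"):
        return False
    if not WKD_DLL.match(event.get("ImageLoaded", "")):
        return False
    trusted = (
        event.get("Signed", "").lower() == "true"
        and event.get("SignatureStatus") == "Valid"
        and event.get("Signature") == TRUSTED_SIGNER
    )
    return not trusted


def suspicious_events(events):
    """Return only the events that match the hijack pattern."""
    return [e for e in events if is_suspicious_load(e)]


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
DLL = r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Well Known Domains\x.x.x.x\well_known_domains.dll"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Image": EDGE, "ImageLoaded": DLL, "Signed": "true",
     "SignatureStatus": "Valid", "Signature": TRUSTED_SIGNER},
    {"Image": EDGE, "ImageLoaded": DLL, "Signed": "false",
     "SignatureStatus": "Unavailable", "Signature": "-"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true",
     "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for hit in suspicious_events(SAMPLE_EVENTS):
        print("ALERT:", hit["ImageLoaded"], hit["SignatureStatus"])
```

Because the file name and directory are the same for a genuine and a replaced module, the signature fields are what separate the two; the path alone only narrows the search.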