Preventing Mock Folder Attacks with BeyondTrust Privilege Management for Windows
Using Content Control Rules to Prevent Mock Folder Exploits
Taking our proactive approach with Privilege Management for Windows further, we can even prevent the creation of mock folders and generate audit events to indicate when an attempt to create one has been blocked. Here’s how this is accomplished. If you are using our solution’s Quick Start Policy, create a new Content Definition within a new Content Group and use the following criteria:
File/Folder: .* \\.*
Matching Criteria: Regular Expressions
Similar to the Application Rule method, the key to this configuration is using the Regular Expressions matching criterion to describe the defining characteristic of a mock directory: a folder name that ends in a space, so the path contains a space immediately before a path separator.
The Regular Expression breaks down as follows:
.* - Any number of any characters
" " - A single space character (the mock directory characteristic: a folder name with a trailing space, which Win32 path normalization would otherwise strip)
\\ - A literal backslash, the path separator (escaped, because a lone backslash has special meaning in a regular expression), followed by
.* - Any number of any characters
When performing tests in BeyondTrust labs to confirm the effectiveness of this technique, we validated that it blocks the creation of new mock folders and blocks access to existing mock folders.
The screenshot below shows the resulting Endpoint Privilege Management Block Message when running the command to create a new mock folder within PowerShell: New-Item "\\?\C:\Windows \System32" -ItemType Directory
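To see exactly which paths the Content Definition above will and will not match, the following is an added example (not code from BeyondTrust or from the original post) that evaluates the same pattern, `.* \\.*`, against a constructed set of sample paths. The product evaluates the rule with a .NET regular expression engine; for this construct Python's `re` module gives the same result, so the classification below reproduces what the rule sees. The path list and the function names are this example's own.

```python
import re

# Pattern taken from the Content Definition: any characters, a space, a literal
# backslash, any characters. Because .* appears at both ends, re.search and
# re.fullmatch agree on every input, so fullmatch is used to make that explicit.
MOCK_FOLDER_PATTERN = re.compile(r".* \\.*")

# Constructed sample paths for illustration; none are taken from a real system.
SAMPLE_PATHS = [
    r"\\?\C:\Windows \System32",              # mock folder: "Windows " then a separator
    r"C:\Windows \System32\mock.dll",         # payload dropped inside a mock folder
    r"C:\Program Files\Vendor\app.exe",       # legitimate: space is inside a name
    r"C:\Users\Alice\Documents\report.docx",  # legitimate
    r"\\?\C:\Windows ",                       # trailing space but no separator after it
    r"C:\Windows\System32\kernel32.dll",      # legitimate
]


def is_mock_folder_path(path: str) -> bool:
    """True when the path has the characteristic the rule targets: a space
    immediately followed by a backslash somewhere in the path."""
    return MOCK_FOLDER_PATTERN.fullmatch(path) is not None


def classify(paths):
    """Map each path to the verdict the Content Control rule would produce."""
    return {p: ("block" if is_mock_folder_path(p) else "allow") for p in paths}


if __name__ == "__main__":
    for path, verdict in classify(SAMPLE_PATHS).items():
        print(f"{verdict:5}  {path}")
```

Two things worth noticing in the output. Paths whose spaces sit inside a folder name (`Program Files`) are left alone, because the pattern requires the space to be directly followed by a backslash, which is the case only when a folder name ends in a space. Conversely, the pattern needs something after the space: the PowerShell command quoted above matches because `\System32` follows the mock `Windows ` folder, but a path that ends in a trailing space with no further separator (the fifth sample) does not match this pattern as written. In practice the technique depends on placing a sub-folder or file inside the mock folder, and every such path does match, but if you want the creation of the bare trailing-space folder itself to be caught as well, test your own variant of the pattern against both forms before deploying it.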
Privilege Management for Windows & Mac Key Capabilities
BeyondTrust Privilege Management for Windows & Mac pairs powerful least privilege management and application control capabilities, delivering fast, unmatched risk-reduction potential. Grant the right privilege to the right user or application, only for the moments it is needed. Simplified deployment models and a single, comprehensive audit trail drive quick time-to-value and streamline compliance.
Least Privilege: Restrict admin rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities.
Passwordless Administration: Perform administrative functions on an endpoint without the need for privileged or administrator credentials, removing the attack vector that offers adversaries the biggest prize.
Application Control: Automated and elegant exception handling gives you total control over what users can install or run, and gives IT back control over applications.
QuickStart Templates: Flexible workstyle templates let you implement least privilege policies for everyone, even sysadmins. Consistently institutionalize policies in a multiple OS environment – centrally, easily.
Trusted Application Protection: Pre-built templates stop attacks that abuse trusted applications, catching malicious scripts and infected email attachments immediately, including trojan horses and fileless (living-off-the-land) attacks.
Flexible Deployment Options: Select from multiple deployment models, including on-prem and SaaS, to best suit your business needs, compliance requirements, and security ecosystem.
Power Rules: Use PowerShell scripts to automate workflows, create custom behaviors, or build integrations with ITSM and other tools because your security ecosystem is more than any one product.
The more integrated the ecosystem, the better your security position. To learn more about BeyondTrust Privilege Management for Windows QuickStart policies, watch this 2-min overview video. And, if you have questions or would like to explore the solution further, contact us today.
Caleb Kershaw, Senior QA Engineer
Caleb Kershaw is a Senior QA Engineer on the Privilege Management for Windows team at BeyondTrust. After graduating from Staffordshire University (UK) with a Bachelor of Science degree in Forensic Computing, Caleb joined Avecto (now part of BeyondTrust) as a member of its Customer Technical Support Team in 2014. He moved to the Quality Assurance department in 2017 and has been working with the Privilege Management for Windows product for more than six years.