How to Prevent DLL Hijacking & Mock Folder Exploits

September 1, 2020


Security researchers have recently identified a new technique that allows simple DLL hijacking of privileged processes in Windows 10 by abusing a combination of file system permissions, how Windows validates files, signatures and their paths, and how Windows searches for DLLs to be loaded. Left alone, this vulnerability can allow a user to spoof the system into launching processes with modified DLLs present. The modified DLL could contain code that triggers other processes or tasks of the attacker's choosing. In the researchers' write-up, the modified DLL is used to launch an elevated instance of the Windows Command Processor, bypassing the protection Windows provides.

Mock directories masquerade as a legitimate path, typically by appending a trailing space to the folder name, and Windows incorrectly checks a file running from this path against the contents of the legitimate path instead. This means that users may run and elevate an apparently genuine application from a mock directory, which loads a malicious DLL named to match a legitimate DLL loaded by the application that an attacker has also placed in their mock directory.

Windows User Account Control (UAC), a protection mechanism introduced in Windows Vista, asks the user to confirm that they wish to run an application with elevated permissions before it is executed. It appears that, unlike many other UAC bypass techniques, this one has induced Microsoft to work on a fix. However, as of right now, there are limited native mitigations available.

Preventing Mock Folder Attacks with BeyondTrust Privilege Management for Windows

By using BeyondTrust Privilege Management for Windows (part of BeyondTrust’s Endpoint Privilege Management solution), organizations can easily prevent attackers from leveraging mock folders. Let’s briefly review some simple yet highly effective configurations that enable this capability.

Using Application Rules to Prevent Mock Folder Exploits


Note: The following was performed in the BeyondTrust labs using the QuickStart Policy’s “All Users” and “Low Flexibility” Workstyles enabled (you can apply these definitions to a Block Rule at the top of any Workstyle to prevent the DLL hijacking):

Using the Quick Start Policy, create a new Application Definition within the “Block – Block listed Apps” Application Group with the following criteria:

Application Type: Executable

Command Line: .* \\.*

Matching Criteria: Regular Expressions



This will protect executables, but you could use this Regular Expression (RegEx) with other application types. The key to this configuration is using a Regular Expression criterion to identify the characteristic of a mock directory (a space immediately before a path separator) in the command line.

The Regular Expression breaks down as follows:

.* - Any number of any characters

" " - A single space character (the trailing space that characterises a mock directory)

\\ - A literal backslash (escaped, because the backslash is a regex metacharacter), followed by

.* - Any number of any characters

When performing tests in BeyondTrust labs to confirm the effectiveness of this Privilege Management for Windows technique, we validated that it blocks applications launched from mock folders, while also allowing legitimate applications (in non-mock Windows folders) to correctly launch. We also tested additional paths (such as Program Files, etc.), which might also have been targeted.

The screenshot below shows the resulting Endpoint Privilege Management Block Message when running applications from the "c:\Windows \system32" mock folder we created, having matched the Regular Expression based definition in our "Block - Block listed Apps" Application Group.

Mock Folder exploit blocked by using Application Rules

The prompt clearly shows the file path with its additional space, and informs the user that it has prevented the application from executing. A corresponding Audit event was also created, which provides us with a strong indication of attack. In addition to being collected into the BeyondTrust solution’s reporting system, this data can be integrated into your SIEM to generate alerts.

Using Content Control Rules to Prevent Mock Folder Exploits

Taking our proactive approach with Privilege Management for Windows further, we can even prevent the creation of mock folders and generate audit events to indicate when an attempt to create one has been blocked. Here’s how this is accomplished. If you are using our solution’s Quick Start Policy, create a new Content Definition within a new Content Group and use the following criteria:

File/Folder: .* \\.*

Matching Criteria: Regular Expressions

Similar to the Application Rule method, the key to this configuration is using a Regular Expression criterion to identify the characteristic of a mock directory in the file or folder path.

The Regular Expression breaks down as follows:

.* - Any number of any characters

" " - A single space character (the trailing space that characterises a mock directory)

\\ - A literal backslash (escaped, because the backslash is a regex metacharacter), followed by

.* - Any number of any characters

When performing tests in BeyondTrust labs to confirm the effectiveness of this technique, we validated that it blocks the creation of new mock folders and blocks access to existing mock folders.
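Because the Application Rule and the Content Rule above rely on the same Regular Expression, it is worth exercising it against representative command lines and paths before rolling a policy out. The following Python script is an added example, not code from this post or from BeyondTrust: it applies the post's expression `.* \\.*` to constructed sample inputs (genuine system paths, the "C:\Windows \System32" mock folder, and the `\\?\`-prefixed path used to create one) and reports which would trigger the block. It assumes the Command Line criterion is evaluated against the whole command line, arguments included, and it adds a stricter component-based check (my addition, not a product feature) that flags only path components ending in a space. Python's regex engine agrees with .NET on the constructs used here.

```python
import re

# The Regular Expression from the post, used by both the Application Rule
# (Command Line criterion) and the Content Rule (File/Folder criterion).
# In a raw string, "\\" is the regex escape for one literal backslash.
MOCK_FOLDER_RULE = re.compile(r".* \\.*")


def matches_block_rule(text: str) -> bool:
    """Return True when the post's expression matches the whole string,
    i.e. the rule would fire and the launch or folder creation would be blocked."""
    return MOCK_FOLDER_RULE.fullmatch(text) is not None


def mock_folder_components(path: str) -> list:
    """Stricter check (added here, not a product feature): return the path
    components that end in a space, the defining trait of a mock directory.
    Intended for file/folder paths, not for full command lines."""
    # The \\?\ prefix (as in the post's New-Item example) tells Win32 to skip
    # path normalisation, which is what lets the trailing space survive.
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return [part for part in path.split("\\") if part != part.rstrip(" ")]


# Constructed sample inputs (not from the post's lab data) with the expected outcome.
SAMPLES = {
    r"C:\Windows\System32\cmd.exe": False,        # genuine system path
    r"C:\Program Files\Vendor\app.exe": False,    # a space, but not before a backslash
    r"C:\Windows \System32\cmd.exe": True,        # mock folder from the post
    r"\\?\C:\Windows \System32": True,            # path used to create the mock folder
    r"cmd.exe /c dir \\server\share": True,       # caveat: a UNC argument also matches
}


def check_samples() -> bool:
    """True when every constructed sample produces the expected rule outcome."""
    return all(matches_block_rule(s) == expected for s, expected in SAMPLES.items())


if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "BLOCK" if matches_block_rule(sample) else "allow"
        print(f"{verdict:5}  {sample}")
    # The component check, applied to the path-only samples.
    for path in (r"\\?\C:\Windows \System32", r"C:\Program Files\Vendor\app.exe"):
        print(f"trailing-space components in {path!r}: {mock_folder_components(path)}")
    print("all samples as expected:", check_samples())
```

The last sample is a caveat rather than a mock folder: the expression fires on any space followed by a backslash, so a command line carrying a UNC path argument would also be blocked by the Application Rule if the criterion sees arguments. Running the expression over your own launch audit data before switching the rule from audit to block shows whether that matters in your environment; the component-based check is one way to tighten the match for the Content Rule, where the input is a path rather than a command line.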

The screenshot below shows the resulting Endpoint Privilege Management Block Message when running the command to create a new mock folder within PowerShell: New-Item "\\?\C:\Windows \System32" -ItemType Directory

Mock Folder Exploit Blocked within PowerShell by Using Content Rules

As with the Application Rule, the user was presented with a prompt that clearly shows the file path, with its additional space. The prompt informs the user that it has prevented the creation of this folder. The corresponding Audit event was created, which again provides us with a strong indication of attack.

The screenshot below shows the resulting Endpoint Privilege Management Block Message, and subsequent Windows prompt, when attempting to access an existing mock folder.

Mock folder exploit blocked using content rules

In this example, the user is again presented with a prompt clearly showing the file path with its additional space. The prompt informs the user that it has prevented the user from accessing this folder. The corresponding Audit event was created, which again provides us with a strong indication of attack.

How to Prevent DLL Hijacking of Trusted Microsoft Applications with Privilege Management for Windows Using the QuickStart Policy

When users create a copy of an existing trusted application in another location, they are effectively creating a new file and, as such, they are the creator/owner of the new file. The ownership of this file is another powerful characteristic, which allows BeyondTrust’s Privilege Management for Windows solution to distinguish between system files and files created by end users. Creating this distinction allows the files to be treated differently, even though they are basically the same file.

Under an Endpoint Privilege Management policy, a copy of CMD on the user's desktop is treated as an exception, not because of where the file is, but because of who owns the file and how that changes the risk profile of the application.

Using the Low Flexibility Workstyle in the QuickStart Policy, a user would receive a Challenge/Response prompt, which requires the user to seek approval from someone to continue their action (although we can still audit the attempt, even if they decide to cancel).

This may mean contacting the Service Desk, for example, via BeyondTrust’s ServiceNow integration, or just by picking up the phone and asking a deskside support engineer to assist them. The key takeaway here is that the user cannot continue without explicit approval.

Blocked Mock Folder exploit using Windows Quick Start Policy settings

Privilege Management for Windows & Mac QuickStart Policies

QuickStart Templates are flexible, out-of-the-box workstyles that let you immediately eliminate admin rights for everyone on day 1—without disrupting the business.

The solution’s built-in policies are based on our experience across thousands of deployments, including some of the most complex IT environments across the world. And the policies work immediately out-of-the-box. This rapid on-boarding process means you can remove admin rights overnight without productivity loss.

Templates work for all users, from the least-privileged desktop user to advanced developers and sysadmins.

Our default settings cover 80% of use cases. Exception handling covers the rest. And recorded behavioral data lets you make policy improvements over time for each specific user group.

Privilege Management for Windows & Mac Key Capabilities

BeyondTrust Privilege Management for Windows & Mac pairs powerful least privilege management and application control capabilities, delivering fast, unmatched risk-reduction potential. Grant the right privilege to the right user or application, only for the moments it is needed. Simplified deployment models and a single, comprehensive audit trail drive quick time-to-value and streamline compliance.

Least Privilege: Restrict admin rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities.

Passwordless Administration: Perform administrative functions on an endpoint without the need for privileged or administrator credentials – taking away the biggest and highest prize attack vector.

Application Control: Automated and elegant exception handling give you total control over what users can install or run. Gives IT back control over applications.

QuickStart Templates: Flexible workstyle templates let you implement least privilege policies for everyone, even sysadmins. Consistently institutionalize policies in a multiple OS environment – centrally, easily.

Trusted Application Protection: The pre-built templates stop attacks involving trusted apps, catching bad scripts and infected email attachments immediately. Stops the trojan horse, fileless attack (living off the land), and more.

Flexible Deployment Options: Select from multiple deployment models, including on-prem and SaaS, to best suit your business needs, compliance requirements, and security ecosystem.

Power Rules: Use PowerShell scripts to automate workflows, create custom behaviors, or build integrations with ITSM and other tools because your security ecosystem is more than any one product.

The more integrated the ecosystem, the better your security position. To learn more about BeyondTrust Privilege Management for Windows QuickStart policies, watch this 2-min overview video. And, if you have questions or would like to explore the solution further, contact us today.


Photograph of ​Caleb Kershaw

​Caleb Kershaw, Senior QA Engineer

Caleb Kershaw is a Senior QA Engineer on the Privilege Management for Windows team at BeyondTrust. After graduating from Staffordshire University (UK) with a Bachelor of Science degree in Forensic Computing, Caleb joined Avecto (now part of BeyondTrust) as a member of its Customer Technical Support Team in 2014. He moved over to the Quality Assurance department in 2017 and has been working with the Privilege Management for Windows product for 6+ years.
