How to Prevent DLL Hijacking & Mock Folder Exploits

Security researchers have recently identified a new technique that allows simple DLL hijacking of privileged processes in Windows 10 by abusing a combination of file system permissions, how Windows validates files, signatures and their paths, and how Windows searches for DLLs to be loaded. Left alone, this vulnerability can allow a user to spoof the system into launching processes with modified DLLs present. The modified DLL could contain code that triggers other processes or tasks of the attackers choosing. In the aforementioned article, the modified DLL is used to launch an elevated instance of the Windows Command Processor, bypassing the protection Windows provides.

Mock directories masquerade as a legitimate path, typically by appending a trailing space to the folder name, and Windows incorrectly checks a file running from this path against the contents of the legitimate path instead. This means that users may run and elevate an apparently genuine application from a mock directory, which loads a malicious DLL named to match a legitimate DLL loaded by the application that an attacker has also placed in their mock directory.

Windows User Account Control (UAC)), a protection mechanism introduced in Windows Vista, asks the user to confirm if the user wishes to run an application with elevated permissions before it is executed. It appears that, unlike many other UAC bypass techniques, this one has induced Microsoft to work on a fix. However, as of right now, there are limited native mitigations available.

By using BeyondTrust Privilege Management for Windows (part of BeyondTrust’s Endpoint Privilege Management solution), organizations can easily prevent attackers from leveraging mock folders. Let’s briefly review some simple, yet highly effective configurations, that enable this capability.

Note: The following was performed in the BeyondTrust labs using QuickStart Policy’s “All Users” and “Low Flexibility” Workstyle’s enabled (you can apply these definitions to a Block Rule at the top of any Workstyle to prevent the DLL hijacking):

Using the Quick Start Policy, create a new Application Definition within the “Block – Blacklisted Apps” Application Group with the following criteria:

This will protect executables, but you could use this Regular Expression (RegEx) with other application types. The key to this configuration is leveraging a Regular Expression criteria to identify the characteristics of a mock directory in the command line.

The Regular Expression breaks down as follows:

.* - Any number of any characters

- A space character (the mock directory characteristic of a trailing space)

\\ - A literal slash, followed by

.* - Any number of any characters

When performing tests in BeyondTrust labs to confirm the effectiveness of this Privilege Management for Windows technique, we validated that it blocks applications launched from mock folders, while also allowing legitimate applications (in non-mock Windows folders) to correctly launch. We also tested additional paths (such as Program Files, etc.), which might also have been targeted.

The screenshot below shows the resulting Endpoint Privilege Management Block Message when running applications from the "c:\Windows \system32" mock folder we created, having matched the Regular Expression based definition in our "Block - Blacklisted Apps" Application Group.

The prompt clearly shows the file path with its additional space, and informs the user that it has prevented the application from executing. A corresponding Audit event was also created, which provides us with a strong indication of attack. In addition to being collected into the BeyondTrust solution’s reporting system, this data can be integrated into your SIEM to generate alerts.

As with the Application Rule, the user was presented with a prompt that clearly shows the file path, with its additional space. The prompt informs the user that it has prevented the creation of this folder. The corresponding Audit event was created, which again provides us with a strong indication of attack.

The screenshot below shows the resulting Endpoint Privilege Management Block Message, and subsequent Windows prompt, when attempting to access an existing mock folder.

How to Prevent DLL Hijacking of Trusted Microsoft Applications with Privilege Management for Windows using The QuickStart Policy

When users create a copy of an existing trusted application in another location, they are effectively creating a new file and, as such, they are the creator/owner of the new file. The ownership of this file is another powerful characteristic, which allows BeyondTrust’s Privilege Management for Windows solution to distinguish between system files and files created by end users. Creating this distinction allows the files to be treated differently, even though they are basically the same file.

Under an Endpoint Privilege Management policy, a copy of CMD on the user's desktop is treated as an exception, not because of where the file is, but because of who owns the file and how that changes the risk profile of the application.

Using the Low Flexibility Workstyle in the QuickStart Policy, a user would receive a Challenge/Response prompt, which requires the user to seek approval from someone to continue their action (although we can still audit the attempt, even if they decide to cancel).

This may mean contacting the Service Desk, for example, via BeyondTrust’s ServiceNow integration, or just by picking up the phone and asking a deskside support engineer to assist them. The key takeaway here is that the user cannot continue without explicit approval.

Privilege Management for Windows & Mac QuickStart Policies

QuickStart Templates are flexible, out-of-the-box workstyles that let you immediately eliminate admin rights for everyone on day 1—without disrupting the business.

The solution’s built-in policies are based on our experience across thousands of deployments, including some of the most complex IT environments across the world. And the policies work immediately out-of-the-box. This rapid on-boarding process means you can remove admin rights overnight without productivity loss.

Templates work for all users, from the least-privileged desktop user to advanced developers and sysadmins.

Our default settings cover 80% of use cases. Exception handling covers the rest. And recorded behavioral data lets you make policy improvements over time for each specific user group.