The New Threat That Bypasses Windows 10's Security With Mock Folders
New research highlights that an attacker can now use a streamlined DLL hijacking and mock directory mechanism to circumvent Windows 10's UAC protection feature and execute elevated commands without alerting the user.
The Windows UAC protection mechanism is available on devices running Windows Vista and above. Daniel Gebert, a security researcher, was the first to illustrate the technique whereby he bypassed the protection through DLL hijacking and mock directories.
Here’s a breakdown of how this technique works and the recommended solutions for thwarting this loophole.
What Are Mock Directories In Windows 10?
Mock directories are imitation directories whose names carry a trailing space. For instance, a legitimate Windows directory looks like C:\Windows\System32\, whereas a mock directory looks like C:\Windows \System32\. As you can see, the two look almost identical; the only difference is the trailing space after Windows, before the \System32\ segment.
It’s also important to understand that you can’t create mock directories through the normal Windows UI. You can create them only from the Command Prompt (CMD) or from a PowerShell script editor, and either way you can only create sub-directories of this kind, not top-level parent directories.
How Does This Threat Work?
Daniel Gebert found around 300 Windows 10 executables that were vulnerable to DLL hijacking and, in addition, allowed attackers to bypass the UAC security feature. He also published a list of nearly every Windows 10 executable that is prone to DLL hijacking.
According to Daniel’s blog, he started with a straightforward search for the executables under “C:\Windows\System32”. He ended up with an incomplete list of around 616 executables, and created a mock directory named “C:\Windows \System32” to test them against.
He then built a custom “version.dll” from a template whose payload spawns a child CMD shell. Rather than rewriting every DLL by hand, he reused that template and simply renamed the compiled file to whichever DLL name he wanted to hijack. He also noted that the mock folder is what turns the hijack into a workable attack.
Once the “version.dll” was compiled, he copied it into the mock folder “C:\Windows \System32”. He then ran each executable in turn, hoping it would pick up his “version.dll” from the mock folder, a hit-or-miss approach that largely disappointed him, but one he tried anyway. Next, he watched how the executables loaded their DLLs using Process Monitor from the Microsoft Sysinternals Suite.
When running particular files, he observed that several executables loaded a “profapi.dll”. By simply renaming his “version.dll” to “profapi.dll”, Daniel obtained a Command Prompt shell.
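The following PowerShell script is an added example written from a defender’s perspective; it is not from the article or from the research it describes. It walks a directory tree and flags directories whose names end in a space or a period (the pattern the mock-folder technique depends on, and one the normal Windows UI never creates), then lists any DLLs stored beneath them together with their Authenticode signature status, so a planted “profapi.dll” or “version.dll” can be spotted before something loads it. The scan root C:\ and the function name Find-MockDirectory are assumptions of this example.

```powershell
# Added example, not from the article or the original research.
# Flags directories whose last character is a space or a period (the
# "mock directory" pattern) and lists DLLs stored beneath them.
function Find-MockDirectory {
    [CmdletBinding()]
    param(
        # Assumed default: scan the system drive. Narrow it (for example to
        # 'C:\Windows') for a faster check.
        [string]$Root = 'C:\'
    )

    # One recursive enumeration. Names come straight from the file system,
    # so the trailing space in a directory such as "Windows " is preserved
    # (Win32 only strips trailing spaces from the *last* path segment,
    # which is exactly why the technique works).
    $items = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue

    # A path is suspect when any directory segment (not the file name itself)
    # ends in ' ' or '.'.
    $isMockPath = {
        param([string]$fullName)
        $segments = $fullName -split '[\\/]'
        if ($segments.Count -lt 2) { return $false }
        foreach ($seg in $segments[0..($segments.Count - 2)]) {
            if ($seg.EndsWith(' ') -or $seg.EndsWith('.')) { return $true }
        }
        return $false
    }

    # Report the mock directories themselves.
    $dirs = $items | Where-Object { $_.PSIsContainer -and ($_.Name -ne $_.Name.TrimEnd(' ', '.')) }
    foreach ($dir in $dirs) {
        [pscustomobject]@{
            Kind      = 'MockDirectory'
            Path      = $dir.FullName
            Signature = ''
        }
    }

    # Report DLLs living anywhere under a mock directory, with signature status.
    # An unsigned or invalid signature on a file under such a path is the
    # strongest indicator; a valid Microsoft signature is still worth a look.
    $dlls = $items | Where-Object {
        (-not $_.PSIsContainer) -and ($_.Extension -eq '.dll') -and (& $isMockPath $_.FullName)
    }
    foreach ($dll in $dlls) {
        $sig = Get-AuthenticodeSignature -LiteralPath $dll.FullName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Kind      = 'DllInMockPath'
            Path      = $dll.FullName
            Signature = $(if ($sig) { $sig.Status } else { 'Unknown' })
        }
    }
}

# Usage (assumed): scan the system drive and show findings as a table.
Find-MockDirectory -Root 'C:\' | Format-Table -AutoSize
```

Run it from an elevated shell so that system directories are readable; on a clean machine it should return nothing, and any MockDirectory row under C:\ deserves investigation regardless of whether a DLL is present yet.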
The practical defence against such mock-folder attacks is to set the UAC alert level to its highest setting. You can always adjust this level to your preference, but at the lower, default level UAC does not prompt when the user changes Windows settings; it only prompts when an application tries to make changes to the system or a similar attempt is made against core files.
Here are some things that you can do:
- Set the highest-level security to allow UAC to generate real-time alerts when changes are made by the user
- Enterprise users need to set UAC security at the highest level
- Change the settings by simply working on the following path: Control Panel>System and Security>Security and Management>Change User Account Control Settings
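The slider reached through that Control Panel path writes three registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The PowerShell below is an added example, not part of the article: it reads those values, maps them to the slider position, and with the -Enforce switch (a name assumed for this example) raises the level to “Always notify”. The -Enforce path needs an elevated shell, and on a domain-joined machine Group Policy may overwrite the change at the next refresh.

```powershell
# Added example, not from the article. Audits (and optionally enforces) the
# UAC prompt level that the Control Panel slider stores in the registry.
#   EnableLUA                  1 = UAC enabled (a change here needs a reboot)
#   ConsentPromptBehaviorAdmin 2 = prompt administrators for every elevation
#                              5 = prompt only for non-Windows binaries (default)
#                              0 = elevate silently
#   PromptOnSecureDesktop      1 = show the prompt on the secure (dimmed) desktop
function Test-UacLevel {
    [CmdletBinding()]
    param(
        # Assumed switch name for this example: raise the level to "Always notify".
        [switch]$Enforce
    )

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # Map the three values onto the slider positions the Control Panel offers.
    $combo = "$($p.EnableLUA)/$($p.ConsentPromptBehaviorAdmin)/$($p.PromptOnSecureDesktop)"
    $level = switch ($combo) {
        '1/2/1' { 'Always notify (highest)' }
        '1/5/1' { 'Notify only when apps try to make changes (default)' }
        '1/5/0' { 'Notify only when apps try to make changes, without secure desktop' }
        '1/0/0' { 'Never notify' }
        default { if ($p.EnableLUA -ne 1) { 'UAC disabled (EnableLUA=0)' } else { "Custom ($combo)" } }
    }

    # Below "Always notify", signed Windows binaries may auto-elevate without
    # a prompt, which is the behaviour the mock-folder technique relies on.
    $autoElevate = ($p.EnableLUA -ne 1) -or ($p.ConsentPromptBehaviorAdmin -ne 2)

    if ($Enforce -and $autoElevate) {
        Set-ItemProperty -Path $key -Name EnableLUA                  -Value 1 -Type DWord
        Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
        Set-ItemProperty -Path $key -Name PromptOnSecureDesktop      -Value 1 -Type DWord
        $level       = 'Always notify (highest) - just enforced'
        $autoElevate = $false
    }

    [pscustomobject]@{
        Level                      = $level
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        AutoElevationPossible      = $autoElevate
    }
}

# Usage (assumed): audit only, then enforce from an elevated shell.
Test-UacLevel
# Test-UacLevel -Enforce
```

The same three values are what the Group Policy settings under Security Options (“User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode” and its siblings) control, so in an enterprise the -Enforce branch is better replaced by the equivalent policy, which also prevents a local administrator from sliding the level back down.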
There are many write-ups on the internet about UAC bypass techniques and how to block them. Although many vendors don’t consider UAC bypasses a serious issue, the setting still needs to be looked after.
Fortunately, you can employ an extra layer of security on top of Windows Defender to ensure that your device stays protected from these new threats.