Security researchers Matt Graeber and Matt Nelson have discovered a way to run a malicious DLL on Windows 10 without the User Account Control (UAC) springing into action and alerting users of the potential danger.

UAC is a technology that’s meant to improve the security of the OS by preventing software – or, more importantly, malware – from running with administrative privileges unless explicitly authorized to do so by the user.

How is the attack executed?

By modifying a default scheduled task (“SilentCleanup”) associated with the Disk Cleanup utility, they were able to trigger the running of a specially crafted DLL file without triggering UAC. That’s because SilentCleanup on Windows 10 is configured “to be launchable by unprivileged users but to run with elevated/high integrity privileges.”

The process (cleanmgr.exe) started by the task creates a new folder, and populates it with multiple DLLs and another process (dismhost.exe) that loads them in a specific order.

“Because the current medium integrity user has write access to the user’s %TEMP% directory, it is possible to hijack a DLL loaded by dismhost.exe and obtain code execution in a high integrity process,” the researchers noted.

They identified the last DLL (LogProvider.dll) loaded by dismhost.exe, then used a WMI event to monitor for the creation of the aforementioned folder and to exchange the legitimate LogProvider.dll with a malicious one created by them and given the same name. The dismhost.exe loads the malicious DLL instead of the legitimate one, and UAC doesn’t spring into action.

The result? Malicious code execution in a high integrity context.

Naturally, to do all that, the machine first has to be infected with malware that is capable of performing this attack. Graeber and Nelson have created a PoC PowerShell script that performs the attack.

What is Microsoft going to do about it?

Absolutely nothing.
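The attack hinges on one observable fact from the article: a DLL that dismhost.exe loads from the cleanup folder under %TEMP% was last written by something other than cleanmgr.exe or dismhost.exe. The following is an added detection example, not code from the article or from the researchers’ PoC. It correlates constructed, Sysmon-style file-create and image-load events (the event shapes, process paths, folder name and timestamps are all assumptions made up for the example) and flags exactly that condition, plus the weaker case where a DLL is loaded from %TEMP% with no recorded writer at all.

```python
"""Added detection example (not from the article or the researchers' PoC):
correlate constructed, Sysmon-style FileCreate and ImageLoad events to flag
a DLL that dismhost.exe loaded from %TEMP% after a process outside the
Disk Cleanup chain last wrote it."""
from dataclasses import dataclass
from typing import Dict, List
import ntpath


@dataclass
class Event:
    ts: float       # seconds on a constructed timeline
    kind: str       # "FileCreate" (like Sysmon event 11) or "ImageLoad" (like event 7)
    image: str      # process that wrote the file or loaded the DLL
    target: str     # file written, or DLL path loaded


# Processes that legitimately populate the cleanup folder (named in the article).
TRUSTED_WRITERS = {"cleanmgr.exe", "dismhost.exe"}


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _under(path: str, root: str) -> bool:
    """True when path lies inside root (case-insensitive, Windows separators)."""
    return path.lower().startswith(root.lower().rstrip("\\") + "\\")


def find_temp_dll_hijacks(events: List[Event], temp_root: str) -> List[dict]:
    """Return one finding per DLL that dismhost.exe loaded from under temp_root
    when the most recent writer of that file was not cleanmgr.exe/dismhost.exe,
    or when no writer of that file was observed at all."""
    last_writer: Dict[str, Event] = {}
    findings: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "FileCreate":
            last_writer[ev.target.lower()] = ev     # remember the latest writer per path
            continue
        if ev.kind != "ImageLoad" or _basename(ev.image) != "dismhost.exe":
            continue
        if not _under(ev.target, temp_root):
            continue                                # loads from System32 etc. are expected
        writer = last_writer.get(ev.target.lower())
        if writer is None:
            findings.append({"dll": ev.target, "writer": None, "severity": "medium",
                             "reason": "loaded from %TEMP% with no observed writer"})
        elif _basename(writer.image) not in TRUSTED_WRITERS:
            findings.append({"dll": ev.target, "writer": writer.image, "severity": "high",
                             "reason": "last written by a process outside the cleanup chain"})
    return findings


# Constructed sample timeline (not a real capture); the folder name is a placeholder.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
FOLDER = TEMP + r"\{constructed-guid}"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event(1.0, "FileCreate", r"C:\Windows\System32\cleanmgr.exe", FOLDER + r"\dismhost.exe"),
    Event(1.1, "FileCreate", r"C:\Windows\System32\cleanmgr.exe", FOLDER + r"\LogProvider.dll"),
    Event(1.2, "FileCreate", r"C:\Windows\System32\cleanmgr.exe", FOLDER + r"\OtherProvider.dll"),
    # A medium-integrity process overwrites LogProvider.dll before it is loaded.
    Event(1.5, "FileCreate", PS, FOLDER + r"\LogProvider.dll"),
    Event(2.0, "ImageLoad", FOLDER + r"\dismhost.exe", FOLDER + r"\OtherProvider.dll"),
    Event(2.1, "ImageLoad", FOLDER + r"\dismhost.exe", FOLDER + r"\LogProvider.dll"),
    # A load from outside %TEMP% must not be flagged.
    Event(2.2, "ImageLoad", FOLDER + r"\dismhost.exe", r"C:\Windows\System32\kernel32.dll"),
]

if __name__ == "__main__":
    for f in find_temp_dll_hijacks(SAMPLE_EVENTS, TEMP):
        print(f["severity"], f["dll"], "<-", f["writer"], ":", f["reason"])
```

On the sample timeline only LogProvider.dll is reported, as a high-severity finding attributed to powershell.exe; OtherProvider.dll is ignored because cleanmgr.exe was its last writer. The "medium" path exists because file-create telemetry is often incomplete, and a dismhost.exe load from %TEMP% with no matching write is still worth a look rather than silence.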