
Hello, welcome everyone. I'm Grzegorz and, uh, you are pronouncing my name really, really properly; if you really prefer, I may be Greg for you. I'm doing mostly research around Windows. I'm working every day in a large organization trying to implement AppLocker, so I started to dig into AppLocker, finding a lot of interesting things when it comes to AppLocker.

AppLocker, as a short introduction for you, is one of three ways we have within Windows for application whitelisting. The typical approach we have built into Windows systems, the one we are using every day on our desktops just by default, is that we have a kind of anti-malware, antivirus, however we call it, trying to block malicious actions, especially trying to block you from running well-known malware. So if you download the malware to your machine and try to run it, probably something will pop up saying it is not allowed to be run. It is a typical blacklisting approach, telling you it is not allowed because we know it is bad. The whitelisting approach is totally different; it is a different paradigm, telling you you can run only what you have allowed previously. In Windows we have three ways of doing this. The very first, historically speaking, is SRP, Software Restriction Policies, built into Windows XP. SRP is not the smartest thing because it relies on Explorer, and Explorer is your process, so you can manipulate the process that is trying to prevent you from running unwanted processes; so it is not that effective in practice, it's easily hacked. By the way, one of the most known applications being used for bypassing SRP is a tiny program called gpdisable, written by Mark Russinovich. After Mark Russinovich joined Microsoft, this program magically disappeared from the internet; you cannot find it anywhere. Right now we have two possibilities: it is AppLocker, built into Windows starting from Windows 7 if I'm right, and we have Windows Defender Application Control. They are working, I can say, in parallel on different levels. AppLocker is definitely more user friendly when you have to manage it; WDAC is protecting you better, but the overall landscape is not only about the technical possibilities of the solution but about friendliness, knowledge of administrators and so on. On the whole landscape I'm more pro-AppLocker, I would say, even if WDAC is better when it comes to the pure technology.

When it comes to AppLocker, we have a couple of components working within AppLocker. We have a management console, absolutely absent in WDAC by the way; we have a graphical interface, I will show you in a moment; we have some PowerShell; we have a special service, which must be running to have your whitelisting working, which is AppIDSvc; we have a kernel driver doing some magic with tokens, for example; and we have a logging component. Right now I can show you a couple of things on this computer. AppLocker: not yet about the hash, but we are getting closer. Here I can see the AppLocker log; I can see a couple of entries, I will return to them in a moment. When it comes to the management, there is the secpol.msc console, where you can define, under Security Settings, Application Control Policies and AppLocker. For AppLocker you define what you are trying to do on different levels, because you can perform with this thing on executable files, on Windows Installer MSI files, on scripts and on APPX files. Actually .exe, typical executables, are the most common, and it would be great to include DLLs here as well; you have to enable it on this page to enforce the DLLs as well. For every single category you have the possibility to pick the right way of protecting your machines, because we can work in two modes: the audit mode and the enforcement mode. In the enforcement mode, if something is not allowed it will simply not run; there will be a default kind of message telling your user it is not allowed. When we work in the audit-only mode, everything is allowed to be run, but we can see what we see over here, for example this warning. If I see it, I can see there was something in temp, some automated stuff being done within Windows, not being whitelisted, and I have a warning because it was allowed to be run, but if we play seriously it would be blocked.

OK, so I have two rules defined over here, just for demonstration purposes. The first rule is based on the path: if something is within C:\Program Files then it's allowed to be run. The second rule is: if something is within C:\Windows it is allowed to be run, because a regular user cannot, in most cases, drop, let's say, an executable file there. So if a file is within one of those paths, it means an admin did it, so it is legitimate by the location, I would say automatically, because it stays here. So I do not have to manage hundreds or even thousands of different executable files, because I have created those two rules for paths and it is perfectly enough. So if I run something, let's say, from my desktop... OK, it's the wrong console, this is the right one. There I have an application called WriteAAA, writing 100 'A' letters; I will show in a moment why. This application is run from my desktop, which is obviously not Program Files and not Windows, so if I do F5 I can see a warning: it would be blocked if we play seriously. AppLocker detected it and warned us. So you can see AppLocker is trying to register every single executable file being run, but there are some interesting cases over here, because I have written a tiny DLL file. Actually DLL files can contain the same type of executable code as we have within .exe files, but we have no DLL rules defined here, so I will load my DLL. You can see there is my DLL called ignoreapplocker.dll and I will load it using rundll32: rundll32 ignoreapplocker.dll, the method is called DoIt, C:\Windows\System32\cmd.exe. And the new cmd appeared. It is a very special cmd, because if I do whoami /all I will see I'm acting here as SYSTEM. Actually this DLL is stealing the token from one of the services and is launching the new process I have specified in the path over here on the stolen token. So I have a stolen token from SYSTEM, and what is most important over here, the token stolen from the service contains within its data a very special SID telling clearly it is a service; it is the SID S-1-5-6. If AppLocker sees such a SID in the token, it totally ignores such a process. So I ran rundll32 as a regular user, cmd was launched as my special service user on the special stolen token, and whoami.exe, also an application, was launched on this token as well. If I launch something from the desktop which is clearly not allowed, let's go here and I will pick one of the applications, WriteAAA is not a bad example, Shift+right-click, Copy as path, now I can paste, Ctrl+V. It was run, not a big surprise, I'm here in the audit mode, but when I look into the event log I can see the last thing here is: rundll32 was allowed to be run. This is WriteAAA, but from my previous run; this one is the freshest one, it is 3:06, it is the moment I ran rundll32. Everything happening next from my second window was totally absent in the AppLocker log; it would be totally absent if AppLocker really enforced and tried to block some application. So if S-1-5-6 appears within the process token, such a token and such a process are totally ignored by AppLocker. There is one thing more, but it is documented so it's not that funny, because if you have the API function CreateRestrictedToken, under parameters you have a SANDBOX_INERT flag, saying clearly it will be ignored by AppLocker; this flag disables checks for AppLocker. But it's not that funny because it's documented, and the previous one is not documented at all. So we can bypass AppLocker by manipulating the token; it is the first case.

OK, when you create your rules for AppLocker, you have actually three possibilities. I will go here, this is the console I need, Create New Rule, and you have three possibilities for creating a rule. First, through the wizard, you have to specify Allow or Deny. Please do not create the deny rules; AppLocker is about allowing, so deny rules are pointless. Here we can specify a user, which is a great advantage of AppLocker over WDAC, because we can specify a special group: this group is allowed to run everything, and if we put a user into the group this user magically can run anything; if you remove a user from this group, of course after creating a new token, which requires log off, log on and so on, but we can manage easily who can run everything. Anyway, when you create a rule you have three possibilities: we can rely on digital signatures, publisher; we can rely on path, it is what I did for Program Files and Windows; and we can rely on a file hash. For a file hash I will browse files, I will pick my WriteAAA, my simple application, Open, Create, and now I have a rule based on the hash of this WriteAAA file. So if the hash of the file matches, the executable file is allowed to be run; if it does not match, it will not be allowed, at least not by this rule. If right now I close this console, as this one is ignored anyway, and if right now I run WriteAAA again, within the event log, not a big surprise, I will see WriteAAA was allowed to be run; now I have a rule specifying its hash. So what I will do right now: I cannot easily plug in and plug out an external drive into my virtual machine, but I can create a VHD file and detach and attach it, allowing me to manipulate the data on that drive in a physical way. So I will attach a VHD file to my VM, C:\temp\x.vhdx, the X: drive will appear, I will copy WriteAAA into the X: drive, I will run it, X:\WriteAAA, it will run as everything runs here. In the event log, not a big surprise, X:\WriteAAA was allowed to run, as the hash is the hash, perfectly well allowed by AppLocker. So what I will do right now: I will detach the drive, Detach VHD, yep, I want to detach it. I will open it with a hex editor which I have on the desktop, which is yet another application to be allowed, by the way. I will open x.vhdx, Ctrl+F, AAA, it does not matter where, but you can see it, it is here. This is probably what at least some of you did in the past, hacking applications to display your name instead of the legitimate developer name when you run an application; it's exactly the same level of advancement I'm doing here. I will replace a couple of 'A' letters with dots, now I will save it, I will close it and I will attach it again, VHD, C:\temp\x.vhdx, the X: drive appeared, I'm here, X:\WriteAAA, not a big surprise, you can see those dots I have manipulated on the physical level on the drive. But was it allowed to be run or not? From the security perspective the answer should be really simple: it should never be allowed to be run. F5. From the AppLocker perspective it was allowed to be run. This warning is about my hex editor, just to let you know, but the WriteAAA, the manipulated one, was perfectly well allowed.

So let's try to figure out what is going on over here. I will run PowerShell (PowerShell with double L will work better): Get-FileHash for my WriteAAA on the desktop, it is d355 at the beginning, SHA256. Get-FileHash X:\WriteAAA: totally different, not a big surprise, I have manipulated the file so it must be different, but AppLocker allowed it. So what is the AppLocker policy? Get-AppLockerPolicy -Local, I will put it this way, and .ToXml(). This is the AppLocker policy and here you can see the information within the AppLocker policy, the rule, and as you can hopefully see the hash is yet another different one; it's not this one, not this one. All three are SHA-256 hashes, but they are totally different ones. So what is going on here? The very first thing when it comes to hashes is: AppLocker is saying it's SHA256, but it's lying. It is not SHA256. It is not clearly documented what AppLocker is using here, but if we dig deeper we can realize the hash matches the so-called Authenticode hash. There is a well-documented algorithm, invented probably by Microsoft if I'm right, for creating hashes for executable files; it is commonly used for digital signatures in practice, and AppLocker is using it here, not telling you it is using it. It is lying that it is SHA256, which is not the truth at all. There is an undocumented option here: you can specify SHA256Flat as an algorithm, there is no single mention in the documentation about this, and then you can use SHA256, the real SHA256. Anyway, AppLocker is telling you something else about hashes, but still the hash for this file I have manipulated must be different. So again, what is going on here?

I will launch a console as an admin and I will use the built-in fsutil command. fsutil is one of my favorite commands in Windows; it is a command being constantly managed and updated by the team responsible for the file system, for the NTFS file system, so if you want to do some magic with the NTFS file system, fsutil probably is the right tool. fsutil file queryea is querying for extended attributes. Files within the NTFS file system can have so-called extended attributes. You can think about extended attributes, if you are familiar with alternate data streams, as alternate data streams on steroids; they are slightly different, but the purpose is somehow similar. So there is a kind of metadata you can attach to any single file within the file system. It may have some name, it may be of different length, it is just metadata, a kind of attribute to a file called EA, which means extended attribute. If I display the extended attributes for my WriteAAA file, I can see those are the extended attributes of my WriteAAA, and here the last one, the long one, is not that interesting in this case, but this one is very interesting: it is called $Kernel.Purge.AppID.HashInfo, and you can see, if you look closely, this 6E 38 and so on is exactly here; it is the same piece of data. It is the hash of the file, the AppLocker version of the hash, being stored as an extended attribute of the file. And how AppLocker works: AppLocker does not calculate the hash at every single file run; it would be time consuming, it would be too expensive in terms of computation, storage operations etc. So at the first run this extended attribute is created; it contains the AppLocker hash of the file, and during next runs only the cached hash is being verified. What does it mean? If I manipulate the file on the hardware level, which I did using the hex editor on my VHDX file, the hash is not being updated, and AppLocker still relies on the hash even if the hash does not actually match the file. So I can manipulate the file and AppLocker believes its cache instead of the real file content.

When it comes to such extended attributes, again some documentation exists; it is here, about kernel extended attributes. There are two interesting things here. I will scroll a bit to find the information which I want to show you; it is about $Kernel.Purge. Actually, if the extended attribute name starts with $Kernel, it is a kind of flag for the NTFS driver: only kernel code can create such an extended attribute, so I cannot create a $Kernel.something on my own if my code is running in user mode and not in kernel mode. But Purge means: if the file is being touched, exactly speaking, if any of those operations is being performed, then the extended attribute must be removed automatically by the NTFS driver. It is why the hash is good enough if I manipulate the file the typical, the standard way; but if I manipulate the drive which is plugged off my machine, there is no way the NTFS driver will realize what I'm actually doing. So this is how it is working: AppLocker relies on this hash, and if we are smart enough, digging deeply enough in the structure, we can manipulate the data without being noticed by the NTFS driver, so the attribute is not being automatically removed. If I edit this file traditionally, of course this extended attribute will disappear, and during the next run AppLocker will recalculate the hash from the new file, maybe the same one, but it will be recalculated and it will be put into the extended attribute.

There is an interesting thing over here, because there is clear proof that AppLocker, trying to allow or disallow a .exe file from being run, relies on its hash being cached. But we also have a special command called Test-AppLockerPolicy, which is a cmdlet in PowerShell asking AppLocker what AppLocker would say about this file if we try to run it. So I will put this XML into a file, and let's call it xml.txt: Out-File xml.txt. So now I have my AppLocker policy saved into a text file, because the next command, Test-AppLockerPolicy, requires a file to be specified; Test-AppLockerPolicy requires the XML policy to be specified, so it is Test-AppLockerPolicy xml.txt, and it requires another parameter which is -Path, let's say it is about WriteAAA here. And on the legitimate file it will say it is allowed; the policy decision is Allowed because we have a matching rule called WriteAAA, this is the name of the rule as well, so it is saying: based on this rule we will allow this file to be run. If I do the same on the X: drive and my manipulated content, you will see it will be DeniedByDefault, because AppLocker relies on the cache and the Test-AppLockerPolicy command relies on the real file content. Just to make it consistent and look more Microsoft this way.

So please be aware that such manipulations are possible only if you have physical access to the drive, because it's not something an end user can do easily; even attaching and detaching a VHD file is not something allowed for the end user easily, because it requires some privileges a typical user does not have. But when it comes to a USB drive being plugged out and plugged in, then we are on the good side and we can try to manipulate it. Maybe hashes and such manipulations are not that common, but we are still on the right path, I would say. Instead of manipulating the file content, which has very limited practical applications but clearly proves my idea, we can write an attribute to an existing file. So I will exit from PowerShell, I will run my pwn application, it is working. If I go to the AppLocker policy, F5, you can see this application was detected as unwanted; right now it is allowed to be run, but if we play seriously it would not be. So if I know I have some hash-based rule, I can try to play with this as well. So I will copy it to the X: drive, as manipulation on the X: drive is easier. Copy. My X: drive, X:\pwn. My application was run, but it would not be allowed to run if we play seriously, which is clearly stated: X:\pwn was allowed but would have been prevented from running. And I know I have my hash prepared within my policy; I will copy the hash from here, it is the easiest place to take the hash in its proper form. I can try to create an extended attribute on a file which already exists, my X:\pwn. I cannot create, as the Microsoft documentation says, $Kernel.something, but I will do a dirty trick over here: I will create an attribute called "hash kernel something something" and then I will rename it offline, which will be easier. So here I have my SetAppLockerHashCache application; it requires a file name and the hash, so it is SetAppLockerHashCache X:\pwn and the hash I have just copied. Ah, it's on my X: drive, it already has... so I will X:\pwn, and I will call pwn from the desktop, the X: drive... My application is protecting, is not allowing you to create a hash, the extended attribute, which already exists. The X: drive right now does not have the extended attribute; I can clearly prove it by fsutil file queryea X:\pwn: no extended attributes. So I will do some command line magic, watch carefully, F7, a
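The talk's first hash puzzle (Get-FileHash on the desktop file, Get-FileHash on the X: copy, and the hash inside the AppLocker policy are three different values) comes down to which bytes of a PE file are hashed. The block below is an added example, not code from the talk or from its author: it is a simplified reimplementation of Microsoft's Authenticode PE image hash (headers minus the CheckSum field and the Certificate Table directory entry, then section data, then trailing data minus the certificate table) next to a flat SHA-256 of the whole file, run over a tiny PE32 image constructed in the script. The image, the dummy certificate blob and the 6-byte "code" are constructed samples; the script assumes the certificate table, when present, is the last thing in the file. It shows why a flat hash and the AppLocker rule hash never agree and why a signature or checksum update does not change the Authenticode value while a single edited code byte does. It does not model the $Kernel.Purge.AppID.HashInfo cache, which only exists on NTFS.

```python
import hashlib
import struct


def plain_sha256(data: bytes) -> str:
    """Flat hash of the whole file: what Get-FileHash reports."""
    return hashlib.sha256(data).hexdigest()


def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Authenticode PE image hash, simplified for well-formed images.

    Hashes the headers except the CheckSum field and the Certificate Table
    directory entry, then each section's raw data in file order, then any
    trailing data except the attribute certificate table, which is assumed
    to sit at the end of the file (as signtool writes it).
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32
        certdir_off = opt + 128
    elif magic == 0x20B:        # PE32+
        certdir_off = opt + 144
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_off = opt + 64     # CheckSum sits at the same offset in PE32 and PE32+
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    cert_off, cert_size = struct.unpack_from("<II", data, certdir_off)
    if cert_size and cert_off + cert_size != len(data):
        raise ValueError("certificate table not at end of file; unsupported layout")

    h = hashlib.new(algo)
    h.update(data[:checksum_off])                     # headers up to CheckSum
    h.update(data[checksum_off + 4:certdir_off])      # skip the 4-byte CheckSum
    h.update(data[certdir_off + 8:size_of_headers])   # skip the 8-byte cert dir entry
    bytes_hashed = size_of_headers

    sec_tbl = opt + size_of_opt
    sections = []
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tbl + i * 40 + 16)
        sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):        # by file offset, as the spec requires
        h.update(data[raw_ptr:raw_ptr + raw_size])
        bytes_hashed += raw_size

    end = len(data) - cert_size                       # leave the signature blob itself out
    if end > bytes_hashed:
        h.update(data[bytes_hashed:end])
    return h.hexdigest()


def build_minimal_pe(code: bytes, checksum: int = 0, cert_blob: bytes = b"") -> bytes:
    """Constructed sample: a tiny PE32 image with one .text section, for hashing only."""
    if len(code) > 0x200:
        raise ValueError("demo section holds at most 512 bytes")
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                  # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                        # CheckSum
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    raw_size = 0x200
    if cert_blob:                                                    # Certificate Table entry
        struct.pack_into("<II", opt, 128, 0x200 + raw_size, len(cert_blob))
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, raw_size,
                          0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    return headers + code.ljust(raw_size, b"\0") + cert_blob


def demo() -> dict:
    """Reproduce the talk's observation: flat hash and AppLocker-style hash disagree."""
    code = b"\xB8\x2A\x00\x00\x00\xC3"        # constructed: mov eax, 42 ; ret
    edited_code = b"\xB8\x2B\x00\x00\x00\xC3" # one byte changed, like the hex-editor edit
    fake_cert = b"\x08\x00\x00\x00\x00\x02\x02\x00"  # dummy WIN_CERTIFICATE-shaped blob
    unsigned = build_minimal_pe(code)
    checksummed = build_minimal_pe(code, checksum=0x1234)
    signed = build_minimal_pe(code, checksum=0x1234, cert_blob=fake_cert)
    edited = build_minimal_pe(edited_code, checksum=0x1234, cert_blob=fake_cert)
    return {
        "flat_sha256": plain_sha256(unsigned),
        "authenticode": authenticode_hash(unsigned),
        "checksum_changes_flat": plain_sha256(unsigned) != plain_sha256(checksummed),
        "checksum_changes_authenticode": authenticode_hash(unsigned) != authenticode_hash(checksummed),
        "signing_changes_authenticode": authenticode_hash(signed) != authenticode_hash(checksummed),
        "code_edit_changes_authenticode": authenticode_hash(edited) != authenticode_hash(signed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On a real machine the same comparison is: Get-FileHash against the FileHash value in Get-AppLockerPolicy output for an .exe rule; the two only line up if the rule was created with the undocumented SHA256Flat type the talk mentions, which hashes the whole file the way Get-FileHash does. The talk's second finding still applies on top of this: a correct Authenticode hash is only consulted on first run, after which AppLocker trusts the cached extended attribute.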