Windows AppLocker Fails

There are really some huge flaws in this system…

To bad actually, because it’s a nice thing!

Let’s show you my setup:

exe rules script rules

So everyone can run executables and scripts signed by my selfsigned codesigning certificate and the juniper ones.
Everyone can execute from %programfiles% and %windows (default rule) and Everyone from a safe directory called “epic tools” on my skydrive.
And 2 file-path exceptions for keepass and onecal…

Almost the same for powershell, with specific hash-rule for my powershellprofile (which can go now because it’s signed by the selfsigned cert)

Anyway, %desktop% is blocked for all normal users.

Bypass Applocker’s PowerShell policy

Let’s try to run a ps1 file located on the desktop.

weird
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\mendel\Desktop\applockertest\helloworld.ps1'"

I noticed this one when running a powershell script and invoking it from rightmouseclick (run with powershell) and used procmon to find the exact launch command…

(The rightmouseclick “run with powershell” is only available in the context menu if you have the “.ps1” extension associated with notepad… WTF)

And of course there are more: http://www.wilderssecurity.com/threads/windows-7-applocker-can-be-bypassed.321479/ , https://www.mountknowledge.nl/2011/01/28/bypassing-windows-applocker-using-vb-script-in-word-and-excel/ .
This one is also nice! http://baileysoriginalirishtech.blogspot.be/2015/06/applocker-schmapplocker.html

Bypass Applocker’s exe policy

Multiple bugs/exploits for this are known. As for example the ones from Casey Smith https://twitter.com/subtee/status/627904214451138560

CaptureI just used Case’s code to PoC this ๐Ÿ™‚ https://github.com/subTee/ShmooCon-2015/blob/master/POC.cs

Basically, just block everything!

Device Guard

A new feature in Windows 10 might be a solution for all of this ๐Ÿ™‚ http://www.malwaretech.com/2015/09/device-guard-beginning-of-end-for.html?m=1

We’ll see, we’ll see…

Advertenties

Geef een reactie

Vul je gegevens in of klik op een icoon om in te loggen.

WordPress.com logo

Je reageert onder je WordPress.com account. Log uit / Bijwerken )

Twitter-afbeelding

Je reageert onder je Twitter account. Log uit / Bijwerken )

Facebook foto

Je reageert onder je Facebook account. Log uit / Bijwerken )

Google+ photo

Je reageert onder je Google+ account. Log uit / Bijwerken )

Verbinden met %s

%d bloggers liken dit: