
Bypassing AppLocker Protection by Manipulating Its Cache

BSides Prishtina · 2023 · 42:25 · Published 2023-05
About this talk
AppLocker, Windows' built-in application whitelisting solution, caches file hashes as extended attributes to improve performance. This talk explores how attackers can manipulate the cached hash data on offline drives to bypass AppLocker's protections, examines the underlying mechanisms that make this possible, and discusses mitigations.
Original YouTube description
Built-in application whitelisting solution greatly improves the security of the Windows operating system. But are you aware it relies on the cached data to make its operations faster? Manipulation of the cache content may lead to the protection bypass. The session focuses on the mechanism, its bypasses and mitigations.
Transcript [en]

Hello, welcome everyone. I'm Grzegorz, and you are pronouncing my name really, really properly; if you really prefer, I may be Greg for you. I'm doing mostly research around Windows. I'm working every day in a large organization trying to implement AppLocker, so I started to dig into AppLocker, finding a lot of interesting things when it comes to AppLocker. What AppLocker is, as a kind of short introduction for you: it is one of three ways we have within Windows for application whitelisting. Because the typical approach we have built into Windows systems, the one we are using every day on our desktops just by default, is that we have kind of an anti-malware, antivirus, however we call it, trying to block

malicious actions, especially trying to block you from running well-known malware. So if you download the malware to your machine and try to run it, probably something will pop up saying it is not allowed to be run. It is a typical blacklisting approach, telling you it is not allowed because we know it is bad. The whitelisting approach is totally different, it is a different paradigm, telling you that you can run only what you have allowed previously. And in Windows we have three ways of doing this. The very first, historically speaking, is SRP, Software Restriction Policies, being built into Windows XP. SRP is not the smartest thing because it relies on Explorer, and Explorer is your

process, so you can manipulate the process trying to keep you from running unwanted processes, so it is not that effective in practice; it's easily hacked. By the way, one of the most known applications being used for bypassing SRP is a tiny program called GPdisable written by Mark Russinovich. After Mark Russinovich joined Microsoft, this program magically disappeared from the internet; you cannot find it anywhere. Right now we have two possibilities: it is AppLocker, being built into Windows starting from Windows 7 if I'm right, and we have Windows Defender Application Control. They're working, I can say, in parallel on different levels. AppLocker is definitely more user-friendly when you have to manage it;

WDAC is protecting you better, but the overall landscape is not only about the technical possibilities of the solution, but about friendliness, knowledge of administrators and so on. In the whole landscape I'm more pro-AppLocker, I would say, even if WDAC is better when it comes to the pure technology. When it comes to AppLocker, we have a couple of components working within AppLocker. So we have a management console, absolutely absent in WDAC by the way; we have a graphical interface, I will show you in a moment; we have some PowerShell; we have a special service, and the service must be running to have your whitelisting working, which is AppIDSvc; we have some kernel driver

doing some magic with tokens, for example; and we have a logging component. And right now I can show you a couple of things on this computer about AppLocker, not yet about the hash, but we are getting closer. Here I can see the AppLocker log, I can see a couple of entries; I will return to them in a moment. When it comes to the management, there is the secpol.msc console, where you can define, under Security Settings, Application Control Policies and AppLocker. For AppLocker you define what you are trying to do on different levels, because you can perform with this thing on executable files, on Windows Installer MSI files, on scripts and on APPX files. Actually .exe, typical

executables, are the most common, and it would be great to include DLLs here as well; you have to enable it on this page to enforce the DLLs as well. For every single category you have a possibility to pick the right way of protecting your machines, because we can work in two modes: the audit mode and the enforcement mode. In the enforcement mode, if something is not allowed, it will simply not run; there will be a default kind of message telling your user it is not allowed. When we work in the audit-only mode, everything is allowed to be run, but we can see what we see over here. For

example, for this warning: if I see it, I can see there was something in temp on this host, some automated stuff being done within Windows, not being whitelisted, and I have a warning because it was allowed to be run, but if we played seriously it would be blocked. OK, so I have two rules defined over here, just for demonstration purposes. The first rule is based on the path: if something is within C:\Program Files, then it's allowed to be run. The second rule is: if something is within C:\Windows, it is allowed to be run, because a regular user cannot drop, in most cases let's say, an executable file there. So if a file is within one of

those paths, it means an admin did it, so it is legitimate by the location, I would say automatically, because it stays here. So I do not have to manage hundreds or even thousands of different executable files, because I have created those two rules for paths and it is perfectly enough. So if I run something, let's say, from my desktop. OK, it's the wrong console, this is the right one. There I have an application called WriteAAA, writing 100 A letters; I will show you in a moment why. This application is run from my desktop, which is obviously not Program Files and not Windows, so if I do F5, I can see a warning: it would be

blocked if we played seriously; AppLocker detected it and warned us. OK, so you can see AppLocker is trying to register every single executable file being run. But there are some interesting cases over here, because I have written a tiny DLL file. Actually, DLL files can contain the same type of executable code as we have within .exe files, but we have no DLL rules being defined here. So I will load my DLL; you can see there is my DLL called ignoreapplocker.dll, and I will load it using rundll32: rundll32 ignoreapplocker.dll, the method is called DoIt, C:\Windows\System32\cmd.exe. It seemed easy, and the new cmd appeared.

It is a very special cmd, because if I do whoami /all, I will see I'm acting here as SYSTEM. Actually, this DLL is stealing the token from one of the services and is launching a new process, the one I have specified in the path over here, on the stolen token. So I have a stolen token from SYSTEM, and what is most important over here, the token stolen from the service contains within its data a very special SID, telling clearly it is a service; it is the SID S-1-5-6. If AppLocker sees such a SID in the token, it totally ignores such a process. So I ran rundll32 as a regular user; cmd was

launched as my special service user on the special stolen token; whoami.exe, also an application, was launched on this token as well. If I launch something from the desktop which is clearly not allowed, let's go here and I will pick one of the applications; WriteAAA is not a bad example. Shift+right-click, Shift+right-click, Copy as path, now I can paste, Ctrl+V. It was run, not a big surprise; I'm here in the audit mode. But when I look into the event log, I can see the last thing here is rundll32 was allowed to be run. This is WriteAAA, but from my previous run; this one is the freshest

one, it is 3:06, it is the moment I have rundll32 running. Everything happening next from my second window was totally absent in the AppLocker log; it would be totally absent if AppLocker really enforced and tried to block some application. So if S-1-5-6 appears within the process token, such a token in such a process is totally ignored by AppLocker. There is one thing more, but it is documented, so it's not that funny, because if you have the API function CreateRestrictedToken, under parameters you have a SANDBOX_INERT parameter (Ctrl+scroll) saying clearly it will be ignored by AppLocker; this flag disables checks for AppLocker. But it's not that funny

because it's documented, and the previous one is not documented at all. So we can bypass AppLocker by manipulating the token; it is the first case. OK, when you create your rules for AppLocker you actually have three possibilities. I will go here, this is the console I need, Create New Rule, and you have three possibilities for creating a rule. First, through the wizard, you have to specify allow or deny. Please do not create the deny rules; AppLocker is about allowing, so deny rules are pointless. Here we can specify a user, which is a great advantage of AppLocker over WDAC, because we can specify a special group: this group is allowed to run everything,

and if we put a user into the group, this user magically can run anything; if you remove a user from this group, of course after creating a new token, which requires log off, log on and so on, but we can manage easily who can run everything. Anyway, when you create a rule you have three possibilities: we can rely on digital signatures, publisher here; we can rely on path, it is what I did for Program Files and Windows; and we can rely on a file hash. For a file hash I will browse files, I will pick my WriteAAA, my simple application WriteAAA, Open, Create, and now I have a rule

based on the hash of this WriteAAA file. So if the hash of the file matches, the executable file is allowed to be run; if it does not match, it will not be allowed, at least not by this rule. If right now I close this console, as this one is ignored anyway, and if right now I run WriteAAA again, within the event log, not a big surprise, I will see WriteAAA was allowed to be run; you now have a rule specifying its hash. So what I will do right now: I cannot easily plug in and plug out an external drive into my virtual machine, but I can create a VHD file and

detach and attach it, allowing me to manipulate the data on that drive in a physical way. So I will attach a VHD file to my VM, C:\temp\x.vhdx; the X drive will appear. I will copy WriteAAA into the X drive, I will run it, X:\WriteAAA; it will run, as everything runs here. In the event log, not a big surprise, X:\WriteAAA was allowed to run, as the hash is the hash, perfectly well allowed by AppLocker. So what I will do right now: I will detach the drive, Detach VHD, yep, I want to detach it. I will open it with a hex editor, which I have on the desktop, which is

yet another one of the applications to be allowed, by the way. I will open it, x.vhdx, Ctrl+F, AAA; it does not matter there, but you can see it, it is here. This is probably what at least some of you did in the past, hacking applications to display your name instead of the legitimate developer name when you run an application; it's exactly the same level of advancement I'm doing here. I will replace a couple of A letters with dots, now I will save it, I will close it and I will attach it again: Attach VHD, C:\temp\x.vhdx. The X drive appeared, I'm here, X:\WriteAAA, not a big surprise, you can see those dots I have manipulated on the

physical level on the drive. But was it allowed to be run or not? From the security perspective the answer should be really simple: it should never be allowed to be run. F5: from the AppLocker perspective it was allowed to be run. This warning is about my hex editor, just to let you know, but the WriteAAA, the manipulated one, was perfectly well allowed. So let's try to figure out what is going on over here. So I will run PowerShell; PowerShell will work better. Get-FileHash for my WriteAAA on the desktop: it is d355 at the beginning, SHA256. Get-FileHash X:\WriteAAA: totally different, not a big surprise, I

have manipulated the file, so it must be different, but AppLocker allowed it. So what is the AppLocker policy? Get-AppLockerPolicy -Local, I will put it this way, and -Xml. This is the AppLocker policy, and here you can see the information within the AppLocker policy, the rule, and as you can hopefully see, the hash is yet another different one; it's not this one, not this one. All those three are SHA256, but they are totally different ones. So what is going on here? The very first thing when it comes to hashes is that AppLocker is saying it's SHA256, but it's lying; it is not SHA256. It is not clearly documented

what AppLocker is using here, but if we dig deeper we can realize the hash matches the so-called Authenticode hash. There is a well-documented algorithm, invented probably by Microsoft if I'm right, for creating hashes for executable files; it is commonly used for digital signatures in practice, and AppLocker is using it here, not telling you it is using it; it is lying that it is SHA256, which is not the truth at all. There is an undocumented algorithm here: you can specify 'SHA256 flat' as an algorithm; there is no single mention in the documentation about this, and then you can use SHA256, the real SHA256. Anyway, AppLocker is telling you something else about hashes, but still the hash for

this file I have manipulated must be different. So again, what is going on here? I will launch a console as an admin and I will use a built-in fsutil command. fsutil is one of my favorite commands in Windows; it is a command being constantly managed and updated by the team responsible for the file system, for the NTFS file system, so if you can do some magic with the NTFS file system, fsutil probably is the right tool. fsutil file queryEA is querying for extended attributes. Files within the NTFS file system can have so-called extended attributes; you can think about extended attributes like, if you are familiar with alternate data streams, extended attributes are

kind of like alternate data streams on steroids. They are slightly different, but the purpose is somehow similar. So there is kind of a metadata you can attach to any single file within the file system; it may have some name, it may have a different length, it is just metadata, kind of an attribute to a file, called EA, which means extended attribute. If I display the extended attributes for my WriteAAA file, I can see those are the extended attributes of my WriteAAA, and here the last one, the long one, is not that interesting in this case, but this one is very interesting: it is called $Kernel.Purge.AppID.HashInfo, and you

can see, if you look closely, this 6E 38 and so on and so on is exactly here; it is the same piece of data. It is the hash of the file, the AppLocker version of the hash, being stored as an extended attribute of the file. And how AppLocker works: AppLocker does not calculate the hash on every single file run; it would be time consuming, it would be too expensive in terms of computation, storage operations, etc. So at the first run this extended attribute is created; it contains the AppLocker hash of the file, and during next runs only the cached hash is being verified. What does it mean? If I manipulate the

file on the hardware level, which I did using the hex editor on my VHDX file, the hash is not being updated, and AppLocker still relies on the hash even if the hash does not actually match the file. So I can manipulate the cache and AppLocker believes its cache instead of the real file content. When it comes to such extended attributes, again, some documentation exists; it is here, about kernel extended attributes. There are two interesting things here; I will scroll a bit to find the information which I want to show you. It is about $Kernel.Purge. Actually, if the extended attribute name starts with $Kernel, it is a kind of flag for the NTFS driver: only kernel code can

create such an extended attribute, so I cannot create a $Kernel.something.something on my own if my code is running in user mode and not in kernel mode. But Purge means if the file is being touched, exactly speaking, if any of those operations is being performed, then the entire attribute must be removed automatically by the NTFS driver. It is why the hash is good enough if I manipulate the file the typical, the standard way. But if I manipulate the drive which is plugged off of my machine, there is no way the NTFS driver will realize what I'm actually doing. So this is how it is working: AppLocker relies on this hash, and if we are smart

enough, digging deeply enough in the structure, we can manipulate the data without being noticed by the NTFS driver, so the attribute is not being automatically removed. If I edit this file traditionally, of course this extended attribute will disappear, and during the next run AppLocker will recalculate the hash from the new file, maybe the same one, but it will be recalculated and it will put it into the extended attribute. There is an interesting thing over here, because there is a clear proof that AppLocker, trying to allow or disallow a .exe file from being run, relies on its hash being cached. But we also have a special command called Test-AppLockerPolicy, which is a cmdlet in

PowerShell, asking AppLocker what AppLocker would say about this file if we tried to run it. So I will put this XML into a file and let's call it xml.txt: Out-File xml.txt. So now I have my AppLocker policy saved into a text file, because the next command, the command Test-AppLockerPolicy, requires a file to be specified; Test-AppLockerPolicy requires the XML policy to be specified, so it is Test-AppLockerPolicy -XmlPolicy xml.txt, and it requires another parameter, which is -Path; let's say it is about WriteAAA here. And on the legitimate file it will say it is allowed; it is PolicyDecision Allowed, because we have a matching rule called

WriteAAA; this is the name of the rule as well. So it is saying, based on this rule, we will allow this file to be run. If I do the same on the X drive and my manipulated content, you will see it will be denied by default, because AppLocker relies on the cache and the Test-AppLockerPolicy command relies on the real file content, just to make it consistent and look more Microsoft this way. And so please be aware that such manipulations are possible only if you have physical access to the drive, because it's not something an end user can do easily; even attaching and detaching a VHD file is not something allowed for the end

user easily, because it requires some privileges a typical user does not have. But when it comes to a USB drive being plugged out and plugged in, then we are on the good side and we can try to manipulate it. Maybe hashes and such manipulations are not that common, but we are still on the right path, I would say. Instead of manipulating the file content, which has very limited practical applications but clearly proves my idea, we can write an attribute to an existing file. So I will exit from PowerShell, I will run my pwn application; it is working. If I go to the AppLocker policy, F5, you can see this application was

detected as unwanted; right now it is allowed to be run, but if we played seriously it would not be. So if I know I have some hash-based rule, I can try to play with this as well. So I will copy it to the X drive, as manipulation on the X drive is easier. Copy, my X drive, X:\pwn; the application was run, but it would not be allowed to run if we played seriously, which is clearly stated: xpwn was allowed but would have been prevented from running. And I know I have my hash being prepared within my policy; I will copy the hash from here, it is the easiest place to take the hash in

its form. I can try to create an extended attribute on a file which already exists, my xpwn. I cannot create, as the Microsoft documentation says, I cannot create $Kernel.something.something, but I will do a dirty trick over here: I will create an attribute called 'hash kernel' something-something and then I will rename it offline, which will be easier. So here I have my 'set AppLocker hash cache' application; it requires a file name and the hash, so it is: set AppLocker hash cache, xpwn, and the hash I have just copied. Ah, it's on my X drive, it already has it, so I will use X:\pwn, and I will call pwn from the desktop, the X drive. My application

is protecting, is not allowing you to create a hash extended attribute which already exists. The X drive right now does not have the extended attribute; I can clearly prove it by fsutil file queryEA X:\pwn: no extended attributes. So I will do a command-line magic, watch carefully: F7, and I will use the history. And now it was planted over here with the name 'hash kernel', which I need to change to $Kernel. I will do this offline by detaching the VHD drive, yes, by running my hex editor again on the same file, Ctrl+H, Ctrl+H or Ctrl+R, Ctrl+R, search for

'hash kernel.Purge.', sorry, changing 'hash kernel.Purge.' to '$Kernel.Purge.'. Replace all; a couple of occurrences will be replaced. OK, save and close, and attach the file again: Action, Attach VHD.

But the first one was 'hash kernel', the second one was $Kernel. C:\temp\x.vhdx will be attached, and right now if I do the same command I used a moment ago for displaying: after fsutil file queryEA we had no extended attributes. Right now, F7 and fsutil and so on, I have it, added by an application and then renamed to $Kernel.Purge.AppID.HashInfo by my physical drive data manipulation, by raw disk access. So if I run xpwn right now, it is running, but the truth will stick out from the event log: it was allowed to be

run, as AppLocker relies only on its hash. So I can plant a hash, a cache of the hash, on an existing file if I want; however, I cannot directly name it $Kernel, that is not allowed from user mode, and I'm running my applications from user mode, obviously.

When I have a possibility to manipulate the offline drive, probably yes.

If I am creating an extended attribute using the ntfs.sys driver, the $Kernel prefix is not allowed; if I'm manipulating the data offline, under the NTFS driver, there is no such restriction. I hope it answers your question. So I can plant fake cache information on an existing file. I can also copy an existing set of extended attributes from one file to another one; I have a tiny application, copy EAs; I can specify the source file and the destination file and I will simply copy everything. So I can plant a hash cache, or I can copy everything, because if I do, let's see, cmd should be a great example: fsutil

file queryEA C:\Windows\System32\cmd.exe, you can see this is a different one. I will show it on WriteAAA, as my WriteAAA application is digitally signed; my applications, so the same command but not on C:\Windows, which is managed in a slightly different way when it comes to the signatures. WriteAAA: you can see there is a lot of information. The first one, AID 1, is about the hash cache; the second one here is clearly called SignerInfo, it is identified by AID 3, and this is cached information of the digital signature being planted on this file. So theoretically you can also play with digital signatures, as the digital

signature is not verified on every single file run; it is also being used from the cache, so we have some possibility to manipulate this. Typically I hear two very common questions, two reasonable questions, when it comes to such dirty plays with the AppLocker hash cache. The first one: can we manipulate it the same way not on the file image but on the CD image? The answer is no, because on the CD image we have the CDFS file system and not the NTFS file system; it is a totally different file system, so we cannot do this, which is great news for defenders, as a regular user cannot mount a VHD file, can plug in the physical drive if it's allowed by policies, but a typical

user can mount an .iso file with the CD image, but it will not work for the ISO files. Another question I hear sometimes is about WDAC, Windows Defender Application Control: what about WDAC? And the answer is WDAC relies on such a cache as well; of course those attributes are named slightly differently, but at the same time WDAC does not want to use the cache from external drives; it relies only on the cached information from the system drive. So you cannot plug in the falsified drive; you have to plug out the C drive, manipulate it offline or by running from some bootable USB, whatever, and then WDAC will rely on this information properly. So it is theoretically possible;

at the same time, if you can manipulate the drive content offline for the C drive, you own this system anyway; you can do anything you want, so manipulating the cache for something to have one application allowed to be run is definitely overkill if you can do anything, if you have offline access. OK, when it comes to resources: I used to share my source code for those applications, my research, etc. This QR code, if you really want, is just the set of links being provided in a form you can use on your phone, on your device, instead of typing in; especially the last link is type-in friendly, so you have them handy.

If you want, you can also scan my screen later on. When it comes to AppLocker, I tried to show you its imperfections, and it is how I call it: it's about imperfections. Is AppLocker worth using? Yes, definitely yes. It really raises the bar for bad guys; even if it's not 100% effective, it is raising the bar, so you have a huge advantage using it. The good news, and it is kind of fresh news, it's like two months old, so compared to the history of AppLocker it is really new: AppLocker, starting this February, is allowed to be run on Windows 10 Pro; previously it was allowed to be run only on Windows 10 Enterprise and on servers,

which clearly limited its potential in practical scenarios. Right now you can launch and manage AppLocker in Windows Pro as well. When it comes to performance, well, you will clearly see it is not affecting performance if you run it in the audit mode, so you can turn audit mode on literally today and observe what will happen in your log for AppLocker, and then try to narrow down rules to allow what you want to allow, and then switch it to the enforcement mode and raise the bar for bad guys and make your systems better protected. That's basically it, thank you very much. [Applause] Thank you, Greg, that was awesome, great presentation. Thank you, thank you.

Does anybody have any questions, comments, remarks that they would like to make?

OK, so since the user can mount an ISO image, you can theoretically do the same thing to the ISO image, right? The ISO image uses a different file system; it is using CDFS, which does not have extended attributes. OK, so it is impossible to be done with an ISO image. Is this possible using, say, a USB? Yes, yes: when you format the USB to NTFS and manipulate it this way, it is possible for USB, yet another reason to block unwanted USB devices. So you can still send them, if you have the hash, you can send them a USB, they will run it from the USB and they will be able to bypass AppLocker, right?

Theoretically, yep, I can imagine this. OK, OK, thanks. Welcome. Any other question? Going once, going twice. OK, great speech, I have just a quick question. Most of us IT security guys know that AppLocker can be run as a local user, so what are the exceptions in this case, if we have configured AppLocker from the admin permissions or admin side; so what can be done using local user permissions in this case? Well, if you are a local user, bypassing AppLocker will be not that easy if the system is up to date and fully patched. In the past we had like a SANDBOX_INERT flag which could be used

by an end user in the past, but right now you cannot steal the token from the service, which I did; it requires admin permissions, particularly the debug privilege within the token of the attacker, so you must be an admin already. For an end user, you can try to download a potentially malicious DLL if DLLs are not whitelisted, because a DLL can contain the same maliciousness of code as an executable file, and trust me, even if companies are implementing AppLocker bit by bit, they are leaving DLL whitelisting for the next stage in the future; this is how they do this. So if you are a bad guy, put your stuff into a DLL and then run your

DLL using kind of a side loader, starting from rundll32, which is perfectly allowed, or some other system applications loading arbitrary DLLs, and put your code into the DLL. It is what I would advise bad guys, but well, if you observe this closely, probably you will realize something wrong is going on, and at the same time it is still well worth implementing AppLocker, because you're raising the bar even if it's not 100% successful. Thank you.

Any other question? Gregory, thank you.
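The distinction the talk draws between AppLocker's reported "SHA256" (actually the Authenticode PE hash) and "SHA256 flat" (the plain file hash), worked as an added Python example that is not part of the talk or the speaker's tools. It builds a constructed, non-loadable PE32+ image in memory (assumed layout, fake certificate blob) and shows which byte edits each digest notices: a new CheckSum or certificate table leaves the Authenticode hash unchanged, while the hex-editor-style edit of section bytes changes both, which is the comparison a defender's cache-consistency check on a removable NTFS drive has to make.

```python
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory slot of the certificate table

def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Digest per the Windows Authenticode PE Signature Format: the whole file
    except the CheckSum field, the Certificate Table directory entry and the
    certificate table bytes themselves."""
    h = hashlib.new(algo)
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = pe_off + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (112 if magic == 0x20B else 96)             # PE32+ vs PE32
    checksum_off = opt + 64
    sec_dir_off = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    cert_size = struct.unpack_from("<II", data, sec_dir_off)[1]
    # 1. Headers, skipping CheckSum and the certificate-table entry.
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:sec_dir_off])
    h.update(data[sec_dir_off + 8:size_of_headers])
    hashed = size_of_headers
    # 2. Raw section data, ordered by file offset.
    sect_tbl = opt + opt_size
    sections = []
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_tbl + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    # 3. Any trailing data, minus the certificate table at the end of the file.
    extra = len(data) - cert_size - hashed
    if extra > 0:
        h.update(data[hashed:hashed + extra])
    return h.hexdigest()

def flat_hash(data: bytes, algo: str = "sha256") -> str:
    """What Get-FileHash (and the undocumented 'SHA256 flat') compute."""
    return hashlib.new(algo, data).hexdigest()

def build_minimal_pe(section_payload: bytes, cert_blob: bytes) -> bytes:
    """Constructed PE32+ image: DOS stub, one .text section at 0x200 and a fake
    certificate table appended after it. Enough structure for hashing only."""
    hdr_size = sect_size = 0x200
    pe_off = 0x40
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                         # PE32+ magic
    struct.pack_into("<I", opt, 60, hdr_size)                     # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0x12345678)                   # CheckSum
    struct.pack_into("<I", opt, 108, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     hdr_size + sect_size, len(cert_blob))        # cert table offset/size
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", sect_size, 0x1000, sect_size, hdr_size, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(hdr_size, b"\0")
    payload = section_payload.ljust(sect_size, b"\0")[:sect_size]
    return headers + payload + cert_blob

def hash_variants() -> dict:
    """Original image, a re-signed copy (new CheckSum + certificate bytes) and a
    copy whose section bytes were patched like the hex-editor edit in the talk.
    Returns {name: (authenticode_hex, flat_hex)}."""
    cert = b"CONSTRUCTED-FAKE-PKCS7-BLOB".ljust(0x40, b"\0")
    original = build_minimal_pe(b"write AAAAAAAAAA", cert)
    resigned = bytearray(original)
    struct.pack_into("<I", resigned, 0x40 + 4 + 20 + 64, 0)       # new CheckSum
    resigned[-4:] = b"XXXX"                                       # new cert bytes
    patched = bytearray(original)
    patched[0x206:0x210] = b"." * 10                              # A's -> dots
    return {name: (authenticode_hash(img), flat_hash(img))
            for name, img in (("original", original), ("resigned", bytes(resigned)),
                              ("patched", bytes(patched)))}
```

A cached `$Kernel.Purge.AppID.HashInfo` value that still matches `authenticode_hash()` of the tampered bytes is the inconsistency the talk describes; recomputing the Authenticode hash from file content, as Test-AppLockerPolicy does, is what exposes it.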