Applocker: Application Control Policy for Windows Network Protection
Application whitelisting is a powerful technology that can protect our computers from unknown malware, yet it is rarely used. One of the main reasons is that it is difficult to configure and maintain; the other is that there are quite a number of bypass techniques, so it cannot reliably stop a determined attacker. Today, let's take a look at the built-in Windows AppLocker technology, which provides some basic functions for free.
Configuration
First, you need to enable the service that AppLocker depends on.
Through GPO:
Computer Configuration → Policies → Windows Settings → System Services
Set the Application Identity service to Automatic startup:
Then configure the application control policy.
In fact, there are two whitelisting mechanisms available: the older Software Restriction Policies and the newer AppLocker.
With AppLocker you can control the following file types:
Executable files
MSI installer files
Scripts
Dynamic link libraries (DLL)
Then, for each of them, you set allow or deny rules based on one of three conditions:
Path: very simple, execution is allowed or denied based on the folder the file sits in.
File hash: execution is allowed or denied based on the hash of the file. This is not very useful, because the hash has to be calculated from the file itself, so you cannot block a hash you got from elsewhere (say an MD5 from a report) without having the file.
Publisher: execution is allowed or denied based on the digital certificate the file is signed with.
You can also set a rule that allows everything in C:\Windows except cmd.exe.
Usage
Basically, AppLocker can be used in two ways: either allow only what is on the whitelist, or allow everything except what is on the blacklist.
Whitelist:
Blacklist:
AppLocker is also a very useful additional source of information. Even if you do not want to enforce it, you can configure it in audit-only mode. That way you get a log entry for every executable, DLL and script that runs on the system:
The hash is hidden in the XML view of the log. However, AppLocker records the SHA256 Authenticode hash rather than the plain file hash of the EXE or DLL, which is useless for us: you cannot look it up in VirusTotal or anywhere else.
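The following script is an added example, not part of the original article: it pulls the audit-only "would have been blocked" events (event ID 8003 for EXE/DLL, 8006 for MSI/script), expands AppLocker's path variables, and adds the plain SHA256 of the file on disk so the entry can be looked up elsewhere. It assumes audit mode is on and the shell is elevated; the event XML field names are taken from the AppLocker event schema.

```powershell
# Added example (not from the original article). Assumes an elevated shell and
# AppLocker running in audit-only mode. Field names under UserData follow the
# AppLocker event schema (RuleAndFileData/FilePath, FileHash, Fqbn, TargetUser).
$logs = @{
    'Microsoft-Windows-AppLocker/EXE and DLL'    = 8003   # EXE/DLL audited
    'Microsoft-Windows-AppLocker/MSI and Script' = 8006   # MSI/script audited
}

# AppLocker writes paths with its own variables; map them back to real folders.
$pathVars = @{
    '%SYSTEM32%'     = "$env:windir\System32"
    '%WINDIR%'       = $env:windir
    '%PROGRAMFILES%' = $env:ProgramFiles
    '%OSDRIVE%'      = $env:SystemDrive
}

function Expand-AppLockerPath([string]$Path) {
    foreach ($v in $pathVars.Keys) {
        $Path = $Path -replace [regex]::Escape($v), $pathVars[$v]
    }
    return $Path
}

$results = foreach ($log in $logs.Keys) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $logs[$log] } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The interesting fields only appear in the XML view of the event.
        $x = [xml]$e.ToXml()
        $d = $x.Event.UserData.RuleAndFileData
        $realPath = Expand-AppLockerPath $d.FilePath
        # Plain SHA256 of the file on disk (the event only carries the Authenticode hash).
        $flatHash = if (Test-Path -LiteralPath $realPath) {
            (Get-FileHash -LiteralPath $realPath -Algorithm SHA256).Hash
        } else { 'file no longer present' }
        [pscustomobject]@{
            Time            = $e.TimeCreated
            User            = $d.TargetUser
            Path            = $realPath
            Publisher       = $d.Fqbn
            AuthenticodeSha = $d.FileHash
            FlatSha256      = $flatHash
        }
    }
}

$results | Sort-Object Path -Unique | Format-Table -AutoSize
```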
Blocking
If you want to block things, remember:
If you set the publisher to Microsoft in a rule, tools such as Sysinternals are allowed as well.
When you use path rules, you need to watch the permissions on the folders. If anyone can write to a folder you trust, AppLocker is bypassed and the rule is meaningless.
If you try to block execution in the temp folder, AppLocker can do it as required. But it will also break a lot of things for your users, so test it first. You will also need to whitelist the software that runs from AppData, such as Dropbox and Chrome. And don't forget to block C:\temp, C:\ProgramData, the recycle bin and the several other writable folders. Personally, I think it takes a lot of work to find every piece of software that needs to run from TEMP, but you can try it.
Local administrator rights and AppLocker do not go together. If your users have administrator permissions, they can bypass any restriction you set by adding rules that override the AppLocker policy.
Limitations of AppLocker
AppLocker cannot control what runs in memory.
It cannot control Office macros. It cannot control HTML applications.
The default rules are not as secure as you think. In general, you may assume that you cannot write to the Windows folder. However, some subfolders are writable, which makes it easy to bypass the default rules. Use this script or Sysinternals' accesschk to check the system: accesschk.exe -d -w paranoid C:\Windows\* (the third argument is the user or group whose write access you are testing).
Scripts are not strictly controlled, so if the interpreter is allowed to run, you can copy the script out of a text file and paste it into the interpreter, and it runs that way. I tested this on three different machines. For some reason Windows 7 did not block PowerShell scripts by default, and I still don't know why. Windows 8.1 blocked them as expected.
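The script below is an added example (it is not the script the article links to): it walks the folders covered by the default path rules and lists those where ordinary users can create files, printed in AppLocker's path-variable form so they can go straight into a rule's exceptions. It assumes an elevated shell; it only inspects Allow ACEs and ignores Deny ACEs and inheritance order, so treat the output as a superset to review by hand.

```powershell
# Added example (not from the original article). Assumes an elevated shell.
# Lists directories under the default-rule roots that low-privilege groups can write to.
$roots = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# Well-known SIDs for groups every interactive user belongs to.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)

# Rights that let a principal put a new file or folder into the directory.
# Broader rights (Write, Modify, FullControl) contain these bits, so -band catches them too.
$writeMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData

function Test-UserWritable([string]$Dir) {
    try { $acl = Get-Acl -LiteralPath $Dir -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Resolve the ACE account to a SID; skip accounts that cannot be translated.
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if (($lowPrivSids -contains $sid) -and (($ace.FileSystemRights -band $writeMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

# Convert a real path back to AppLocker's variables; (x86) must be replaced first.
function ConvertTo-AppLockerPath([string]$Path) {
    if (${env:ProgramFiles(x86)}) { $Path = $Path -replace [regex]::Escape(${env:ProgramFiles(x86)}), '%PROGRAMFILES%' }
    $Path = $Path -replace [regex]::Escape($env:ProgramFiles), '%PROGRAMFILES%'
    $Path = $Path -replace [regex]::Escape($env:windir), '%WINDIR%'
    return "$Path\*"
}

$writable = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-UserWritable $_.FullName } |
        ForEach-Object { ConvertTo-AppLockerPath $_.FullName }
}

# One line per folder, ready to paste into the Exceptions of the matching path rule.
$writable | Sort-Object -Unique
```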
Bypass AppLocker
There are many ways to bypass AppLocker:
If you have local administrator permissions, you can add a local rule that allows everything to run. This overrides any domain-based policy.
If you have write permission to a location in C:\Windows, you can move the executable there, and all restrictions and default rules are bypassed.
You can use HTML applications (HTA). Here is an example of an HTA that uses PowerShell:
You can use rundll32 to call various operating system functions, as described here. You can even use rundll32 to call JavaScript and execute arbitrary code. This method is used by the notorious Poweliks malware, and as I recall it was first seen in the malware of a well-known APT group. Unfortunately, it cannot be blocked.
You can use the interpreter directly (the same applies to PowerShell and VBS):
In-memory payloads are not affected at all: if nothing is saved to disk, AppLocker never sees it. So attackers can bypass it through trusted processes or with reflective injection techniques.
Unless you have strict DLL AppLocker rules, you can hijack a trusted application.
There are also some bypasses specific to .NET applications, which will not be detailed here.
Mitigate Bypass
Some of the bypasses can be mitigated with correct configuration:
Revoke users' write permissions in the Windows and Program Files folders, or add every user-writable folder to the rule exceptions.
Block mshta.exe to stop HTML applications from running.
If you and your users do not use powershell.exe, wscript.exe or cscript.exe, blocking them is also useful, but don't do it if they are needed, because it may break login scripts or some automation. Note that PowerShell can be called directly from any .NET application, so also block the PowerShell DLL (C:\Program Files (x86)\Reference Assemblies\Microsoft\WindowsPowerShell\3.0\system.management.automation.dll), or block unknown executables together with powershell.exe.
However, I don't know whether legitimate operations call JavaScript through rundll32.
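As an added example (not from the original article), the policy below puts the two mitigations above into an AppLocker Exe collection: the default "everything in the Windows folder" rule is rewritten with exceptions for user-writable folders, and mshta.exe gets an explicit deny, which wins over any allow rule. The rule GUIDs and the exception folder are constructed for this example; it is applied in AuditOnly mode and dry-run with Test-AppLockerPolicy before anything is enforced. It assumes an elevated shell on a machine without a domain AppLocker policy.

```powershell
# Added example (not from the original article). Assumes an elevated shell.
# Rule Ids are constructed GUIDs; replace the exception list with whatever your
# writable-folder check found (%WINDIR%\Temp\* is only an illustration).
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="7f3a1c00-0000-4000-8000-000000000001" Name="Windows folder minus writable subfolders"
                  Description="Default rule with exceptions" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="7f3a1c00-0000-4000-8000-000000000002" Name="Program Files"
                  Description="Default rule" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="7f3a1c00-0000-4000-8000-000000000003" Name="Administrators run anything"
                  Description="Default rule" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="7f3a1c00-0000-4000-8000-000000000004" Name="Block HTML applications"
                  Description="Deny beats allow, so this overrides the Windows folder rule"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\mshta.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$policyPath = Join-Path $env:TEMP 'applocker-exe-hardening.xml'
Set-Content -LiteralPath $policyPath -Value $policyXml -Encoding UTF8

# Without -Merge the local policy is replaced, which is why the XML carries the
# full Exe collection rather than just the two new rules.
Set-AppLockerPolicy -XmlPolicy $policyPath

# Dry run: a signed system binary copied into the excepted folder must no longer match.
$probe = Join-Path $env:windir 'Temp\probe-copy-of-notepad.exe'
Copy-Item -LiteralPath (Join-Path $env:windir 'System32\notepad.exe') -Destination $probe -Force

$checks = @((Join-Path $env:windir 'System32\mshta.exe'),
            (Join-Path $env:windir 'System32\notepad.exe'),
            $probe)
Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -Path $checks -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -LiteralPath $probe -Force
```

Expected decisions: mshta.exe Denied (by the deny rule), notepad.exe Allowed, and the copy in Temp not allowed because it matches no rule.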