Tuesday, November 10, 2015

Your Whitelisting Application Has No Clothes

I am not entirely sure that I am communicating this accurately. So here goes another simple attempt...

Whitelisting applications that subscribe to the Microsoft best practice for intercepting and blocking executable file execution have a GAPING hole. That hole is .NET loading of assemblies via reflection.

http://download.microsoft.com/download/4/4/b/44bb7147-f058-4002-9ab2-ed22870e3fe9/Kernal%20Data%20and%20Filtering%20Support%20for%20Windows%20Server%202008.doc

Page 18...



Signed Microsoft binaries that load assemblies via reflection such as InstallUtil, Regsvcs, and RegAsm do not follow the pattern that most Whitelisting applications are expecting.

What this means is that your whitelisting application MISSES execution events by these tools.

I have tested multiple tools and they ALL miss this type of execution.

What I am not saying is that whitelisting is bad. I am saying this is a tremendous gap in the ability to detect execution events.

Windows 10 with UMCI and Device Guard seems to be able to detect and prevent this sufficiently.

So, again... If you are whitelisting as a defense, please be wary of .NET applications that can load executables as READ and later change permissions to EXECUTE...

That is all...

Cheers,

Casey
@subTee


Monday, November 9, 2015

All-Natural, Organic, Free Range, Sustainable, Whitelisting Evasion - Regsvcs and RegAsm

I am a big fan of "Living off the Land": using only native default tools to accomplish objectives.

Recently I stumbled on another whitelisting bypass trick. It's actually in the same class as "Trusted Things that Execute Things", but it's a new toolset and requires slight modification to get execution.

Introducing Regsvcs.exe and RegAsm.exe. Both are part of a default .NET install and signed by Microsoft. Sound familiar?

First, these two tools are used to register .NET COM assemblies, but remember, we don't really care about their original intent.

What I found was that these applications typically require admin rights to perform the necessary installation and registration. However, there is a catch. Using some C# attributes we can influence the execution, EVEN if we don't have admin rights.

[ComRegisterFunction] and [ComUnregisterFunction]: these two attributes specify code that can run before registration/unregistration (o_O). All we need to do is present these applications with an assembly carrying these attributes and they will happily execute our code for us.



You will need to create a Strong Name Key (.snk) in order to get this to work, but that's trivial.

This technique will work even if the file has been explicitly banned, and even if DLL whitelisting is enabled. The reason is that the DLL is executed via reflection, and the whitelisting apps never receive notification of an execute event...

I put a sample here:

https://gist.github.com/subTee/fb09ef511e592e6f7993

So, that's it really. Simply compile your DLL and run it as a guest of RegAsm or Regsvcs.

These files are already installed on any workstation/server with .NET Framework.
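Both posts make the same defensive point: the file-execute hook a whitelisting product relies on never fires for an assembly that InstallUtil, RegAsm or Regsvcs loads via reflection, so the only telemetry left is the process-creation event for the signed host binary itself. The script below is an added example (not code from the posts or the gist) that triages constructed process-creation records: it flags any of the three Microsoft-signed utilities being handed a .dll/.exe argument from outside locations an installer would normally use. The `|`-delimited record format, the `TRUSTED_PREFIXES` list and the sample records are all assumptions made for this example. Because the post notes that [ComUnregisterFunction] code runs on unregistration too, the rule keys on the assembly path rather than on any particular command-line switch.

```python
import re
from pathlib import PureWindowsPath

# Microsoft-signed .NET utilities the posts name as loading assemblies via reflection.
WATCHED_IMAGES = {"installutil.exe", "regasm.exe", "regsvcs.exe"}

# Assumption for this example: assemblies registered by legitimate installers live
# under these prefixes; anything else is treated as a user-writable location.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
ASSEMBLY_EXT = {".dll", ".exe"}

# Constructed sample telemetry (image | command line | user); not real logs.
SAMPLE_EVENTS = [
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe|RegAsm.exe C:\Users\alice\AppData\Local\Temp\payload.dll|CORP\alice",
    r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe|regsvcs.exe "C:\Program Files\Vendor\Component.dll"|NT AUTHORITY\SYSTEM',
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe|InstallUtil.exe C:\Users\bob\Downloads\svc.exe|CORP\bob",
    r"C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt|CORP\alice",
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe|regsvcs.exe /u C:\Users\alice\Desktop\thing.dll|CORP\alice",
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_command_line(cmd):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]


def parse_event(line):
    """Parse one constructed 'image|command line|user' record into a dict."""
    image, cmd, user = line.split("|", 2)
    return {"image": image, "command_line": cmd, "user": user}


def is_trusted_location(path):
    """True if the path sits under one of the assumed installer-controlled prefixes."""
    return str(PureWindowsPath(path)).lower().startswith(TRUSTED_PREFIXES)


def assembly_arguments(args):
    """Return arguments that look like assemblies, skipping argv[0] and switches."""
    found = []
    for arg in args[1:]:
        if arg.startswith(("/", "-")):
            continue  # /u, /codebase, /tlb and similar switches are not file paths
        if PureWindowsPath(arg).suffix.lower() in ASSEMBLY_EXT:
            found.append(arg)
    return found


def triage(lines):
    """Return one alert per watched utility that is handed an assembly from an untrusted path."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        image_name = PureWindowsPath(ev["image"]).name
        if image_name.lower() not in WATCHED_IMAGES:
            continue
        for asm in assembly_arguments(split_command_line(ev["command_line"])):
            if not is_trusted_location(asm):
                alerts.append({
                    "image": image_name,
                    "assembly": asm,
                    "user": ev["user"],
                    "reason": "reflection-capable .NET host loading an assembly from an untrusted path",
                })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"{alert['image']:16} {alert['user']:24} {alert['assembly']}")
```

Running the block prints three alerts (the RegAsm, InstallUtil and Regsvcs records that point at user profile paths); the Regsvcs record loading from under Program Files and the notepad record are left alone. The check is deliberately coarse: it is meant as the process-creation fallback for the gap the first post describes, not as a replacement for a product that, like the Windows 10 UMCI/Device Guard combination the author mentions, can police the reflective load itself.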

I'm sure there are more like this. But this pattern seems to be working quite well for me.

This may be just the technique needed for someone to gain an initial foothold.


It is my opinion that this bypass method has ramifications beyond just whitelisting apps...

That's all I got today...

Cheers

Casey
@subTee