3. Profile
Speaker
• OWASP DAY 2014
• July Tech Festa 2015, 2017
• AVTOKYO2016
• Financials ISAC Japan Conference 2018
Writing
• Software Design
CODE BLUE 2018 3
4. Background
I have done penetration tests at many companies,
and I’ve bypassed Windows security functions at
each company.
5. Things to inform in this session
Bypass is not always detected and blocked, so I
wanted to say that it’s important not only to enable
security functions, but also to implement multilayered defense,
such as strengthening monitoring.
6. Penetration Test
We suppose the scenario, and test from the point of
intrusion into servers and network devices.
[Diagram: attack from the internet or inside jobs through the firewall → take over → attack (what kind of authority, what we can do) → impact]
7. The Penetration Test scenarios
There are cases where we investigate whether or not we
can intrude servers assuming malware infection caused by
Advanced Persistent Threats (APTs).
[Diagram: the tester accesses from the internet through the firewall and IPS, and as a PC & domain user in the user segment, into the server segment]
8. View of attacker
In APTs, since an attacker with a clear intention and purpose
intends to steal information from a specific organization, we
assume that even if they are restricted by security functions, they
will bypass them and accomplish their purpose.
• Bypass authentication and intrude
• Bypass security function restrictions
• etc.
9. View of attacker
(Same slide, marking “bypass security function restrictions” as the topic of this session.)
10. Steps in APT
Preparation → Intrusion → Lateral Movement → Action
• Preparation: gathering information from the target
• Intrusion: intrusion into the target
• Lateral Movement: intrusion into the important servers
• Action: stealing confidential information and hiding logs
11. Steps in APT
“Preparation” doesn’t concern this topic, so I won’t
talk about it this time.
Preparation → Intrusion → Lateral Movement → Action
12. Steps in APT
“Action” has to do with anti-viruses and monitoring,
but I won’t talk about it this time.
Preparation → Intrusion → Lateral Movement → Action
13. Steps in APT
I’ll be talking about bypass methods which may be used
when intruding PCs etc.
Preparation → Intrusion → Lateral Movement → Action
14. Lateral Movement
• Operation in the intruded PCs
• Searching for other vulnerable PCs and expanding intrusion
• Intrusion into servers using the collected information
Operation → Gathering information → Intrusion into servers
15. Lateral Movement
https://attack.mitre.org/wiki/Lateral_Movement
• AppleScript
• Application Deployment Software
• Distributed Component Object Model
• Replication Through Removable Media
• Windows Remote Management
• Exploitation of Vulnerability
• Remote Desktop Protocol
• Remote File Copy
• Logon Scripts
• Pass the Hash
• SSH Hijacking
• Shared Webroot
• Remote Services
• Taint Shared Content
• Third-party Software
• Windows Admin Shares
Japanese: https://github.com/abend9999/lateralmovement
16. How to protect Windows
There are security functions to protect Windows
against various attack methods.
• AppLocker
• Software Restriction Policy
• Windows Defender
• UAC (User Account Control)
• etc.
17. Security restrictions on Windows
• Cannot install application (excluding PowerUser)
• Cannot change PC setting
• Cannot execute applications that are inadequate for business
• Do not grant local administrator authority
• Restricts execution of specific applications
18. AppLocker control object
Based on the publisher, file path, and file hash, AppLocker
currently supports the following file extensions.
• Executables (.exe, .com)
• Windows Installers (.msi, .mst, .msp)
• Scripts (.vbs, .js, .ps1, .cmd, .bat)
• Dlls (.ocx, .dll)
• Packaged app installers (.appx)
20. Note about AppLocker
If the service "Application Identity" is not running,
AppLocker cannot be activated.
21. Advantages of AppLocker
If you have applications that you do not plan to use
such as cmd.exe, restricting them may increase the
security level.
22. From here, I will introduce examples of bypassing
security restrictions in penetration testing.
24. Restricting Drive Access - Background
In cases where access to an arbitrary drive is
prohibited, access to C drive is often prohibited or
hidden.
25. Restricting Drive Access - Trial
But it can be referenced in command prompt and
can be accessed by directly specifying the path.
28. Restricting Drive Access – Assumption
It is possible to specify and restrict the drive with
the following registry key, therefore we assume
that this was controlled by the registry.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive
30. Restricting Applications - Background
There was a case where presumably the following
countermeasures were implemented to restrict specific
applications (such as notepad and command prompt):
• Disabled “Run”
• Hid C drive
• Deleted program menu
31. Restricting Applications - Trial
I ran Notepad with "View source" in Internet Explorer, generated a
bat file to run cmd.exe, and then executed it.
33. If you choose GOOD ADVICE, even IE is stopped.
34. Restricting Application – Assumption
• Control “Run” in the registry:
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
• Control drive display setting in the registry:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive
• Control program menu in the folder:
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs
48. Restricting PowerShell
By restricting PowerShell, you can prevent file-less
attacks using PowerShell.
[Diagram: running a malicious script using Pass the Hash; if file-less, it is hard for antiviruses to detect]
49. PowerShell without PowerShell
"PowerShell without PowerShell" released in August
2016 bypasses AppLocker and runs PowerShell.
https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
50. PowerShell without PowerShell
• Compile a C# program with CSC.exe to run PowerShell as
the action at uninstall
• Uninstall the compiled output with InstallUtil.exe
• PowerShell runs
[Diagram: ① Compile: C# source (override Uninstall and specify the PowerShell command) with CSC.exe → ② Output: binary file → ③ Uninstall: InstallUtil.exe runs the PowerShell specified in C#]
52. PowerShell without PowerShell
It can be executed with user privilege.
• Compiling: CSC.exe
• Uninstalling: InstallUtil.exe
53. PowerShell without PowerShell
PowerShell runs in the background, but depending
on the PowerShell script you run, it may be easy to
get a shell.
[Diagram: binary file → InstallUtil.exe uninstall → run PowerShell specified in C#]
54. PowerShell without PowerShell
You can easily obtain a shell by running a script that
performs a reverse connect.
[Diagram: device that restricts PowerShell → reverse connect target]
• Acquire script via IEX using PowerShell without PowerShell
• Execute file-less
56. Q. Which is the same one?
It is easier than this problem.
57. By using Install Option
I found another method (by using Install
Option), so I would like to introduce it.
• PowerShell without PowerShell ⇒ User privilege
• By using Install Option ⇒ Administrator privilege required
59. Differences depending on the extension
I thought that if I changed the extension of the EXE
file in various ways, I could bypass AppLocker.
• Change to COM file → AppLocker blocked
• Change to BAT file → AppLocker blocked
• Change to MSI file → Error showing that it's not a package file
60. Trial ①
I tried to build cmd.exe so that it can be installed as
an MSI file without causing an error.
61. Trial ②
I noticed the Custom Option and built it to run
cmd.exe as an Install Option.
71. Run powershell_ise.exe
You can run powershell_ise.exe, but it will be
blocked when you start a new PowerShell process
within it.
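The execution chains of slides 50 to 61 and 71 leave process-creation traces that the talk's "monitoring operation logs" countermeasure can pick up. The following PowerShell is an added example, not code from the talk or its author: it assumes Security event 4688 with "Include command line in process creation events" enabled and the ParentProcessName field (Windows 10 / Server 2016 and later); the sample records are constructed.

```powershell
# Added example, not code from the talk: flag Security-log process creations that match the
# chains described above. Assumes event 4688 with "Include command line in process creation
# events" enabled and the ParentProcessName field (Windows 10 / Server 2016 and later).
function Test-BypassIndicator {
    param([string]$NewProcessName, [string]$CommandLine, [string]$ParentProcessName)
    $exe    = [IO.Path]::GetFileName($NewProcessName).ToLowerInvariant()
    $parent = [IO.Path]::GetFileName($ParentProcessName).ToLowerInvariant()
    $hits = @()
    # Slide 50: InstallUtil.exe with the uninstall switch runs code from the supplied binary.
    if ($exe -eq 'installutil.exe' -and $CommandLine -match '(^|\s)/u(ninstall)?\b') { $hits += 'InstallUtil uninstall action' }
    # Slide 52: csc.exe invoked outside a build tool, i.e. an ad-hoc compile in a user session.
    if ($exe -eq 'csc.exe' -and $parent -notin 'msbuild.exe', 'devenv.exe') { $hits += 'Ad-hoc C# compile' }
    # Slide 61: an MSI install option (custom action) spawning a shell from msiexec.exe.
    if ($parent -eq 'msiexec.exe' -and $exe -in 'cmd.exe', 'powershell.exe') { $hits += 'MSI custom action launched a shell' }
    # Slide 71: the ISE hosts a PowerShell engine even when powershell.exe is blocked.
    if ($exe -eq 'powershell_ise.exe') { $hits += 'powershell_ise.exe host' }
    return $hits
}

# Constructed sample records in the shape of 4688 fields (not real log data).
$Samples = @(
    @{ NewProcessName = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe'
       CommandLine = 'InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\u\app.exe'
       ParentProcessName = 'C:\Windows\System32\cmd.exe' },
    @{ NewProcessName = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe'
       ParentProcessName = 'C:\Windows\System32\msiexec.exe' },
    @{ NewProcessName = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe'
       ParentProcessName = 'C:\Windows\explorer.exe' }
)
foreach ($s in $Samples) {
    $why = Test-BypassIndicator @s          # the first two samples match, notepad does not
    if ($why) { '{0} -> {1}' -f $s.NewProcessName, ($why -join '; ') }
}

# Live use: parse the last day of 4688 events and report the matches per user.
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $d = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    $why = Test-BypassIndicator $d.NewProcessName $d.CommandLine $d.ParentProcessName
    if ($why) {
        [pscustomobject]@{ Time = $_.TimeCreated; User = $d.SubjectUserName
                           Process = $d.NewProcessName; Why = ($why -join '; ') }
    }
}
```

The csc.exe rule will also fire for legitimate ad-hoc compiles, so tune the parent-process allow list to what your build hosts actually run.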
72. One wish
I asked MSRC if I could do something to solve this,
but I got a similar answer.
“Applocker generally does not meet the bar for MSRC case.”
73. In order to protect myself from bypass, I noticed that I had to do
something for myself.
74. Countermeasures
• Use AppLocker with a whitelist
• If it’s difficult to operate a whitelist, set strict restrictions for AppLocker along with other group policies
• Detect problems using multilayer defense such as monitoring operation logs
75. Countermeasures
By implementing the following restrictions, I could
not bypass using the methods introduced in this talk.
I restricted the following using AppLocker:
• iexplore.exe
• csc.exe
• powershell.exe
• powershell_ise.exe
• cmd.exe
• Installing non-Microsoft software
※ There is a possibility of other operations being affected by implementing these restrictions.
Please do so at your own risk.
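One way to put the list above into an AppLocker policy, as an added example that is not the talk's own configuration: it assumes the default Windows install paths and the built-in Everyone and Administrators SIDs, starts both rule collections in AuditOnly, and keeps the usual default allow rules so that non-admin users do not lose every program once the collection contains rules.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the talk: apply the list above as an AppLocker policy. Assumes default
# install paths and starts in AuditOnly so the effect can be reviewed before switching to Enabled.
Import-Module AppLocker
# AppLocker does nothing unless the Application Identity service is running (slide 20).
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
$Everyone = 'S-1-1-0'; $Admins = 'S-1-5-32-544'
function New-PathRule([string]$Path, [string]$Sid, [string]$Action) {
    "<FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$Action $Path`" Description=`"`" " +
    "UserOrGroupSid=`"$Sid`" Action=`"$Action`"><Conditions>" +
    "<FilePathCondition Path=`"$Path`" /></Conditions></FilePathRule>"
}
# Executables from the list above; deny rules take precedence over the allow rules below.
$Deny = @('%PROGRAMFILES%\Internet Explorer\iexplore.exe',
          '%WINDIR%\Microsoft.NET\*\csc.exe',
          '%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe',
          '%SYSTEM32%\WindowsPowerShell\v1.0\powershell_ise.exe',
          '%SYSTEM32%\cmd.exe') | ForEach-Object { New-PathRule $_ $Everyone 'Deny' }
# Once a collection has rules, anything not explicitly allowed is blocked, so keep the
# usual default allows or non-admin users lose every program.
$Allow = @('%WINDIR%\*', '%PROGRAMFILES%\*') | ForEach-Object { New-PathRule $_ $Everyone 'Allow' }
# "Installing non-Microsoft software": the Msi collection allows only Microsoft-signed packages.
$MsiRule = @"
<FilePublisherRule Id="$([guid]::NewGuid())" Name="Microsoft-signed installers only" Description="" UserOrGroupSid="$Everyone" Action="Allow">
  <Conditions><FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
    <BinaryVersionRange LowSection="*" HighSection="*" /></FilePublisherCondition></Conditions>
</FilePublisherRule>
"@
$Policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    $($Deny -join "`n    ")
    $($Allow -join "`n    ")
    $(New-PathRule '*' $Admins 'Allow')
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly">
    $MsiRule
    $(New-PathRule '*' $Admins 'Allow')
  </RuleCollection>
</AppLockerPolicy>
"@
$File = Join-Path $env:TEMP 'codeblue-applocker.xml'
Set-Content -Path $File -Value $Policy -Encoding UTF8
# Dry run against the XML: cmd.exe should be reported as Denied for Everyone.
Test-AppLockerPolicy -XmlPolicy $File -Path "$env:SystemRoot\System32\cmd.exe" -User Everyone
# Merge into the local policy; audit-mode hits appear as event 8003 in
# 'Microsoft-Windows-AppLocker/EXE and DLL' (8004 once enforcement is Enabled).
Set-AppLockerPolicy -XmlPolicy $File -Merge
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } | Format-Table TimeCreated, Id, Message -AutoSize
```

Path rules are only as strong as the path they name, so where a signed binary is the target, a publisher rule with the same Action="Deny" is the more robust choice.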
76. Summary
• There are many methods of bypassing Windows
security functions, and it is very difficult to
completely prevent them
• It is important to acquire logs, restrict and
monitor networks, etc. on the premise that you
will get bypassed