Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. guest

    guest Guest

    Thanks for the example.
    I have added some of them to my config and then i'll see how many entries i have in my cmdscanner.log after some days.
    If all is good, i can switch to [LETHAL]
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @mood You're welcome. Great strategy going non-lethal for some time to test, always a good idea. :thumb:
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Slightly updated blacklist regarding a typo with auditpol.exe. I have also suggested that Florian add a "Last Updated" date to his blacklist so that us hardcore users will know whenever there has been an update to the list and can verify by checking the date on our own list. The "Last Updated" date is blocked out with # so that we can simply copy and paste into our own blacklists.

    Source: https://excubits.com/content/files/blacklist.txt

    Code:
    # Last Updated: 2017/03/12
    #
    *\AppData\Local\Temp\*.bat
    *\AppData\Local\Temp\*.com
    *\AppData\Local\Temp\*.scr
    *\AppData\Local\Temp\*.sys
    *\AppData\Roaming\*.bat
    *\AppData\Roaming\*.com
    *\AppData\Roaming\*.exe
    *\AppData\Roaming\*.scr
    *\AppData\Roaming\*.sys
    *\at.exe
    *\Temp\*.zip\*.exe
    *\Temp\*sfx\*.exe
    *\Temp\7z*\*.exe
    *\Temp\rar*\*.exe
    *\Temp\wz*\*.exe
    *aspnet_compiler.exe
    *attrib.exe
    *auditpol.exe
    *bcdboot.exe
    *bcdedit.exe
    *bitsadmin*
    *bootcfg.exe
    *bootim.exe
    *bootsect.exe
    *ByteCodeGenerator.exe
    *cacls.exe
    *csc.exe
    *debug.exe
    *DFsvc.exe
    *diskpart.exe
    *eventvwr.exe
    *hh.exe
    *IEExec.exe
    *iexplore.exe
    *iexpress.exe
    *ilasm.exe
    *InstallUtil*
    *InstallUtil.exe
    *journal.exe
    *jsc.exe
    *mmc.exe
    *mrsa.exe
    *MSBuild.exe
    *mshta.exe
    *mstsc.exe
    *netsh.exe
    *netstat.exe
    *powershell.exe
    *powershell_ise.exe
    *PresentationHost.exe
    *quser.exe
    *reg.exe
    *RegAsm*
    *regini.exe
    *Regsvcs*
    *regsvr32.exe
    *RunLegacyCPLElevated.exe
    *runonce.exe
    *script.exe
    *set.exe
    *setx.exe
    *Stash*
    *systemreset.exe
    *takeown.exe
    *taskkill.exe
    *UserAccountControlSettings.exe
    *vbc.exe
    *vssadmin.exe
    *wmic.exe
    *xcacls.exe
    ?:\$Recycle.Bin\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\FilesStash\*
    C:\Users\Public\*
    C:\Windows\ADFS\*
    C:\Windows\Fonts\*
    C:\Windows\Minidump\*
    C:\Windows\Offline Web Pages\*
    C:\Windows\Tasks\*
    C:\Windows\tracing\*

    For some blacklisted binaries that may cause blockage issues depending on individual system setups, what I do is # block out the lines that are causing issues and then add those to my parent whitelist/blacklist sections for additional control. That way I am able to allow certain processes to start those blacklisted items which are necessary but block all else.

    For example, I get blockages for the following binaries from Florian's blacklist:
    Code:
    # *attrib.exe
    # *bcdedit.exe
    # *cacls.exe
    # *mmc.exe
    # *reg.exe
    Therefore I block the lines out from the [BLACKLIST] section (above) and add them to the parent whitelist and parent blacklist section so that I can still block those processes but still allow for some control. Anyway, this is just an example that works for me so I thought I would share it.

    Code:
    [PARENTWHITELIST]
    #    [Override blacklist]
    !C:\Program Files (x86)\Microsoft VS Code\Code.exe>C:\Windows\SysWOW64\reg.exe
    !C:\Program Files (x86)\Stardock\Fences\Fences.exe>C:\Windows\System32\icacls.exe
    !C:\Windows\System32\cmd.exe>C:\Windows\System32\attrib.exe
    !C:\Program Files (x86)\EMET 5.5\EMET_GUI.exe>C:\Windows\System32\bcdedit.exe
    !C:\Program Files (x86)\EMET 5.5\EMET_GUI.exe>C:\Windows\System32\regsvr32.exe
    #    [Hyper-V Switch]
    !*\HyperVSwitch.exe>C:\Windows\System32\bcdedit.exe
    [PARENTBLACKLIST]
    #    [Override blacklist]
    *>*reg.exe
    *>*icacls.exe
    *>*attrib.exe
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    So I have been thinking more and more lately regarding EMET's Attack Surface Reduction (ASR) feature since EMET will be going EOL next year. Also, specifically because ASR is quite interesting for the fact that you can block very specific .DLL's (modules) from loading and/or injecting within specific processes. ASR certainly has quite a bit of potential for mitigating modern attack scenarios.

    I was thinking "What if I can replicate ASR feature within Bouncer?" to myself and decided to do some testing. I used SpeedyFox (speedyfox.exe) which I quite often use only for testing purposes because it is a simple yet portable application. I decided to protect speedyfox.exe with EMET, whereby EMET would be injecting EMET.dll for it's protection purposes on process creation for speedyfox.exe process. I verified as well to ensure that EMET.dll was correctly injected into speedyfox.exe (verified with Process Hacker) and also that EMET was reporting that speedyfox.exe process was protected.

    Within Bouncer.ini config, I had to create specific [WHITELIST] and [PARENTWHITELIST] to ensure that speedyfox.exe had the required permissions to execute as per normal. Following that, I created a specific [PARENTBLACKLIST] rule of D:\speedyfox\*>*EMET*.dll that would utilize Bouncer's powerful parent process control engine to block the injection of EMET's .DLL which provides the process protection.

    Code:
    [WHITELIST]
    D:\speedyfox\*
    [PARENTWHITELIST]
    D:\speedyfox\*>C:\Windows\*
    D:\speedyfox\*>C:\Program Files*
    [PARENTBLACKLIST]
    D:\speedyfox\*>*EMET*.dll
    From there, I was able to verify that speedyfox.exe was still able to execute as per normal, but with Bouncer indicating that it had blocked EMET.dll from being loaded into speedyfox.exe process. Following that, I was able to verify with EMET GUI that speedyfox.exe was no longer protected. Also, I used Process Hacker to verify that indeed EMET.dll was not loaded into speedyfox.exe process.

    Bingo! Attack Surface Reduction (ASR) functionality within Bouncer. :thumb:

    I definitely appreciate having that kind of granular control over my systems. Similar granular control can be had over command lines with Bouncer's [CMDCHECK] feature as well (or the separate cmdScanner driver). Although Bouncer starts during system init whereas cmdScanner starts slightly after.
     
  5. guest

    guest Guest

    An updated Blacklist, and sigma rules are mentioned in the newest blogentry.
    I think after looking at the "sigma rules" i got some new ideas for some new bouncer rules.
     
  6. guest

    guest Guest

    Today i booted the PC and i could see a message in the Windows Event Log that all Excubit-tools couldn't be started ("system-license expired") :eek:
    I queried the status of all Excubit-drivers and they were not running ...

    According to a new blog-entry they are preparing "a new batch of demo packages":
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @mood Yes, Florian has already compiled all of the updated drivers (demo and full) and I am testing them right now. There was an important fix for MZWriteScanner as well. The drivers are already cross-compiled with EV cert and Windows signing. I believe the only thing left for Florian that he is doing right now is compiling the tray tool binaries then will likely release today or tomorrow. There are new PDF manuals for MemProtect and FIDES as well. :thumb:
     
  8. guest

    guest Guest

    The website is still showing "Binaries last updated on 2016/10/30", but all tools have been updated now (digital signature: "2017/04/01") :thumb:
    Edit: After several hours i downloaded it again, and the file Tray.exe was updated. All previously changed files were untouched.
     
    Last edited by a moderator: Apr 2, 2017
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Noob question.

    I only use FIDES but when updating these drivers, should one uninstall the existing one first? What is the best procedure for updating?
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @paulderdash To be quite honest, I have never tried to install a kernel-mode driver over top of another without uninstalling first. It may very well work, but I have not tried. Here is what I have always done:

    Open a cmd prompt with Admin rights
    Code:
    net stop pumpernickel
    sc delete pumpernickel
    Then you can install the new driver from the updated package.
     
  11. guest

    guest Guest

    I have created a batch-file for it, so i don't have to type it in every time. "Rightclick, run as adminstrator", done :)
    For example:
    Code:
    File: uninstall_driver.cmd
    
    net stop pumpernickel
    sc delete pumpernickel
     
  12. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Only demo versions were time-limited. All my full versions still work. I think this was mention in the readme.txt or in the Excubit's blog somewhere that demo version needs to be refreshed after some times.

    I also would suggest to first stop then delete the driver. This is what I did a couple of minutes ago and it seemless works. So @mood, your uninstall_driver.cmd is perfect.
     
  13. guest

    guest Guest

    I expected the expiration a little bit later, in the readme.txt is this mentioned: "Demo driver will stop working mid 2017. "
    Anyway, all drivers/tools are now up-to-date and all is running fine :thumb:
     
  14. guest

    guest Guest

    New additions for the blacklist and "some thoughts on CVE-2017-0199 and Application Whitelisting":
     
  15. guest

    guest Guest

    New blog-entry "Why you should blacklist some paths below C:\Windows", and new additions to the blacklist:
     
  16. guest

    guest Guest

    Blog-entry: "#WanaCrypt0r #WannaCry, #Wcry attacked thousands of PCs"
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    For anyone that is interested in condensing their rule sets slightly, I've got something to share regarding DISM. It has taken me some time to figure out something that worked relatively well and that also combined DISM rules for AppData Temp location and C:\Windows\Temp location. This covers whitelist and parentwhitelist sections for DISM. This is just for anyone wanting to condense rules. Some users, of course, may want to stick with more granular rules that are more particular compared to this.

    Code:
    [WHITELIST]
    #    DISM
    !??*\Temp\????????-????-????-????-????????????\DismHost.exe
    !??*\Temp\????????-????-????-????-????????????\*.dll
    [PARENTWHITELIST]
    #    DISM
    !??*\Temp\????????-????-????-????-????????????\DismHost.exe>??*\Temp\????????-????-????-????-????????????\*.dll
    !??*\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Windows\*.dll

    EDIT: The only reason why I've got the ! (priority rules) is because I have a blacklist default deny for C:\Windows\Temp\ and therefore the priority rule is over-riding that. But for users without that default deny rule, you may not need the ! priority rule symbol for this to work.
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    For anyone who maintains a Vulnerable Apps List (Bouncer, AppGuard, NVT ERP, etc.), please share this and pass it along.

    Apparently Microsoft's Device Guard Team maintains a Vulnerable Apps List of sorts in which they recommend blocking the execution of specific apps provided that these aren't needed on some workstations. These can be used for bypassing Device Guard and therefore the potential to bypass other application whitelisting / anti-executable / software restriction policy software.

    There are also Code Integrity configurations for those who do use Device Guard.

    Link: https://github.com/Microsoft/window...guard/deploy-code-integrity-policies-steps.md


     
  19. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Thank you for this. So these apps should be added to the vulnerable list of any of the above mentioned apps? I need to get to testing with some of these. Cheers!
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Trooper You're welcome. Yes, indeed, but ensure that none of your programs utilize those apps. I believe the vulnerable apps list that Florian (Bouncer dev) contains most of these binaries already though.
     
  21. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Thanks. I have never tried out Bouncer at least not yet, but want to look into it. Been on the hunt for testing security apps again. It has been a long while since doing so for me.
     
  22. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    The only objects on the list that some people will find on their system are:
    • bash.exe
    • lxssmanager.dll
    The others, like bginfo.exe, will not be found unless you have installed them. bginfo.exe, for example, is a SysInternals utility.

    Unless one is using Microsoft's Device Guard (Enterprise hardware-software feature), then I would not worry about creating policies.

    Here is some infos on Device Guard:

    https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide
     
  23. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Thanks for sharing info here.

    The only?! I guessing that most people will also find cscript.exe, wscript.exe, csi.exe and some others.

    Building own blacklist with this informations and the blacklist from excubits is easy task. In bouncer just a matter of max. 2-3 minutes. I gave hint to Florian to update his blacklist soon with this informations from @WildByDesign post.
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    I think @Lockdown meant the only new ones, not already on Florian's list.
     
  25. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Precisely.

    There are various "vulnerable process" lists from Florian, Casey Smith, US CERT, Japan CERT, Microsoft, the NSA, and other agencies that have been floating around on the forums. Most people that are inclined to pay any attention to the vulnerable process lists already know full-well that interpreters such as cscript, wscript, etc are on most of the lists.
     
    Last edited: Jun 16, 2017
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.