DLL Injection Methods - Test Apps (Discussion)

Discussion in 'other software & services' started by WildByDesign, Feb 5, 2018.

  1. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    It's a mystery to me. I am really puzzled.
    I ran your powershell command, and then I checked group policy, but the rule did not appear.
    I am on win 10 pro x64 April update.

    In your case, it is even more of a mystery how you managed to set a Group Policy setting, because Windows Home editions do not have GP. Did you use a hack to add GP to Windows 10 Home?
     
  2. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    1) Open the Administrator command prompt.
    2) Powershell
    3) Enter the rule.
    4) Verify - Get-MpPreference.

    Try.:)
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    OK. I tried again to add the Lsass.exe ASR protection in my Win 10 1803 Home ver. using this command from an admin level Powershell window and it failed for the same reason as posted previously:

    Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled

    Now I use a third party AV. As such, WD realtime protection is disabled and WD service not started. So I enabled WD periodic scanning which in turn started the WD service. This allowed me to add the Lsass.exe ASR protection setting via PowerShell.

    I still believe that the underlying system protection feature behind this Lsass.exe and other related processes ASR rules is Credential Guard which only exists on Enterprise E5 as specifically noted by Microsoft. Till I actually see test results that these related Credential Guard ASR protections are working, I say it's speculation the ASR mitigations work on non-Enterprise E5 versions.

    I suspect why the USB ASR mitigation is working is it is not directly based on Credential Guard.
     
    Last edited: May 9, 2018
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    There are ASR protections that only will work if Windows Defender is the ACTIVE AV.
    I don't know if this applies to all ASR protections, but it does apply to the MS Office mitigations.
     
  5. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Try entering this rule and check:

    https://www.wilderssecurity.com/threads/dll-injection-methods-test-apps-discussion.400434/page-4#post-2755620

    This week I just can not risk interrupting the work I am doing with my W.10.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    The following explains Credential Guard in detail. For me it is fairly obvious that Win 10 1803 Lsass.exe ASR protection will not be effective w/o Credential Guard present in some form as exists in Enterprise E5 version:

    https://blogs.technet.microsoft.com...evice-guard-and-credential-guard-demystified/
     
  7. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @Sampei Nihira :

    As you have posted, there are a group of new Attack Surface Reduction rules in 1803.

    However - as Microsoft has recently stated, then the lsass.exe ASR rule is listed by mistake.
    This rule will not go live until later this year.
    The documentation was said to be updated soon.

    The other four new ASR rules in 1803 are active and fully functional.

    ----

    To others in thread :

    - The lsass.exe ASR rule has nothing to do with Credential Guard.
    It's meant for situations where Credential Guard can't be used.

    - Windows Defender Antivirus needs to be fully enabled including cloud protection and be the only AV on the device.
    Setting WD to periodic scanning is not the same as having WD fully enabled.

    - there is no difference in activating ASR settings through Group Policy or PowerShell.
    Group Policy is one way of altering settings.
    PowerShell is another way of altering settings.

    You use one of the two ways and then do a check with Get-MpPreference in PowerShell.
    The list you then get is the actual active settings on your system.
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Just for the record, I did find the rule in registry. Yeah, it's there. The only question is whether it is doing anything. I think that itman's reasoning is right, although I am not enough of a tester to test it...
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Thanks for the important clarifications!
     
  10. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    TH.:thumb:
    So I have to delete the lsass.exe ASR rule?
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    The powershell way of adding these ASR settings creates registry entries. Is this always the case, or are there cases where powershell creates GP entries?
    It's good to know what you did, so you can keep things organized and avoid conflicts between registry and GP.
     
  12. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Also the Network protection requires Windows 10 Enterprise E3 and Windows Defender AV real-time protection:

    https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard

    but in fact it works in my Home OS:

    https://www.wilderssecurity.com/threads/windows-defender-is-becoming-the-powerful-antivirus-that-windows-10-needs.383448/page-70#post-2755035

    ;)
     
  13. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    The Microsoft doc you linked to was published before April Update.
    Maybe with April update, the feature is available even on Pro and Home.
     
  14. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    If your reasoning is right it should also this:

    https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard
     
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Microsoft documentation is not so great, that's why we need people like you, to try it out and see what actually works! I tried it, after I saw your post, and I discovered that network protection is working for me as well.
     
  16. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    :)

    See you tomorrow bye.
     
  17. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    You are welcome.
    Yes, that would probably be best.
    That rule isn't active right now - but better wait until Microsoft gives it the green light.
    Lots of things can change between now and then.
    Altering settings through PowerShell will never show up in Group Policies.

    All settings are stored in registry. No matter how you set things up.
    But when you look in Group Policy editor, you will of course only see settings that you have altered through Group Policy.

    I prefer Group Policy when setting up the native security in Windows. Others prefer PowerShell.
    Just pick whatever method you find the easiest.

    But no matter which method, then the cleanest view of your combined settings that will be used by your system afterwards, is if you finish with Get-MpPreference in PowerShell.

    That tells you the sum of settings you have made through UI, Group Policy, PowerShell and so forth.

    Better not pay too much attention to requirements listed at Microsoft Docs at the moment.
    Microsoft Docs are great and they are massively updating everything in all sections currently.
    But ...

    - Exploit Protection is suddenly listed as if it requires Windows 10 Enterprise E3.
    All editions including Home and Pro have had this since branch 1709, so naturally it's a mistake.

    - Attack Surface Reduction rules are suddenly listed as if they require Windows 10 Enterprise E5.
    However they have always worked fine on Home and Pro and still do.

    - Network Protection suddenly listed as if it requires Windows 10 Enterprise E3.
    Network Protection was not functional after the January 2018 update to Windows Defender Antimalware Platform.
    However with Windows Defender Antimalware Platform version 4.14.17613.18039-0 and newer on branch 1803, Network Protection is now blocking and notifying perfectly on Home and Pro also.

    So instead of worrying too much about documentation, enjoy the great protection instead. :thumb: :thumb:
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I think it is about time you state in what official capacity you speak for Microsoft in regards to contradicting their official technical documentation? Or for that matter, making configuration recommendations in direct contradiction to what is stated in those documents.

    Better yet, I will make my own inquiries in regards to your activities in this forum to appropriate Microsoft management sources.
     
  19. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Lsass.exe ASR rule deleted.;)
     
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I did the same, but just for the sake of technical correctness, the rule is not actually deleted, rather it is disabled.
    In registry, you can see that the value is set to 0. This is as opposed to 1 for the enabled rules.
    I tried completely deleting the rule from registry, but it wouldn't delete.
    You can find your ASR rules here:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules

    Thanks to @Martin_C for answering all my questions.
     
  21. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
  22. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Deleted:

    Immagine.jpg

    always naturally using Powershell.:thumb::)
     
  23. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
  24. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    That's interesting. I used the powershell command with "disable" at the end, like it said in the microsoft doc. How does your command end? Does it say "delete"?

    If you could, please paste me your powershell command to delete the lsass rule.
     
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Disabling the rule is equally correct.:thumb:
    But I prefer to delete it.
    It is necessary to repeat the procedure to insert the same rules.
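
The checks discussed across the thread (Get-MpPreference as the effective view, the registry values 0 and 1, and disabling versus removing a rule), as an added PowerShell example that is not any poster's code. The helper names Get-AsrRuleState and Set-AsrRuleOff are hypothetical, the action value 2 (audit mode) is not mentioned in the thread, and Remove-MpPreference is an assumption for the removal step, since the thread does not show which command was used.

```powershell
# Added example: compare ASR rule state as Defender reports it with the registry values.
# Run from an elevated PowerShell window with the Defender cmdlets available.
$AsrKey     = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
$LsassRule  = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # rule ID quoted in the thread
$ActionName = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'AuditMode' }

function Get-AsrRuleState {
    # Ids and Actions are parallel arrays: Actions[i] belongs to Ids[i].
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })  # empty if none set
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $key     = Get-Item -LiteralPath $AsrKey -ErrorAction SilentlyContinue
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $a = [int]$actions[$i]
        [pscustomobject]@{
            RuleId        = $ids[$i]
            Action        = if ($ActionName.ContainsKey($a)) { $ActionName[$a] } else { "Other ($a)" }
            RegistryValue = if ($key) { $key.GetValue($ids[$i]) } else { $null }
        }
    }
}

function Set-AsrRuleOff {
    param([Parameter(Mandatory)][string]$RuleId, [switch]$Remove)
    if ($Remove) {
        # Takes the ID out of the configured list.
        Remove-MpPreference -AttackSurfaceReductionRules_Ids $RuleId
    } else {
        # Leaves the ID in the list with action 0.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions Disabled
    }
    # Re-read the effective state; no output means the rule is no longer listed.
    Get-AsrRuleState | Where-Object RuleId -eq $RuleId
}

Get-AsrRuleState | Format-Table -AutoSize
# Set-AsrRuleOff -RuleId $LsassRule            # disable: entry stays, action 0
# Set-AsrRuleOff -RuleId $LsassRule -Remove    # remove: entry leaves the list
```

A rule whose Action and RegistryValue columns disagree, or that appears in the registry key but not in the Get-MpPreference output, is worth a second look before relying on it.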
     