Want to get around app whitelists by pretending to be Microsoft? Of course you can...

Minimalist · Sep 23, 2017

A sprinkle of code and an understanding of the Windows digital certificate process is all that's needed for a miscreant to sneak malware past Microsoft's application whitelist within a corporate environment.

In a keynote address at the DerbyCon hacking conference in Kentucky, USA, on Friday, Matt Graeber, a security researcher with SceterOps, detailed how he managed to disguise and run a banned software nasty as a legit whitelisted app, and thus bypass Redmond's security mechanisms.
Click to expand...

https://www.theregister.co.uk/2017/09/22/bypassing_app_whitelists_microsoft_windows/

itman · Sep 23, 2017

Good find.

Not only can this subvert signed PowerShell script enforcement via AppLocker, it can also do the same to Device Guard. Additionally, this bypass just doesn't apply to Powershell scripts as noted below. Just one more in a never ending example parade that Windows native protections are crap:

Here is an example of a hijacked portable executable SIP (C689AAB8-8E78-11D0-8C47-00C04FC295EE) that has a legitimate Microsoft digital signature applied to an attacker supplied binary

Hiding from Autoruns

A side effect of applying a legitimate Microsoft Authenticode digital signature to attacker-supplied code hijacking the CryptSIPVerifyIndirectData component of a targeted SIP is that it will hide from Autoruns by default which does not display “Microsoft” or “Windows” entries by default.

With the portable executable SIP hijack in place, a persistent, attacker-supplied EXE does not show up by default

Subverting CryptoAPI v2 (CAPI) Event Logging

While not enabled by default, enabling the Microsoft-Windows-CAPI2/Operational event log can be a valuable source of contextual information related to failed trust validation.

The above event is an “Error” event. In this example, if the CryptSIPVerifyIndirectData component of the portable executable SIP were hijacked, the WinVerifyTrust event would still be logged but as an “Information” event indicating that trust validation was successful
Click to expand...

https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf

RockLobster · Sep 24, 2017

The exploit itself is rather a mute point, the real issue is, as he said,

...it's not hard to get admin privileges
Click to expand...

Log in or Sign up

Want to get around app whitelists by pretending to be Microsoft? Of course you can...

Minimalist Registered Member

itman Registered Member

RockLobster Registered Member

Log in or Sign up

Want to get around app whitelists by pretending to be Microsoft? Of course you can...

Minimalist Registered Member

itman Registered Member

RockLobster Registered Member

Useful Searches