Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,091
    I can see how CMD relates to Command in CMDCHECK, but how does LST relate to Parent in LSTCHECK (ie. what does LST mean)?
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    This is something that one of us would have to specifically ask Florian. I assume that he's abbreviated the wording to a certain extent so that each is down to 3 characters to remain consistent, which would also allow malware/security researchers to run custom scripts/regex against log files. But I must admit, I am curious as well as to the exact meaning of LST. If someone reaches out to Florian and finds out, please do let us know.
     
  3. kakaka

    kakaka Registered Member

    Joined:
    Oct 5, 2009
    Posts:
    60
    LST == LIST
    LSTCHECK == ParentListCheck
     
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,055
    The website of Excubits is using Cloudflare, but they were not affected by the "Cloudflare bug".
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    I've been paying attention more lately to some of these fileless attacks, which often use Microsoft-signed built-in binaries to bypass application whitelisting, and therefore I have also been playing around with command line scanner functionality, which helps to mitigate these attacks.

    For testing, I have been using Casey Smith's (@subTee) "AllTheThings" application whitelisting bypass tool: https://github.com/subTee/AllTheThings


    For Bouncer's [CMDCHECK] scanning:
    Code:
    [CMDBLACKLIST]
    #    [AllTheThings]
    *>*C:\Windows\Microsoft.NET\Framework*\*\InstallUtil.exe*/U*.dll*
    *>*C:\Windows\Microsoft.NET\Framework*\*\regsvcs.exe*.dll*
    *>*C:\Windows\Microsoft.NET\Framework*\*\regasm.exe*/U*.dll*
    *>*regsvr32*/s*.dll*
    *>*rundll32*.dll,EntryPoint*

    For those using Florian's other driver cmdScanner (aka CommandlineScanner), that code above would simply go into the [BLACKLIST] section. I have tested those command line blacklist rules quite thoroughly by disabling the rest of Bouncer's protection mechanisms so that nothing else interfered and I ensured that blockages in the log file showed up triggered by [CMDCHECK] specifically.


    So those rules above are thoroughly tested. The rules below, however, are not quite as thoroughly tested. The rules below are based on application bypass techniques listed at (https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET).

    Code:
    [CMDBLACKLIST]
    #    [Event Viewer]
    *eventvwr.exe*>*
    *>*eventvwr.exe*
    #    [PowerShell]
    *System.Management.Automation.dll*>*
    *>*System.Management.Automation.dll*
    #    [Blocking the regsvr32 application whitelisting bypass technique]
    *cmd.exe*>*regsvr32*scrobj.dll*
    *cmd.exe*>*regsvr32*scrrun.dll*
    #    [Blocking one rundll32 application whitelisting bypass technique]
    *rundll32*>*mshtml.dll*
    #    [Blocking rundll32 from loading PowerShell]
    *rundll32*>*System.Management.Automation.dll*
    #    [Blocking malicious OLE packages in Microsoft Office products]
    *\OFFICE1*\*>*flash*.ocx*
    *\OFFICE1*\*>*packager.dll*

    At the moment, what I am doing is allowing all command line functionality with *>* in the [CMDWHITELIST] section and targeting specific command lines in the [CMDBLACKLIST] section. Somewhat of a Default Allow setup, I suppose. But for the most part I am exploring and trying to learn more regarding command line scanning for my own testing purposes and thought that I would share my results so far.
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,055
    Thanks for the example.
    I have added some of them to my config and then I'll see how many entries I have in my cmdscanner.log after some days.
    If all is good, I can switch to [LETHAL].
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    @mood You're welcome. Great strategy going non-lethal for some time to test, always a good idea. :thumb:
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    Slightly updated blacklist regarding a typo with auditpol.exe. I have also suggested that Florian add a "Last Updated" date to his blacklist so that we hardcore users will know whenever there has been an update to the list and can verify by checking the date on our own list. The "Last Updated" date is blocked out with # so that we can simply copy and paste into our own blacklists.

    Source: https://excubits.com/content/files/blacklist.txt

    Code:
    # Last Updated: 2017/03/12
    #
    *\AppData\Local\Temp\*.bat
    *\AppData\Local\Temp\*.com
    *\AppData\Local\Temp\*.scr
    *\AppData\Local\Temp\*.sys
    *\AppData\Roaming\*.bat
    *\AppData\Roaming\*.com
    *\AppData\Roaming\*.exe
    *\AppData\Roaming\*.scr
    *\AppData\Roaming\*.sys
    *\at.exe
    *\Temp\*.zip\*.exe
    *\Temp\*sfx\*.exe
    *\Temp\7z*\*.exe
    *\Temp\rar*\*.exe
    *\Temp\wz*\*.exe
    *aspnet_compiler.exe
    *attrib.exe
    *auditpol.exe
    *bcdboot.exe
    *bcdedit.exe
    *bitsadmin*
    *bootcfg.exe
    *bootim.exe
    *bootsect.exe
    *ByteCodeGenerator.exe
    *cacls.exe
    *csc.exe
    *debug.exe
    *DFsvc.exe
    *diskpart.exe
    *eventvwr.exe
    *hh.exe
    *IEExec.exe
    *iexplore.exe
    *iexpress.exe
    *ilasm.exe
    *InstallUtil*
    *InstallUtil.exe
    *journal.exe
    *jsc.exe
    *mmc.exe
    *mrsa.exe
    *MSBuild.exe
    *mshta.exe
    *mstsc.exe
    *netsh.exe
    *netstat.exe
    *powershell.exe
    *powershell_ise.exe
    *PresentationHost.exe
    *quser.exe
    *reg.exe
    *RegAsm*
    *regini.exe
    *Regsvcs*
    *regsvr32.exe
    *RunLegacyCPLElevated.exe
    *runonce.exe
    *script.exe
    *set.exe
    *setx.exe
    *Stash*
    *systemreset.exe
    *takeown.exe
    *taskkill.exe
    *UserAccountControlSettings.exe
    *vbc.exe
    *vssadmin.exe
    *wmic.exe
    *xcacls.exe
    ?:\$Recycle.Bin\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\FilesStash\*
    C:\Users\Public\*
    C:\Windows\ADFS\*
    C:\Windows\Fonts\*
    C:\Windows\Minidump\*
    C:\Windows\Offline Web Pages\*
    C:\Windows\Tasks\*
    C:\Windows\tracing\*

    For some blacklisted binaries that may cause blockage issues depending on individual system setups, what I do is # block out the lines that are causing issues and then add those to my parent whitelist/blacklist sections for additional control. That way I am able to allow certain processes to start those blacklisted items which are necessary but block all else.

    For example, I get blockages for the following binaries from Florian's blacklist:
    Code:
    # *attrib.exe
    # *bcdedit.exe
    # *cacls.exe
    # *mmc.exe
    # *reg.exe
    Therefore I block the lines out from the [BLACKLIST] section (above) and add them to the parent whitelist and parent blacklist section so that I can still block those processes but still allow for some control. Anyway, this is just an example that works for me so I thought I would share it.

    Code:
    [PARENTWHITELIST]
    #    [Override blacklist]
    !C:\Program Files (x86)\Microsoft VS Code\Code.exe>C:\Windows\SysWOW64\reg.exe
    !C:\Program Files (x86)\Stardock\Fences\Fences.exe>C:\Windows\System32\icacls.exe
    !C:\Windows\System32\cmd.exe>C:\Windows\System32\attrib.exe
    !C:\Program Files (x86)\EMET 5.5\EMET_GUI.exe>C:\Windows\System32\bcdedit.exe
    !C:\Program Files (x86)\EMET 5.5\EMET_GUI.exe>C:\Windows\System32\regsvr32.exe
    #    [Hyper-V Switch]
    !*\HyperVSwitch.exe>C:\Windows\System32\bcdedit.exe
    [PARENTBLACKLIST]
    #    [Override blacklist]
    *>*reg.exe
    *>*icacls.exe
    *>*attrib.exe
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    So I have been thinking more and more lately regarding EMET's Attack Surface Reduction (ASR) feature, since EMET will be going EOL next year. Also, specifically because ASR is quite interesting for the fact that you can block very specific .DLLs (modules) from loading and/or injecting within specific processes. ASR certainly has quite a bit of potential for mitigating modern attack scenarios.

    I was thinking "What if I can replicate the ASR feature within Bouncer?" to myself and decided to do some testing. I used SpeedyFox (speedyfox.exe), which I quite often use only for testing purposes because it is a simple yet portable application. I decided to protect speedyfox.exe with EMET, whereby EMET would be injecting EMET.dll for its protection purposes on process creation for the speedyfox.exe process. I verified as well to ensure that EMET.dll was correctly injected into speedyfox.exe (verified with Process Hacker) and also that EMET was reporting that the speedyfox.exe process was protected.

    Within Bouncer.ini config, I had to create specific [WHITELIST] and [PARENTWHITELIST] to ensure that speedyfox.exe had the required permissions to execute as per normal. Following that, I created a specific [PARENTBLACKLIST] rule of D:\speedyfox\*>*EMET*.dll that would utilize Bouncer's powerful parent process control engine to block the injection of EMET's .DLL which provides the process protection.

    Code:
    [WHITELIST]
    D:\speedyfox\*
    [PARENTWHITELIST]
    D:\speedyfox\*>C:\Windows\*
    D:\speedyfox\*>C:\Program Files*
    [PARENTBLACKLIST]
    D:\speedyfox\*>*EMET*.dll
    From there, I was able to verify that speedyfox.exe was still able to execute as per normal, but with Bouncer indicating that it had blocked EMET.dll from being loaded into speedyfox.exe process. Following that, I was able to verify with EMET GUI that speedyfox.exe was no longer protected. Also, I used Process Hacker to verify that indeed EMET.dll was not loaded into speedyfox.exe process.

    Bingo! Attack Surface Reduction (ASR) functionality within Bouncer. :thumb:

    I definitely appreciate having that kind of granular control over my systems. Similar granular control can be had over command lines with Bouncer's [CMDCHECK] feature as well (or the separate cmdScanner driver). Although Bouncer starts during system init whereas cmdScanner starts slightly after.
     
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,055
    An updated blacklist and sigma rules are mentioned in the newest blog entry.
    I think after looking at the "sigma rules" I got some new ideas for some new Bouncer rules.
     
  11. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,055
    Today I booted the PC and I could see a message in the Windows Event Log that all Excubits tools couldn't be started ("system-license expired") :eek:
    I queried the status of all Excubits drivers and they were not running ...

    According to a new blog-entry they are preparing "a new batch of demo packages":
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    @mood Yes, Florian has already compiled all of the updated drivers (demo and full) and I am testing them right now. There was an important fix for MZWriteScanner as well. The drivers are already cross-compiled with EV cert and Windows signing. I believe the only thing left for Florian that he is doing right now is compiling the tray tool binaries then will likely release today or tomorrow. There are new PDF manuals for MemProtect and FIDES as well. :thumb:
     
  13. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,055
    The website is still showing "Binaries last updated on 2016/10/30", but all tools have been updated now (digital signature: "2017/04/01") :thumb:
    Edit: After several hours I downloaded it again, and the file Tray.exe was updated. All previously changed files were untouched.
     
    Last edited: Apr 2, 2017
  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,559
    Location:
    The etherlands
    Noob question.

    I only use FIDES but when updating these drivers, should one uninstall the existing one first? What is the best procedure for updating?
     
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    @paulderdash To be quite honest, I have never tried to install a kernel-mode driver over top of another without uninstalling first. It may very well work, but I have not tried. Here is what I have always done:

    Open a cmd prompt with Admin rights
    Code:
    net stop pumpernickel
    sc delete pumpernickel
    Then you can install the new driver from the updated package.
     
  16. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,055
    I have created a batch file for it, so I don't have to type it in every time. "Right-click, run as administrator", done :)
    For example:
    Code:
    File: uninstall_driver.cmd
    
    net stop pumpernickel
    sc delete pumpernickel
     
  17. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    140
    Location:
    Europe
    Only demo versions were time-limited. All my full versions still work. I think it was mentioned in the readme.txt or in the Excubits blog somewhere that the demo version needs to be refreshed after some time.

    I would also suggest first stopping and then deleting the driver. This is what I did a couple of minutes ago and it works seamlessly. So @mood, your uninstall_driver.cmd is perfect.
     
  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,055
    I expected the expiration a little bit later; this is mentioned in the readme.txt: "Demo driver will stop working mid 2017."
    Anyway, all drivers/tools are now up-to-date and all is running fine :thumb:
     
  19. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,055
    New additions for the blacklist and "some thoughts on CVE-2017-0199 and Application Whitelisting":
     
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,055
    New blog-entry "Why you should blacklist some paths below C:\Windows", and new additions to the blacklist:
     
  21. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,055
    Blog-entry: "#WanaCrypt0r #WannaCry, #Wcry attacked thousands of PCs"
     
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    For anyone that is interested in condensing their rule sets slightly, I've got something to share regarding DISM. It has taken me some time to figure out something that worked relatively well and that also combined DISM rules for AppData Temp location and C:\Windows\Temp location. This covers whitelist and parentwhitelist sections for DISM. This is just for anyone wanting to condense rules. Some users, of course, may want to stick with more granular rules that are more particular compared to this.

    Code:
    [WHITELIST]
    #    DISM
    !??*\Temp\????????-????-????-????-????????????\DismHost.exe
    !??*\Temp\????????-????-????-????-????????????\*.dll
    [PARENTWHITELIST]
    #    DISM
    !??*\Temp\????????-????-????-????-????????????\DismHost.exe>??*\Temp\????????-????-????-????-????????????\*.dll
    !??*\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Windows\*.dll

    EDIT: The only reason why I've got the ! (priority rules) is because I have a blacklist default deny for C:\Windows\Temp\ and therefore the priority rule is overriding that. But for users without that default deny rule, you may not need the ! priority rule symbol for this to work.
     
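To make the interplay of blacklist, parent rules and the ! priority marker in posts 8, 9 and 22 concrete, here is an added example (my own toy evaluator, not Bouncer's engine or any poster's code) that replays those rules against constructed process-start events. The matching semantics it assumes ('*' and '?' wildcards, case-insensitive, priority whitelist beats a blacklist hit, default deny otherwise) are my approximation of the thread's description, and the GUID-named Temp folder and image paths in the tests are constructed.

```python
"""Toy evaluator for the Bouncer-style rules quoted in this thread (constructed
for illustration, NOT Excubits' engine). Assumed semantics: '*' matches any run
of characters (backslashes included), '?' exactly one character, matching is
case-insensitive, '#' starts a comment, 'parent>child' rules are matched against
the pair of image paths, and a leading '!' marks a priority rule that beats a
blacklist hit."""
import fnmatch
import re

# Constructed ruleset stitched together from posts 8, 9 and 22 above.
RULES = r"""
[WHITELIST]
C:\Windows\*
C:\Program Files*
D:\speedyfox\*
!??*\Temp\????????-????-????-????-????????????\DismHost.exe
[BLACKLIST]
C:\Windows\Temp\*
[PARENTWHITELIST]
!C:\Program Files (x86)\Microsoft VS Code\Code.exe>C:\Windows\SysWOW64\reg.exe
D:\speedyfox\*>C:\Program Files*
[PARENTBLACKLIST]
*>*reg.exe
D:\speedyfox\*>*EMET*.dll
"""


def parse_rules(text):
    """Return {SECTION: [(is_priority, compiled_regex), ...]}."""
    rules, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
            continue
        rx = re.compile(fnmatch.translate(line.lstrip("!")), re.IGNORECASE)
        rules.setdefault(section, []).append((line.startswith("!"), rx))
    return rules


def decide(rules, parent, child):
    """Assumed precedence: priority whitelist hit -> ALLOW; any blacklist hit ->
    BLOCK; ordinary whitelist hit -> ALLOW; no match -> BLOCK (default deny)."""
    pair = f"{parent}>{child}"
    def hits(section, target):
        return [prio for prio, rx in rules.get(section, []) if rx.match(target)]
    white = hits("WHITELIST", child) + hits("PARENTWHITELIST", pair)
    black = hits("BLACKLIST", child) + hits("PARENTBLACKLIST", pair)
    if any(white):
        return "ALLOW", "priority whitelist"
    if black:
        return "BLOCK", "blacklist"
    return ("ALLOW", "whitelist") if white else ("BLOCK", "default deny")
```

Stripping the ! from the DISM rule (`RULES.replace("!", "")`) makes DismHost.exe fall to the C:\Windows\Temp\* blacklist, which is exactly the default-deny interaction the EDIT above describes.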
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    For anyone who maintains a Vulnerable Apps List (Bouncer, AppGuard, NVT ERP, etc.), please share this and pass it along.

    Apparently Microsoft's Device Guard Team maintains a Vulnerable Apps List of sorts in which they recommend blocking the execution of specific apps provided that these aren't needed on some workstations. These can be used for bypassing Device Guard and therefore the potential to bypass other application whitelisting / anti-executable / software restriction policy software.

    There are also Code Integrity configurations for those who do use Device Guard.

    Link: https://github.com/Microsoft/window...guard/deploy-code-integrity-policies-steps.md


     
  24. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    3,711
    Thank you for this. So these apps should be added to the vulnerable list of any of the above mentioned apps? I need to get to testing with some of these. Cheers!
     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    @Trooper You're welcome. Yes, indeed, but ensure that none of your programs utilize those apps. I believe the vulnerable apps list that Florian (Bouncer dev) maintains contains most of these binaries already though.