Bypass Windows 10 User Group Policy (and more) with this One Weird Trick


ForgottenSeer 85179

Thread author
I'm going to share an (ab)use of a Windows feature which can result in bypassing User Group Policy (as well as a few other interesting things). Bypassing User Group Policy is not the end of the world, but it's also not something that should be allowed and depending on User Group Policy setup, could result in unfortunate security scenarios. This technique has been tested against Windows 7 and Windows 10 Enterprise x64 (10.18363 1909) and does not require admin access. Leveraging this trick has to do with how the user account registry is loaded upon login, so let's start this off by understanding a bit about what happens when a user logs into a Windows account.

A lot of text which I don't copy here.
But it's very interesting - even for non-technical guys
 

plat

Sep 13, 2018
The author reached out to Microsoft and it was declined to investigate further, stating this is "expected" behavior. How... expected. :rolleyes:

How many Enterprises rely and depend on group policy? Honk if you want Microsoft to reverse its decision. 🚙 🔊
 

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
The User Group Policies are not as strong as the Computer (system-wide) Group Policies. Anything that relies on the Windows Registry HKCU hive can probably be bypassed with standard rights. The User Group Policies are intended to restrict users, but not malware. :) (y)
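An added example (not from the thread, and not a Hard_Configurator tool) for auditing the point above: it lists policy values that exist under HKCU\Software\Policies with no value at the same relative path under HKLM\Software\Policies, i.e. restrictions that rest on the user hive alone. It assumes the Registry provider paths `HKLM:` and `HKCU:` and read access to both hives.

```powershell
# Added example (not from the thread): audit which policy values rest only on the
# user hive. A value under HKCU\Software\Policies with no counterpart at the same
# relative path under HKLM\Software\Policies is enforced by User Group Policy alone.
function Get-UserHiveOnlyPolicy {
    $machine = @{}
    $prefix  = '^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\Policies\\?'

    # Index every machine-wide policy value by its path relative to ...\Policies
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Policies' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            $rel = $key.Name -replace $prefix, ''
            foreach ($name in $key.GetValueNames()) { $machine["$rel\$name"] = $true }
        }

    # Walk the user hive and report values with no machine-wide twin
    Get-ChildItem -Path 'HKCU:\SOFTWARE\Policies' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            $rel = $key.Name -replace $prefix, ''
            foreach ($name in $key.GetValueNames()) {
                if (-not $machine.ContainsKey("$rel\$name")) {
                    # This restriction lives in the user's own hive only
                    [pscustomobject]@{ Key = $rel; Value = $name; Data = $key.GetValue($name) }
                }
            }
        }
}

Get-UserHiveOnlyPolicy | Sort-Object Key | Format-Table -AutoSize
```

Many settings only exist in user form by design (Office macro policies, for example), so the list shows what depends on the user hive, not what can be moved; where a machine-wide equivalent does exist, the HKLM value takes precedence.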
 

TairikuOkami

May 13, 2017
This means if we set an explicit entry to “DENY” SYSTEM writable permissions, then it will effectively block “SYSTEM” from obtaining writable permissions since our “DENY” rule will take precedence over the “ALLOW” rule that it tries to add.
Permissions are great to play with, like when you deny Everyone write access on a USB drive's root, preventing autorun malware.
I blocked several ransomware from modifying files by simply blocking SYSTEM. :LOL:
Code:
REM Take ownership of the drive (recursively, as the administrators group, answering yes to prompts)
takeown /f E: /a /r /d y
REM Strip the default ACEs and re-grant Users read/execute, inherited by subfolders and files
icacls E: /remove "Authenticated Users" "Users" "System" /grant "Users":(OI)(CI)RX /t /l /q /c
REM Explicit DENY for SYSTEM: evaluated before any ALLOW ACE, so a re-added ALLOW does not win
icacls E: /deny "System":(OI)(CI)F /t /l /q /c
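An added example (mine, not TairikuOkami's) that applies the same explicit Deny ACE for SYSTEM that the icacls commands above set, but to every removable volume rather than a hard-coded E:, plus a check that the deny ACE is actually present. It assumes PowerShell 3 or later (for Get-CimInstance) and that the current user already owns the drive root.

```powershell
# Added example (not from the thread): apply the "deny SYSTEM" ACL to every
# removable volume, whatever its drive letter, then verify it took effect.
function Set-RemovableDenySystem {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$DriveLetter)   # e.g. 'E'; omit to target all removable drives

    if (-not $DriveLetter) {
        # Win32_LogicalDisk DriveType 2 = removable; DeviceID looks like "E:"
        $DriveLetter = (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2').DeviceID |
            ForEach-Object { $_.TrimEnd(':') }
    }
    $flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none  = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($letter in $DriveLetter) {
        $root = "${letter}:\"
        if (-not (Test-Path -LiteralPath $root)) { Write-Warning "$root not present"; continue }
        $acl = Get-Acl -LiteralPath $root
        # Explicit DENY ACE: evaluated before any ALLOW, so SYSTEM loses write even if re-granted
        $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'NT AUTHORITY\SYSTEM', 'FullControl', $flags, $none, 'Deny')
        $acl.AddAccessRule($deny)
        if ($PSCmdlet.ShouldProcess($root, 'Add DENY FullControl for SYSTEM')) {
            Set-Acl -LiteralPath $root -AclObject $acl
        }
    }
}

# Does the root carry an explicit Deny for SYSTEM that covers write rights?
function Test-SystemDenied {
    param([Parameter(Mandatory)][string]$Path)
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    $hit = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        (($_.FileSystemRights -band $write) -eq $write)
    }
    return [bool]$hit
}

Set-RemovableDenySystem -WhatIf          # dry run: shows which roots would be changed
Set-RemovableDenySystem -DriveLetter E
Test-SystemDenied -Path 'E:\'
```

A Deny on SYSTEM also hits every service running as SYSTEM, including on-access antivirus scanning and backup agents, so try it on a scratch drive and see what stops working before relying on it.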
 

ForgottenSeer 85179

Thread author
preventing autorun malware.
Microsoft fixed that a long time ago ;)

I blocked several ransomware from modifying files by simply blocking SYSTEM. :LOL:
Code:
takeown /f E: /a /r /d y
icacls E: /remove "Authenticated Users" "Users" "System" /grant "Users":(OI)(CI)RX /t /l /q /c
icacls E: /deny "System":(OI)(CI)F /t /l /q /c
So what do you do if the USB drive uses another letter than E:?
Doesn't sound like a good solution to me. Sorry :p
 

koloveli

Sep 13, 2012
In this and other aspects Windows is still vulnerable;
trojans since Windows XP have used system applications (dllhost, svchost, bypassing the firewall, bypassing user control ...) to go unnoticed by the system
 

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
In this and other aspects Windows is still vulnerable;
trojans since Windows XP have used system applications (dllhost, svchost, bypassing the firewall, bypassing user control ...) to go unnoticed by the system
The non-vulnerable OS will probably be unusable.
User Group Policies can significantly reduce the danger of such infections via users' actions.
For example, if the user applies the policy to block macros in MS Office, then most of the weaponized documents cannot use system applications to infect the system.
 

ForgottenSeer 823865

Thread author
It is not difficult to create a very safe OS, it will just require a powerful machine.
See the Qubes OS principle: every app runs in its own mini-VM.

An OS isn't supposed to be safe, it is supposed to be usable for the most users possible.
With time, and because of the growing cybercriminal activities, it has to be safe.

LOLbins aren't really an issue, they are just processes that can easily be blocked via Windows' own tools or 3rd-party ones.
Even the crucial ones can be mitigated to some extent.

The real issue is the users who aren't educated to distinguish and face threats, and by their unsafe behavior provoke their own demise and contribute involuntarily to the growth of criminal activity. Ransomware is the perfect example.

And add on top kernel vulnerabilities that can't be mitigated by security tools but only by the OS vendors. And we have the situation we are in now.
 

ForgottenSeer 85911

Thread author
It is not difficult to create a very safe OS, it will just require a powerful machine.
See the Qubes OS principle: every app runs in its own mini-VM.

An OS isn't supposed to be safe, it is supposed to be usable for the most users possible.
With time, and because of the growing cybercriminal activities, it has to be safe.

LOLbins aren't really an issue, they are just processes that can easily be blocked via Windows' own tools or 3rd-party ones.
Even the crucial ones can be mitigated to some extent.

The real issue is the users who aren't educated to distinguish and face threats, and by their unsafe behavior provoke their own demise and contribute involuntarily to the growth of criminal activity. Ransomware is the perfect example.

And add on top kernel vulnerabilities that can't be mitigated by security tools but only by the OS vendors. And we have the situation we are in now.

The current world IT system is so broken no solution is possible.
The future is private individuals paying for insurance against losses due to cybercrime, like LifeLock.
20 years from now everybody will buy such insurance.
 

koloveli

Sep 13, 2012
The non-vulnerable OS will probably be unusable.
User Group Policies can significantly reduce the danger of such infections via users' actions.
For example, if the user applies the policy to block macros in MS Office, then most of the weaponized documents cannot use system applications to infect the system.
Block an application in the firewall and try remote access, exploring the blocked app, and see what happens. This also applies to installing and running advanced malware (bypassing the Windows Defender policy block).
 
