509322

Andy Ful said:
@Windows_Security
I am not so sure about it; in many cases a drive-by attack can gently ignore both UAC and Smartscreen. Both the malware file and the shortcut can be dropped to the User Space (no copy alert) without 'Mark of the Web' (no Smartscreen check on the run), and executed without elevation (no UAC alert). Thanks to Microsoft, SRP will stop direct malware execution, but sadly, not indirect execution by the shortcut.
It is also interesting that after copying the same shortcut to the System Space (for example C:\Windows) the above trick does not work.
I would like the missing option in SRP to whitelist shortcuts by hash.
By the way, using SRP with something like Voodoo Shield may be a good idea.

@Av Gurus
My reply to your question was not correct, it should be:
Almost anywhere (except whitelisted folders).
A Smartscreen and UAC bypass can only happen if the malware is executed. The whole purpose of software restriction policies is to block the execution in the first place. For a file to execute, the user launched it with the SRPs disabled, the SRP configuration allows the launch, and/or there is a bug/vulnerability. The most common scenarios are the first two, with the last one a rarity.

AppLocker if properly configured will block all high-risk file\process executions - even malicious *.lnk (shortcut) with arguments that download and drop files to writeable directories can be effectively handled. Simply create policies that block the launch of executable files from writeable directories susceptible to malicious *.lnk attacks. Using an understanding of Windows and malware behaviors you can bolster AppLocker's basic configuration.
 
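An added example of the AppLocker approach described in the post above (this is not code from the thread or from any project mentioned in it): an "Exe" rule collection that allows the system locations and explicitly denies launches from directories a standard user can write to, then dry-runs the policy with Test-AppLockerPolicy. It assumes an edition on which AppLocker is enforced (Enterprise/Education/Server), an elevated PowerShell session, and a throwaway copy of notepad.exe standing in for a payload dropped by a shortcut. The rule names, GUIDs and the folder list are the example's own choices.

```powershell
# Added example, not code from the thread. AppLocker Exe rules: allow the system
# locations, deny the user-writeable ones. Deny rules win over Allow rules in
# AppLocker, so the two Deny entries carve the profile and Windows\Temp back out.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="5a2c1a3e-1111-4a6e-9c2e-000000000001" Name="Allow Windows"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="5a2c1a3e-1111-4a6e-9c2e-000000000002" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <!-- Writeable by a standard user: this is where a malicious .lnk drops its payload. -->
    <FilePathRule Id="5a2c1a3e-1111-4a6e-9c2e-000000000003" Name="Deny user profiles"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="5a2c1a3e-1111-4a6e-9c2e-000000000004" Name="Deny Windows Temp"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$policyPath = Join-Path $env:TEMP 'applocker-exe-deny-writeable.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# A harmless file standing in for a payload dropped into the profile by a shortcut.
$dropped = Join-Path $env:USERPROFILE 'Downloads\dropped-by-lnk.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $dropped -Force

# Dry run: what would the policy decide for a system binary and for the drop?
# Expected: notepad.exe in System32 -> Allowed, the copy under Downloads -> Denied.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path "$env:WINDIR\System32\notepad.exe", $dropped |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# To enforce: the Application Identity service must run, then merge into the local policy.
# Start-Service AppIDSvc
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

The .lnk file itself is not evaluated by any AppLocker rule collection; what the rules stop is the executable the shortcut launches, which is the point the post makes. Once enforced, blocked launches appear as event 8004 in the Microsoft-Windows-AppLocker/EXE and DLL log.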

Andy Ful

I was thinking that only Enterprise editions support AppLocker, but that is not so with Windows 10.

"You can use the AppLocker CSP to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016."

Requirements to use AppLocker (Windows 10)

It is very interesting. Thanks for the info.
 
509322

Andy Ful said:
I was thinking that only Enterprise editions support AppLocker, but that is not so with Windows 10.

"You can use the AppLocker CSP to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016."

Requirements to use AppLocker (Windows 10)

It is very interesting. Thanks for the info.
AppLocker CSP is for mobile device management.

AppLocker is only available on Windows 10 Education and Enterprise versions.
 

Windows_Security

Andy Ful said:
@Windows_Security
I am not so sure about it; in many cases a drive-by attack can gently ignore both UAC and Smartscreen. Both the malware file and the shortcut can be dropped to the User Space (no copy alert) without 'Mark of the Web' (no Smartscreen check on the run), and executed without elevation (no UAC alert). Thanks to Microsoft, SRP will stop direct malware execution, but sadly, not indirect execution by the shortcut.
It is also interesting that after copying the same shortcut to the System Space (for example C:\Windows) the above trick does not work.
The shortcut can't run programs in user space, so the executable should be moved into UAC-protected folders to be successful (which would trigger a UAC alert). Windows 10 has closed down user-writeable subfolders in Windows. So SRP should protect you.

Also I don't think secure browsers like Chrome and Edge would allow you to download files without setting the 'internet flag'. Do you have examples of websites successfully bypassing Chrome or Edge setting the ADS Internet flag?
 

Andy Ful

@Windows_Security
You wrote "The shortcut can't run programs in user space", so I think that we are talking about different SRP configurations. Definitely, in my setup shortcuts can run programs in User Space. o_O
Please do the simple test on your computer:
1. Create new folder in User Space.
2. Make sure that this folder is not (indirectly) whitelisted by SRP path rule.
3. Copy EXE file to this folder and make the shortcut of EXE file (in the same folder).
4. Run EXE - blocked in my case
5. Run the shortcut - EXE file not blocked.

If you whitelisted the folder with shortcuts ('Desktop' for example), the shortcut from this folder cannot run the EXE file located in User Space.
 
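An added example (not code from the thread) that reproduces the five-step test in the post above under PowerShell, and also checks the "no Mark of the Web" point from the quoted post on the copied file. It assumes SRP is enabled with a Disallowed default level, that the new folder is not covered by any Unrestricted path rule, and that notepad.exe stands in for "an EXE". Explorer's double-click and Start-Process both go through ShellExecute, but a difference between the two launchers is possible, so the SRP event log is read at the end to see what was actually judged.

```powershell
# Added example, not code from the thread. Step numbers follow the post.
$testDir = Join-Path $env:USERPROFILE 'SrpLnkTest'          # 1. new folder in User Space
New-Item -ItemType Directory -Path $testDir -Force | Out-Null

# 2. list the Unrestricted path rules so the folder can be checked against them
$unrestricted = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths'
Get-ChildItem -Path $unrestricted -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }

# 3. copy an EXE into the folder and create a shortcut to it in the same folder
$exe = Join-Path $testDir 'np-copy.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $exe -Force
$lnk = Join-Path $testDir 'np-copy.lnk'
$shortcut = (New-Object -ComObject WScript.Shell).CreateShortcut($lnk)
$shortcut.TargetPath = $exe
$shortcut.WorkingDirectory = $testDir
$shortcut.Save()

# A locally copied file carries no Zone.Identifier stream, i.e. no Mark of the Web,
# so SmartScreen is never consulted; a browser download normally carries ZoneId=3.
$motw = Get-Item -Path $exe -Stream Zone.Identifier -ErrorAction SilentlyContinue
"Mark of the Web present on copied EXE: $([bool]$motw)"

# 4. and 5. launch the EXE directly, then through the shortcut
foreach ($target in $exe, $lnk) {
    $ext = [IO.Path]::GetExtension($target)
    try {
        Start-Process -FilePath $target -ErrorAction Stop
        "${ext}: launched"
    } catch {
        # An SRP refusal surfaces as Win32 error 1260 (ERROR_ACCESS_DISABLED_BY_POLICY)
        "${ext}: blocked - $($_.Exception.Message)"
    }
}

# SRP records its decisions in the Application log, source SoftwareRestrictionPolicies
# (event 865 = blocked by the default level, 866 = blocked by a path rule).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies' } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Format-List TimeCreated, Id, Message
```

Run it once as-is, then repeat after adding the test folder (or its .lnk files) to an Unrestricted rule: the event log shows which object SRP judged in each case, which is the quickest way to see the whitelisted-folder behaviour the post describes on your own configuration.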

Windows_Security

I added a deny "traverse folder/execute file" for Everyone in all user folders (except in Temp, because I use this to install programs from with right-click Run as Admin). ACL (like SRP) also blocks the execution (ACL access deny message in Dutch):

Inherited ACL deny execute file/traverse folder for Everyone on a newly created folder elsewhere (weigeren = deny):

Because I use default level Basic User with an exception for Administrator, the Temp folder is the only folder where it is possible to use right-click "Run as Administrator". When I click on an executable it is blocked by SRP. In UAC I have removed the Windows Installer recognition (to prevent elevation) and set UAC to block elevation of unsigned executables (so it sort of mimics the AppGuard blocking behaviour in default mode in user folders).

Messing with ACLs (Access Control Lists) is an easy way to brick your system, so handle with care (make a backup of the ACLs first). When you don't know how to back up and restore ACLs, don't mess with them!
 
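An added example (not code from the thread) of the execute/traverse deny for Everyone that the post above describes, done with icacls, with the ACL backup the post insists on taken first. The folder list is the example's own and %LOCALAPPDATA%\Temp is left alone, as the post keeps it as the one place to "Run as administrator" from. The two registry values at the end are the UAC settings behind the two UAC changes the post mentions. It assumes an elevated PowerShell session, one interactive user, and no other explicit deny entries on those folders.

```powershell
# Added example, not code from the thread.
$folders = 'Downloads', 'Documents', 'Desktop', 'Pictures' |
    ForEach-Object { Join-Path $env:USERPROFILE $_ }
$backupDir = Join-Path $env:USERPROFILE 'acl-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($folder in $folders) {
    $name  = Split-Path -Path $folder -Leaf
    $saved = Join-Path $backupDir "$name.acl"

    # Backup first: /save records the DACLs of the whole tree with names relative to
    # the parent directory. Undo later with:  icacls "$env:USERPROFILE" /restore "$saved"
    icacls "$folder" /save "$saved" /t /c /q | Out-Null

    # Deny execute/traverse (X) to Everyone. The SID form (*S-1-1-0) works on any UI
    # language (the post's Dutch UI shows the group as "Iedereen"). (OI)(CI) makes the
    # deny inherit to files and folders created later, which is what the post's second
    # screenshot shows on a new folder.
    icacls "$folder" /deny '*S-1-1-0:(OI)(CI)(X)' /c /q | Out-Null
}

# Verify: each folder should now list Everyone with (DENY)(X) ahead of the allow entries.
$folders | ForEach-Object { icacls $_ }

# UAC side, matching the post: stop treating setup-looking binaries as installers
# (so no elevation prompt for them) and only elevate executables that are signed.
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $uac -Name EnableInstallerDetection    -Type DWord -Value 0
Set-ItemProperty -Path $uac -Name ValidateAdminCodeSignatures -Type DWord -Value 1
Get-ItemProperty -Path $uac | Select-Object EnableInstallerDetection, ValidateAdminCodeSignatures
```

Denying X on these folders does not stop double-clicking a shortcut that lives in them (a .lnk is read, not executed), so desktop shortcuts to programs in Program Files keep working; what stops is running an EXE, or a script host opening a script, from inside the denied tree. Per-user installs that live under AppData\Local are the usual casualty if that folder is added to the list.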

Andy Ful

It is interesting. Your system is somewhat more restricted than mine for LNK or EXE files.
I figured out how to minimize LNK execution problem in my setup. Here are all path rules in my SRP configuration:

DISALLOWED
*.lnk

UNRESTRICTED
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
%LOCALAPPDATA%\Microsoft\Windows\WinX\Group1\*.lnk
%LOCALAPPDATA%\Microsoft\Windows\WinX\Group2\*.lnk
%LOCALAPPDATA%\Microsoft\Windows\WinX\Group3\*.lnk
%USERPROFILE%\Desktop\*.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\*.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\*.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\*\*.lnk

I simply disallowed LNK files globally, and then whitelisted them in some folders for using 'Power Menu', 'Desktop', and 'Start Menu' shortcuts. Yet, whitelisting LNK locations has the side effect that now I can run all scripts (BAT, CMD, JS, JSE, PS1, VBS, VBE, WSF, HTA) and configuration files (CPL, MSC, REG) in the User Space by a shortcut in a whitelisted location. This loophole can be made smaller if CMD, WSH, and PowerShell scripts are blocked by the reg tweak.
The above tweaks work in the same way on my 2 computers: Windows 10 Pro (SRP configured by Secpol) and Windows 7 Home (configured by reg hack).
I am curious how the LNK problem looks on other computers.
 
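An added example (not code from the thread or from Hard_Configurator) that writes the rule set listed in the post above directly into the SRP registry keys, which is how SRP is configured on editions without secpol.msc (the post's Windows 7 Home "reg hack"). The key layout and the security-level numbers are the ones secpol.msc itself writes; the rule GUIDs and Description strings are generated here. The extension list appended at the end is one way of covering scripts and is not necessarily the "reg tweak" the post refers to. It assumes an elevated PowerShell session.

```powershell
# Added example, not code from the thread.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # security levels as stored under CodeIdentifiers\<level>\Paths
$Unrestricted = 262144

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [int]    $Level,
        [string] $Description = 'added by script'
    )
    # secpol.msc stores each path rule as a GUID-named subkey with these four values
    $key = "$safer\$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData     -Type ExpandString -Value $Path
    Set-ItemProperty -Path $key -Name SaferFlags   -Type DWord        -Value 0
    Set-ItemProperty -Path $key -Name LastModified -Type QWord        -Value (Get-Date).ToFileTime()
    Set-ItemProperty -Path $key -Name Description  -Type String       -Value $Description
}

# Global settings: default level Disallowed, applied to all users, DLLs exempt.
New-Item -Path $safer -Force | Out-Null
Set-ItemProperty -Path $safer -Name DefaultLevel       -Type DWord -Value $Disallowed
Set-ItemProperty -Path $safer -Name PolicyScope        -Type DWord -Value 0   # 0 = all users, admins included
Set-ItemProperty -Path $safer -Name TransparentEnabled -Type DWord -Value 1   # 1 = all software files except DLLs

# The post's rules, as listed.
Add-SrpPathRule -Level $Disallowed -Path '*.lnk'
@(
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%'
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%'
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'
    '%LOCALAPPDATA%\Microsoft\Windows\WinX\Group1\*.lnk'
    '%LOCALAPPDATA%\Microsoft\Windows\WinX\Group2\*.lnk'
    '%LOCALAPPDATA%\Microsoft\Windows\WinX\Group3\*.lnk'
    '%USERPROFILE%\Desktop\*.lnk'
    'C:\ProgramData\Microsoft\Windows\Start Menu\*.lnk'
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\*.lnk'
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\*\*.lnk'
) | ForEach-Object { Add-SrpPathRule -Level $Unrestricted -Path $_ }

# Shrinking the loophole the post mentions. SRP only judges files whose extension is in
# its designated file types list; the default list has LNK, CMD, BAT, HTA, REG, CPL and
# MSC but not JS, JSE, VBS, VBE, WSF or PS1. Adding those makes the script hosts check a
# script in User Space against the policy even when a whitelisted shortcut launches it.
# (If the list has never been written, secpol.msc's default list is used as the base.)
$defaultTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
                'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
                'PIF','REG','SCR','SHS','URL','VB','WSC'
$current = (Get-ItemProperty -Path $safer -ErrorAction SilentlyContinue).ExecutableTypes
if (-not $current) { $current = $defaultTypes }
$types = @($current) + @('JS','JSE','VBS','VBE','WSF','PS1') | Select-Object -Unique
Set-ItemProperty -Path $safer -Name ExecutableTypes -Type MultiString -Value $types

# Read back the rules now in the registry, one row per rule.
foreach ($level in $Disallowed, $Unrestricted) {
    Get-ChildItem -Path "$safer\$level\Paths" | ForEach-Object {
        [pscustomobject]@{ Level = $level; Path = (Get-ItemProperty -Path $_.PSPath).ItemData }
    }
}
```

New rules apply to processes started after the policy is re-read (a logoff/logon is the reliable way on a Home edition, where gpupdate is not available). On Pro and above the same keys are what secpol.msc edits, so a rule added here shows up in the console afterwards.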

shmu26

If your portable programs do not update frequently, the best way is to whitelist them by hash. Also, many portable applications work well in "Program Files" or "Program Files (x86)"; sometimes you need to change the folder where the application saves its settings etc., because in the above folders Administrative Rights are needed.
Some programs are wrapped and have to use the TEMP folder in the User Space to execute (most frequently it is ...\AppData\Local\Temp). Execution in the TEMP folder will be blocked by SRP, so the unwrapped file should be whitelisted by hash too. Usually, such files are quickly deleted, so utilities similar to "Moo0 FileMonitor" or Excubits MZWriteScanner may be needed to detect which files were temporarily dropped to the TEMP folder.
Does Moo0 work on Windows 10, and if not, is there a freeware alternative?
 

Andy Ful

Most users quickly abandon managing files by hash. I would bet the number of users that do it is something on the order of less than 0.0001 %.
That is true. Whitelisting by hash can be useful only for security-paranoid (home) users or in the case of programs that update themselves very rarely. In a well-updated system, whitelisting by path should be OK.
 
509322

@Andy Ful

Unless I am not paying attention and missed something in your prior post(s)...

You have DISALLOWED *.lnk, but made UNRESTRICTED:

%USERPROFILE%\Desktop\*.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\*.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\*.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\*\*.lnk

You disallowed *.lnk globally, but what you've whitelisted are all the entry points for malicious shortcut files - so malicious shortcuts will not be blocked.

The primary entry point is: %USERPROFILE%\Desktop\*.lnk

Malicious shortcuts are a problem much more effectively solved by disabling or restricting the processes that malicious shortcuts abuse and the directories to which those abused processes write. Whether you block writes or executions, it's six of one and half a dozen of the other.
 

Andy Ful

509322 said:
@Andy Ful

Unless I am not paying attention and missed something in your prior post(s)...

You have DISALLOWED *.lnk, but made UNRESTRICTED:

%USERPROFILE%\Desktop\*.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\*.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\*.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\*\*.lnk

You disallowed *.lnk globally, but what you've whitelisted are all the entry points for malicious shortcut files - so malicious shortcuts will not be blocked.

The primary entry point is: %USERPROFILE%\Desktop\*.lnk

Malicious shortcuts are a problem much more effectively solved by disabling or restricting the processes that malicious shortcuts abuse and the directories to which those abused processes write. Whether you block writes or executions, it's six of one and half a dozen of the other.
That's right. And that is the price that has to be paid in Windows when one prefers usability over security. o_O
As I wrote in my previous post:
"Yet, whitelisting LNK locations has the side effect that now I can run all scripts (BAT, CMD, JS, JSE, PS1, VBS, VBE, WSF, HTA) and configuration files (CPL, MSC, REG) in the User Space by a shortcut in a whitelisted location. This loophole can be made smaller if CMD, WSH, and PowerShell scripts are blocked by the reg tweak."
The LNK solution + blocked scripts is appropriate only for home users. It assumes that the system and software are hard to exploit by malware in the wild (updated Windows 8+), and that no one bothers to make a targeted attack. In practice, it works exceptionally well, because SRP can also mitigate many exploits.
Of course, a more security-paranoid home user should listen to your advice and put sponsors (cmd.exe, wscript.exe, cscript.exe, mmc.exe, mshta.exe, powershell.exe, powershell_ise.exe, regedit.exe, and many others) on the SRP blacklist. This is the solution known from Bouncer, NVT ERP, and other anti-exe programs. I am thinking about introducing such an option in Hard_Configurator. But that is a solution for users that prefer security over usability.
Windows built-in SRP also assumes that the system can protect users against fileless exploits, which is partially true in Windows 8+, and even more true in Windows 10.
Finally, when the home user needs enterprise protection, then he/she can go for AppGuard. :)
 

Andy Ful

Windows built-in security (with SRP and hardening) is:
* good in Windows Vista;
* pretty good in Windows 7;
* very good in Windows 8 and 8.1;
* exceptionally good (but still not bullet proof) in Windows 10.

In Windows Vista and Windows 7, the users need to use additional antivirus/antimalware.
Windows with any usable security is vulnerable to targeted attacks.
 
509322

Andy Ful said:
The LNK solution + blocked scripts is appropriate only for home users.
It's appropriate for an Enterprise workstation user too as the typical worker doesn't use nor need to use them. Admins might use them - but that varies mostly with the Admin. Some use them, others don't.
 