Thwarting Client Side attacks with Software Restriction Policy
A few weeks ago I started looking at Windows Software Restriction Policy (SRP) and using it to stop client side attacks. This is going to go over some of the options, setup and the results once enabled.
SRP is easy to setup via Group Policy Object (GPO). Inside GPO editor create New Software Restriction Policy. Once create the default will be setup. You can look around to see basic options. Here is my tested setup.
Enforcement: Select "All Software files" and "All users except local administrators"
Under Designated File types: Remove type LNK - this will make sure that shortcuts placed outside of the designated execution directories will run. When I initially tested what I thought would work none of the shortcuts on the toolbar or desktop would launch an application and I found this to be the issue.
Ignore trusted publishers, this is used if we are limiting applications based on the certificate authority.
Select "Additional Rules"
The default execution directories will be selected.
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
Since mine is 64bit Windows I added
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%
Security level for these are all going to be "Unrestricted" I want them to be able to execute as normal.
Now back under "Security Levels" the default setting is Unrestricted, since we are changing users over to defined execution directories I want to set anything not specifically allowed in the Additional Rules section to "Disallowed." So we change the default to Disallowed.
Save this and run gpupdate /force on the target machine.
Now to test a client side attack using SET. I am going to use the java attack method. 1 -> Social-Engineering Attacks, 2 -> Website Attack Vectors, 1 -> Java Applet Attack Method, 1 -> Web Templates, 1 -> Java Required, 2 -> Windows Reverse_TCP Meterpreter, 16 -> Backdoored Executable - Enter port of listener (default 443)
Fire it up and wait till it starts the payload handler.
Once the handler is started you are ready to test the attack. Go ahead and run the unsafe java applet.
You will notice that the the site is responding but the java applet is unable to execute the payload.
After attempting this and being successful, I tried running SET with PowerShell Injection and to my surprise the attack succeeded. I realized with PowerShell the payload was running from the C:\Windows\sysWOW64\WindowsPowerShell directory which by default is explicitly allowed. To defeat this attack I added the path to the list of Additional Rules and set it to "Basic User", retested the attack with PS Injection and the attack failed as expected. I tested this with multiple payloads and encoding methods and everyone of them did not result in a successful attack.
I ran two other tests, the first was using EXE embedded PDF and an older version of Adobe Reader (9.3). SRP was able to successfully stop this attack.
Finally I tested a physical attack using a USB Rubber Ducky Human Interface Device (HID) from the folks over at hak5 (www.hak5.com). I used a great little payload generator found over on google code (https://code.google.com/p/simple-ducky-payload-generator/ ) It is pretty slick and simple, I used a meterpreter powershell injection payload that didn't attempt to elevate privileges. SRP was able to successfully stop this attack. If the user had admin privileges and entered in creds in the UAC window it would have worked since I allow Local Admins unrestricted access.
In Production the are likely other directories where code needs to execute, those will need to be added to the allow list. As the config is done, administrators will be able to bypass these rules for installation of software etc. Administrators will also need to ensure that ACLs are properly set since a curious user could move executables into the approved directories and run them. While this is like a bit tough to implement in a very large organization this is a very effective method for stopping client side attacks.
To find other executable directories in use in your environment enable SRP with defaults (fully unrestricted) and set the following registry key:
"HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
String Value: LogFileName, <path to log file>
This will log the executable and the directory it was run from a little data mining can determine were applications need to execute from. Also Inventory Collector from Application Compatibility toolkit can assist in this task.
Update:
One PDC reader noted that the configuration would allow a PowerShell attack from SET to work on 32bit systems since the path on 32bit is C:\Windows\System32\WindowsPowerShell - Also this directory exists on 64bit machines as well, a modification to the SET Payload could allow the attack to succeed.
A fix for this is to also add "C:\Windows\System32\WindowsPowerShell" to the locked down policy under "Additional Rules"
This methods above would work for the given attack vector, there may be other vectors that need additional rules depending on the environment.
-Greg
Paul also found 