Applocker vs Local Privilege Escalation
This next test should be a straightforward Applocker win: the user will try to execute SMBGhost (CVE-2020-0796) locally. However, the LPE requires Python, and as Python is a legitimate application it will be approved by Applocker. The question is whether, with Python approved, Applocker will allow the exploit to run, including the Injector.exe that is part of the exploit.
The attacker will be a disgruntled employee with Domain User permissions and nothing more. The workstation will be Windows 10 x64 1909 without any patches; the firewall and Windows Defender will be on.
In addition, Python 3 needs to be installed.
Apply the Applocker rules as described here to ensure a clean baseline. Set the rules to 'Audit', then start the AppIDSvc service and set it to Automatic.
Before downloading the exploit and potentially dirtying 1909, I took a virtual snapshot.
The exploit was downloaded from Zecops here.
To prove the exploit works, SH\User executed 'poc.py'; the exploit output is in the second window, with System privileges displayed at the bottom.
Revert the image, then update the Applocker rules from 'Audit' to 'Enforce' and run 'gpupdate /force' from the Run command.
Logon as SH\User and copy the exploit to somewhere accessible.
Again I executed 'poc.py', and to start with everything looked great... then the script called 'injector.exe', which is part of the exploit, and that call failed. Applocker prevented the exploit.
Here's the event log showing 'injector.exe' being prevented from running.
Without Applocker it was scarily easy to gain System. Had 1909 been patched the exploit would have failed. Chalk up another one for 'must patch more often'.
However, had this been a zero-day, Applocker would still have prevented the exploit, as it runs under the user context. The disgruntled employee has to try harder.
Although Applocker did prevent the LPE, it was only because the exploit called an unapproved .exe. The Python script did run and attempted to exploit the system. Had the exploit been pure Python, another system would have fallen. The same would be true had it been PowerShell or some other supported script type.
I should be happy that Applocker prevented an exploit, but I don't think it's enough. I suspect firewalls, patching, AV etc. would have failed had the attack been purely scripted and targeting a zero-day or system misconfiguration. There are two options available: prevent Python, PowerShell etc., which may not be feasible, or go away and build a monitoring solution.
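One starting point for the monitoring option, as an added example that is not part of the original post: a PowerShell query that pulls the Applocker audit and enforce events (the 'prevented from running' entry shown above for injector.exe is one of these) together with allowed launches of approved script interpreters such as python.exe, and groups both by file path. The event IDs and the FilePath/TargetUser fields come from the Applocker event schema; the 24-hour window and the interpreter list are assumptions.

```powershell
# Added example, not from the original post. Assumes the Applocker logs exist
# (AppIDSvc running, rules deployed) and that it is run as an administrator.
$since = (Get-Date).AddHours(-24)   # assumed window

# Applocker event IDs used here:
#   8003 / 8006 = would have been blocked (Audit mode),  EXE-DLL / Script-MSI logs
#   8004 / 8007 = blocked (Enforce mode),                EXE-DLL / Script-MSI logs
#   8002        = EXE allowed to run (used to watch approved interpreters)
$queries = @(
    @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';    Id = 8003, 8004; StartTime = $since },
    @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006, 8007; StartTime = $since },
    @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';    Id = 8002;       StartTime = $since }
)

# Interpreters that, once approved, will run any script handed to them (assumed list)
$interpreters = 'python.exe', 'pythonw.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe'

$findings = foreach ($q in $queries) {
    # Get-WinEvent throws when a query matches nothing, hence SilentlyContinue
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue | ForEach-Object {
        $ev   = $_
        $data = ([xml]$ev.ToXml()).Event.UserData.RuleAndFileData
        $path = $data.FilePath                      # e.g. %OSDRIVE%\USERS\...\INJECTOR.EXE
        if ($ev.Id -eq 8002)                { $mode = 'Allowed' }
        elseif ($ev.Id -in 8003, 8006)      { $mode = 'Audit' }
        else                                { $mode = 'Enforce' }
        # Keep every block/audit event, but only the allowed events for interpreters
        if ($mode -ne 'Allowed' -or $interpreters -contains (Split-Path $path -Leaf)) {
            [pscustomobject]@{
                Time    = $ev.TimeCreated
                Mode    = $mode
                EventId = $ev.Id
                User    = $data.TargetUser          # SID of the account that launched the file
                Path    = $path
            }
        }
    }
}

$findings |
    Group-Object Mode, Path |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users'; e = { ($_.Group.User | Select-Object -Unique) -join ', ' } },
        @{ n = 'Last';  e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } } |
    Format-Table -AutoSize
```

Run in Audit mode the 8003/8006 rows show what Enforce would break before it is switched on; the 8002 rows are the interpreter launches that Applocker will never block on its own and so need a separate alerting rule.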