AppLocker vs Local Privilege Escalation
This next test should be a straightforward AppLocker win: the user will try to execute SMBGhost (CVE-2020-0796) locally. However, the LPE requires Python, and as Python is a legitimate application it will be approved by AppLocker. The question is: if Python is approved, will AppLocker allow the exploit to run, including injector.exe, which ships as part of the exploit?
The attacker will be a disgruntled employee with Domain User permissions, nothing more. The workstation will be Windows 10 x64 1909 without any patches; the firewall and Windows Defender will be on.
In addition, Python 3 needs to be installed on the workstation.
Apply the AppLocker rules to ensure a clean baseline, as described here. Set the rules to 'Audit', then start the AppIDSvc service and set it to Automatic (AppLocker evaluates nothing while that service is stopped).
Before downloading the exploit and potentially dirtying 1909, I took a virtual machine snapshot.
The exploit was downloaded from ZecOps here.
To prove the exploit works, SH\User executed 'poc.py'; the exploit output is in the second window, with SYSTEM privileges displayed at the bottom.
Revert the image, then update the AppLocker rules from 'Audit' to 'Enforce' and run 'gpupdate /force' from the Run command.
Log on as SH\User and copy the exploit somewhere accessible.
Again I executed 'poc.py', and to start with everything looked great... then the script called 'injector.exe', which is part of the exploit, and it failed. AppLocker prevented the exploit.
Here's the event log entry (AppLocker event ID 8004, in the 'EXE and DLL' log) showing 'injector.exe' being prevented from running.
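The setup steps and the event log check above, pulled together into one script. This is an added example, not code from the original post or from ZecOps: it assumes the exploit was copied to C:\Users\User\Desktop\SMBGhost and that Python 3 lives in C:\Python38 (both assumptions; adjust to your paths), and is run from an elevated PowerShell prompt on the test workstation. It also queries the script/MSI log, which goes beyond what the post shows, to make the point that poc.py never appears there.

```powershell
# Added example (not the original post's code). Assumed paths: exploit in
# C:\Users\User\Desktop\SMBGhost, Python 3 in C:\Python38. Run elevated.

# 1. AppLocker only evaluates anything while the Application Identity service runs.
#    On recent Windows 10 builds Set-Service is refused for this service, so use sc.exe.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType

# 2. Confirm what mode each rule collection is actually in after 'gpupdate /force'.
#    AuditOnly means 'log but allow'; Enabled means enforce.
$policy = Get-AppLockerPolicy -Effective
$policy.RuleCollections | Select-Object RuleCollectionType, EnforcementMode

# 3. Ask the effective policy what it would decide for each file, as SH\User.
#    injector.exe should come back Denied (or DeniedByDefault), python.exe Allowed.
#    poc.py is deliberately not listed: .py is not a file type AppLocker evaluates,
#    so only the interpreter is ever checked.
$paths = @(
    'C:\Python38\python.exe',
    'C:\Users\User\Desktop\SMBGhost\injector.exe'
)
Test-AppLockerPolicy -PolicyObject $policy -Path $paths -User 'SH\User' |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 4. Pull the AppLocker decisions from the run.
#    EXE and DLL log:  8004 = blocked (enforce), 8003 = audit, 'would have been blocked'.
#    MSI and Script log: 8007 = blocked, 8006 = audit. The script log will not contain
#    poc.py, which is the gap the post describes.
function Get-AppLockerDecisions {
    $logs = @{
        'Microsoft-Windows-AppLocker/EXE and DLL'    = @(8003, 8004)
        'Microsoft-Windows-AppLocker/MSI and Script' = @(8006, 8007)
    }
    foreach ($log in $logs.Keys) {
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $logs[$log] } `
                               -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # AppLocker puts the decision details in UserData/RuleAndFileData, not in EventData.
            $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
            $user = $data.TargetUser   # a SID; translate to an account name where possible
            try {
                $user = (New-Object System.Security.Principal.SecurityIdentifier $user).
                            Translate([System.Security.Principal.NTAccount]).Value
            } catch { }
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Log      = $log
                Id       = $e.Id
                Outcome  = if ($e.Id -in @(8004, 8007)) { 'Blocked' } else { 'Audit only' }
                User     = $user
                FilePath = $data.FilePath
                Rule     = $data.RuleName
            }
        }
    }
}

Get-AppLockerDecisions | Sort-Object Time | Format-Table -AutoSize
```

Run step 4 after each attempt: in the 'Audit' pass injector.exe shows up as 8003 (allowed, would have been blocked), and in the 'Enforce' pass as 8004. Nothing is logged for poc.py in either pass, because it is python.exe, not the script, that AppLocker evaluates.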
Firstly, without AppLocker it was scarily easy to gain SYSTEM. Had 1909 been patched the exploit would have failed. Chalk up another one for 'must patch more often'.
However, had this been a zero day, AppLocker would still have prevented the exploit, as it runs under the user context. The disgruntled employee will have to try harder.
Although AppLocker did prevent the LPE, it was only because the exploit called an unapproved .exe. The Python script itself ran and attempted to exploit the system: AppLocker's script rule collection only covers .ps1, .bat, .cmd, .vbs and .js files, so a .py file run by an approved python.exe is never evaluated. Had the exploit been pure Python, another system would have fallen. The same applies to any other interpreter that AppLocker allows but whose script type it does not cover. PowerShell is somewhat better placed, since .ps1 files are covered by the script rules and PowerShell 5 and later drops unapproved code into Constrained Language Mode when AppLocker is enforcing, but that raises the bar rather than removing it.
I should be happy that AppLocker actually prevented an exploit, but I don't think it's enough. I suspect firewalls, patching, AV etc. would have failed had the attack been purely scripted and targeting a zero day or a system misconfiguration. There are two options: block Python, PowerShell and other interpreters for standard users, which may not be feasible, or go away and build a monitoring solution.