UAC Guard
UAC Guard is a research project that aims to prevent all known forms of code injections and - ehm - Local Privilege Elevation. The default policy protects all Windows inbox executables from sideloading non-Windows DLLs. A Windows binary, in this context, is a signed file whose certificate contains specific Enhanced Key Usage values.
Background
Sophisticated malware families typically employ a combination of techniques to achieve their objectives. In this context, we will focus on Execution and Privilege Escalation, on Windows.
A common technique to evade detection involves injecting and executing code into legitimate processes, typically writing to a process’s memory and/or causing it to load a malicious DLL.The primary targets are operating system files, as they are guaranteed to be present on the victim’s endpoint.
In recent versions of Windows, every single(*) file that is shipped as part of the operating system is digitally signed. Therefore, there should be no reasons for a Windows executable to load an untrusted DLL - **ever**.This should not need something that needs to be "detected". It should be enforced by the OS by default.
Process Mitigation Policies to control Image Loading and Binary Signature can be applied to mitigate some of these techniques. The main limitation is that Binary Image policies apply generically to "Microsoft" code and they cannot be customized nor extended to other vendors. Process Mitigation Policies also require you to identify all operating system files and write policies for all of them.UAC Guard
UAC Guard protects all Windows executables by preventing them from loading non-Windows DLLs. It consists of a kernel driver that intercepts both process creation and DLLs loading and checks their characteristics. In this context, Windows executable/DLL means a digitally signed binary file that is shipped as part of the operating system with specific Enhanced Key Attributes included in its certificate(s) as shown below.
Features
- Single Policy: Audit or Enabled
- Restricts Windows executable to only loading Windows and Microsoft DLLs
- Prevents non-Windows processes from writing to Windows processes' memory
- Blocks known UAC Privilege Escalation attempts
- Prevent Process Hollowing, Doppelgaenging, Herpaderping, etc.
Proof of Concept
The POC is a self-contained kernel driver for Windows 10+.
The driver leverages Code Integrity and caches information on NTFS, inaccessible to user mode applications.The POC takes also into account security solutions that might inject their own DLL(s) into user mode processes. This is accomplsihed by a simple certificate white-list. The mechanism can be easily extended to cover applications such as Office, Acrobat Reader, etc.
Why
I believe that there is the need for better OS "defaults" to reduce the attack surface area. These safe default are effective in disrupting common attack patterns that often precede ransomware deployment.Possible extensions:
- Support for popular applications like Office and Acrobat Reader
- Support for a generic policy
- Prevent Microsoft scripting DLLs from being loaded into other applications
- Prevent loading of lol drivers
- Prevent lol bins from gaining administative privileges
- etc.
(*) With the exception of Native Images.