About UAC Guard
This is just a POC combining a number of side-projects that I have worked on over the past few years. Feel free to get in touch on LinkedIn or Twitter to discuss. BTW, I just happened to own this domain and decided to use it. UAC wasn't the primary focus, but still something that had to be addressed.
Sophisticated malware families typically employ a combination of techniques to achieve their objectives. In this context, we will focus on Execution and Privilege Escalation, on Windows.
A common technique to evade detection involves injecting and executing code into legitimate processes, typically writing to a process’s memory and/or causing it to load a malicious DLL.
The primary targets are operating system files, as they are guaranteed to be present on the victim’s endpoint.
In recent versions of Windows, every single(*) file that is shipped as part of the operating system is digitally signed. Therefore, there should be no reasons for a Windows executable to load an untrusted DLL - ever.
This should not need something that needs to be "detected". It should be enforced by the OS by default.
Process Mitigation Policies to control Image Loading and Binary Signature can be applied to mitigate some of these techniques. The main limitation is that Binary Image policies apply generically to "Microsoft" code and they cannot be customized nor extended to other vendors. Process Mitigation Policies also require you to identify all operating system files and write policies for all of them.
UAC Guard protects all Windows executables by preventing them from loading non-Windows DLLs. It consists of a kernel driver that intercepts both process creation and DLLs loading and checks their characteristics. In this context, Windows executable/DLL means a digitally signed binary file that is shipped as part of the operating system with specific Enhanced Key Attributes included in its certificate(s) as shown below.
UAC presents a challenge, as if one can easily gain Adinistrative privileges, it's game over. It is thus important to prevent the execution of known UAC bypasses to make this solution effective.
- Single Policy: Audit or Enabled
- Restricts Windows executable to only loading Windows and Microsoft DLLs.
- Prevents non-Windows processes from writing to Windows processes' memory.
- Blocks known UAC Privilege Escalation attempts.
- Prevent Process Hollowing, Doppelgaenging, Herpaderping, etc.
The POC is a self-contained kernel driver for Windows 10+. The driver leverages Code Integrity and caches information on NTFS, inaccessible to user mode applications.
The POC takes also into account security solutions that might inject their own DLL(s) into user mode processes. This is accomplsihed by a simple certificate white-list. The mechanism can be easily extended to cover applications such as Office, Acrobat Reader, etc.
We believe that there is the need for better OS "defaults" to reduce the attack surface area. These safe default are effective in disrupting common attack patterns that often precede ransomware deployment.
- Support for popular applications like Office and Acrobat Reader
- Support for a generic policy
- Prevent Microsoft scripting DLLs from being loaded into other applications
- Prevent loading of lol drivers
- Prevent lol bins from gaining administative privileges
(*) With the exception of Native Images.