Respect: Windows 10 security impresses hackers

Windows is a popular attack target for criminals and researchers alike, but Microsoft has done a good job of making it harder to target security flaws in the OS

So long as Windows remains a popular attack target, researchers and hackers will keep pounding the platform to uncover advanced strategies for subverting Microsoft's defenses.

The bar for security is much higher than it used to be, as Microsoft has added multiple advanced mitigations in Windows 10 that take out entire classes of attacks. While hackers at this year’s Black Hat conference came armed with sophisticated exploitation techniques, there was tacit recognition that developing a successful technique is now much harder with Windows 10. Breaking into Windows through an OS vulnerability is harder than it was even a few years ago.

Use built-in antimalware tools

Microsoft has developed the Antimalware Scan Interface (AMSI), which can catch malicious scripts in memory. Any application can call it, and any registered antimalware engine can process the content submitted to AMSI, Nikhil Mittal, penetration tester and associate consultant with NoSoSecure, told attendees at his Black Hat session. Windows Defender and AVG currently use AMSI, and it should become more widely adopted.

“AMSI is a big step toward blocking script-based attacks in Windows,” Mittal said.

Cybercriminals increasingly rely on script-based attacks, especially those that run in PowerShell, as part of their campaigns. It's tough for organizations to discover attacks using PowerShell because they're hard to differentiate from legitimate behavior. It's also difficult to recover from them, because PowerShell scripts can be used to touch any aspect of the system or network. With practically every Windows system now preloaded with PowerShell, script-based attacks are becoming much more common.

Criminals started using PowerShell and loading scripts in memory, but it took the defenders a while to catch on. “No one cared about PowerShell until a few years back,” Mittal said. “Our scripts are not getting detected at all. Antivirus vendors have only in the past three years embraced it.”

While it's easy to detect scripts saved on disk, it’s not so easy to stop scripts saved to memory from executing. AMSI tries to catch scripts at the host level, which means the input method -- whether saved on disk, stored in memory, or launched interactively -- doesn’t matter, making it a “game changer,” as Mittal said.

However, AMSI can’t stand alone; its usefulness depends on other security measures. It's very difficult for script-based attacks to execute without generating logs, so it’s important for Windows administrators to regularly monitor their PowerShell logs.

AMSI isn’t perfect -- it's less helpful at detecting obfuscated scripts or scripts loaded from unusual places such as the WMI namespace, registry keys, and event logs. PowerShell scripts executed without using powershell.exe (tools such as network policy server) can also trip up AMSI. There are ways to bypass AMSI, such as changing the signature of scripts, using PowerShell version 2, or disabling AMSI. Regardless, Mittal still considers AMSI “the future of Windows administration.”
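The advice above boils down to two defender actions: keep the PowerShell logs that give AMSI its context, and watch for the version 2 downgrade that sidesteps it. The script below is an added example, not code from Mittal's talk; the registry policy keys and event IDs are the real ones, the one-day window and the triage patterns are assumed values to tune, and it must run elevated.

```powershell
# Added example: enable script block and module logging, remove the PowerShell v2
# engine, then review the resulting events. Assumed: run as administrator on Windows 10.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$mod = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
New-Item -Path "$mod\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $mod -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$mod\ModuleNames" -Name '*' -Value '*'   # log every module

# The v2 engine predates AMSI and script block logging; remove it rather than just watch it.
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftPowerShellV2Root -NoRestart | Out-Null

$since = (Get-Date).AddDays(-1)   # assumed review window

# Event 4104 carries the script text exactly as it reached the engine, so code that was
# decoded in memory and never written to disk still shows up here.
$blocks = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
} -ErrorAction SilentlyContinue

# Crude triage: blocks that build or fetch code at run time deserve a human look.
# The pattern list is an assumption to tune for your environment, not a signature feed.
$triage = 'Invoke-Expression|IEX|FromBase64String|DownloadString|Net\.WebClient'
$blocks | Where-Object { $_.Message -match $triage } |
    Select-Object TimeCreated,
        @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } } |
    Format-Table -AutoSize -Wrap

# Event 400 in the classic log records every engine start; EngineVersion=2.0 means the
# v2 engine, which AMSI does not hook, was launched (e.g. powershell -version 2).
Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
    Select-Object TimeCreated,
        @{ n = 'Host'; e = { [regex]::Match($_.Message, 'HostApplication=(.*)').Groups[1].Value } }
```

If the feature removal reports a pending restart, the v2 downgrade check stays meaningful until the reboot completes.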

Protect that Active Directory

Active Directory is the cornerstone of Windows administration, and it’s becoming an even more critical component as organizations continue moving their workloads to the cloud. No longer limited to handling authentication and management for on-premises corporate networks, AD can now help with identity and authentication in Microsoft Azure.

Windows administrators, security professionals, and attackers all have different perspectives of Active Directory, Sean Metcalf, a Microsoft Certified Master for Active Directory and founder of security company Trimarc, told Black Hat attendees. For the administrator, the focus is on uptime and ensuring AD responds to queries within a reasonable window. Security professionals monitor Domain Admin group membership and keep up with software updates. The attacker looks at the security posture for the enterprise to find the weakness. None of the groups has the complete picture, Metcalf said.

All authenticated users have read access to most, if not all, objects and attributes in Active Directory, Metcalf said during the talk. A standard user account can compromise an entire Active Directory domain because of improperly granted modify rights to domain-linked group policy objects and organizational units. Via custom OU permissions, a person can modify users and groups without elevated rights, or they can go through SID History, an AD user account object attribute, to gain elevated rights, Metcalf said.

If Active Directory is not secured, then AD compromise becomes even more likely.

Metcalf outlined strategies to help enterprises avoid common mistakes, and it boils down to protecting administrator credentials and isolating critical resources. Stay on top of software updates, especially patches addressing privilege-escalation vulnerabilities, and segment the network to make it harder for attackers to move through laterally.

Security professionals should identify who has administrator rights for AD and for the virtual environments hosting virtual domain controllers, as well as who can log on to domain controllers. They should scan Active Directory domains, the AdminSDHolder object, and group policy objects (GPOs) for inappropriate custom permissions, and ensure domain administrators (AD administrators) never log on to untrusted systems such as workstations with their sensitive credentials. Service account rights should also be limited.
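The scan Metcalf recommends can be scripted. The following is an added example, not code from the talk or from Trimarc: it lists write-class rights held by principals outside a small allow list on AdminSDHolder, on every OU and on every GPO, then shows effective Domain Admins membership. It assumes the RSAT ActiveDirectory and GroupPolicy modules and a domain-joined account; `$trusted` and `$writeRights` are assumed starting points to tune, and some default ACEs (for example Account Operators on OUs) will appear and should be reviewed rather than dismissed.

```powershell
# Added example: audit who can modify the objects that control Active Directory.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain  = Get-ADDomain
$netbios = $domain.NetBIOSName
# Assumed allow list: principals expected to hold write rights on these objects.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             "$netbios\Domain Admins", "$netbios\Enterprise Admins")
# Rights that let a principal change an object, its children or its ACL, not merely read it.
$writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|CreateChild'

function Get-UntrustedWriteAce {
    param([string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.ToString() -match $writeRights -and
            $trusted -notcontains $_.IdentityReference.Value
        } |
        ForEach-Object {
            [pscustomobject]@{ Object = $DistinguishedName; Principal = $_.IdentityReference.Value
                               Rights = $_.ActiveDirectoryRights; Inherited = $_.IsInherited }
        }
}

# 1. AdminSDHolder: its ACL is periodically re-stamped onto every protected admin account,
#    so a stray write ACE here silently persists as a path to Domain Admin.
Get-UntrustedWriteAce -DistinguishedName "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# 2. Every OU: modify rights on an OU let a non-admin edit the users and groups beneath it.
Get-ADOrganizationalUnit -Filter * | ForEach-Object { Get-UntrustedWriteAce $_.DistinguishedName }

# 3. GPOs: edit rights on a linked GPO reach every computer and user the GPO applies to.
Get-GPO -All | ForEach-Object {
    $gpo = $_
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object {
            $_.Permission.ToString() -in 'GpoEdit', 'GpoEditDeleteModifySecurity' -and
            $trusted -notcontains "$($_.Trustee.Domain)\$($_.Trustee.Name)"
        } |
        ForEach-Object {
            [pscustomobject]@{ GPO        = $gpo.DisplayName
                               Principal  = "$($_.Trustee.Domain)\$($_.Trustee.Name)"
                               Permission = $_.Permission }
        }
}

# 4. Effective Domain Admins, nested group membership included.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object SamAccountName, objectClass
```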

Get AD security right, and many common attacks are mitigated or become less effective, Metcalf said.

Virtualization to contain attacks

Microsoft introduced virtualization-based security (VBS), a set of security features baked into the hypervisor, in Windows 10. The attack surface for VBS is different from that of other virtualization implementations, said Rafal Wojtczuk, chief security architect at Bromium.

“Despite its limited scope, VBS is useful -- it prevents certain attacks that are straightforward without it,” Wojtczuk said.

Hyper-V has control over the root partition, and it can implement extra restrictions and provide secure services. When VBS is enabled, Hyper-V creates a specialized virtual machine with a high trust level to execute security commands. Unlike other VMs, this specialized machine is protected from the root partition. Windows 10 can enforce code integrity of user-mode binaries and scripts, and VBS handles kernel-mode code. VBS is designed to prevent any unsigned code from executing in the kernel context, even if the kernel has been compromised. Essentially, trusted code running in the special VM grants execute rights in the root partition’s extended page tables (EPT) only to pages storing signed code. Since a page can’t be both writable and executable at the same time, malware can’t enter kernel mode that way.

Since the whole concept hinges on the ability to keep going even if the root partition has been compromised, Wojtczuk examined VBS from the perspective of an attacker who has already broken into the root partition -- for example, if an attacker bypasses Secure Boot to load a Trojanized hypervisor.

“The security posture of VBS looks good, and it improves the security of a system -- certainly it requires additional highly nontrivial effort to find a suitable vulnerability allowing the bypass,” Wojtczuk wrote in the accompanying white paper.

Existing documentation suggests Secure Boot is required, and VT-d and Trusted Platform Module (TPM) are optional for enabling VBS, but that isn’t the case. Administrators need both VT-d and a TPM to protect the hypervisor against a compromised root partition. Simply enabling Credential Guard isn’t enough for VBS. Additional configuration to ensure that credentials don’t show up in the clear in the root partition is necessary.
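The gap Wojtczuk describes between "VBS is on" and "VBS is actually protected against the root partition" is visible from inside Windows. The script below is an added example, not part of the talk or the Bromium white paper: it reads the documented Win32_DeviceGuard class to show what the platform offers versus what VBS was told to require, then sets the DeviceGuard policy so that Secure Boot and DMA protection (the VT-d/IOMMU requirement) are both mandatory, with HVCI and Credential Guard locked on. It assumes an elevated session on Windows 10 with UEFI firmware; the weak setting is shown commented out beside the hardened one.

```powershell
# Added example: report VBS platform state, then require Secure Boot AND DMA protection.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Code tables from the Win32_DeviceGuard documentation (subset that matters here).
$propNames = @{ 1 = 'Base VBS support'; 2 = 'Secure Boot'; 3 = 'DMA protection (VT-d/IOMMU)' }
$svcNames  = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced code integrity (HVCI)' }
$vbsState  = @{ 0 = 'Off'; 1 = 'Enabled, not running'; 2 = 'Running' }

[pscustomobject]@{
    VbsStatus       = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
    Available       = ($dg.AvailableSecurityProperties | ForEach-Object { $propNames[[int]$_] }) -join ', '
    Required        = ($dg.RequiredSecurityProperties  | ForEach-Object { $propNames[[int]$_] }) -join ', '
    ServicesRunning = ($dg.SecurityServicesRunning     | ForEach-Object { $svcNames[[int]$_] })  -join ', '
    TpmReady        = (Get-Tpm).TpmReady
    SecureBoot      = try { Confirm-SecureBootUEFI } catch { $false }   # throws on legacy BIOS
} | Format-List

$dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvci  = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"

# Weak: require Secure Boot only (value 1). A compromised root partition can then still
# reach hypervisor memory over DMA, which is exactly the attacker model in the talk.
# Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Value 1 -Type DWord

# Hardened: Secure Boot plus DMA protection (value 3), HVCI on, Credential Guard on with
# UEFI lock (LsaCfgFlags 1) so a later admin-level change cannot quietly turn it off.
New-Item -Path $hvci -Force | Out-Null
Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures   -Value 3 -Type DWord
Set-ItemProperty -Path $hvci  -Name Enabled -Value 1 -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -Value 1 -Type DWord
# A reboot applies the change. VBS does not start while a required property is missing,
# so confirm 'DMA protection' appears under Available above before requiring it.
```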

Microsoft has put in a lot of effort to make VBS as secure as possible, but the unusual attack surface is still cause for concern, Wojtczuk said.

The security bar is higher

The breakers, who include criminals, researchers, and hackers interested in seeing what they can do, are engaged in an elaborate dance with Microsoft. As soon as the breakers figure out a way to bypass Windows defenses, Microsoft closes the security hole. By implementing innovative security technology to make attacks harder, Microsoft forces breakers to dig deeper to get around it. Windows 10 is the most secure Windows ever, thanks to those new features.

The criminal element is busy at work, and the malware scourge doesn’t show signs of slowing down soon, but it’s worth noting that most attacks nowadays are the result of unpatched software, social engineering, or misconfigurations. No software applications can be perfectly bug-free, but when the built-in defenses make it harder to exploit existing weaknesses, that is a victory for the defenders. Microsoft has done a lot over the past few years to block attacks on the operating system, and Windows 10 is the direct beneficiary of those changes.

Considering that Microsoft beefed up its isolation technologies in Windows 10 Anniversary Update, the road to successful exploitation for a modern Windows system looks even tougher.

Stories by Fahmida Y. Rashid