So long as Windows remain a popular attack target, researchers and hackers will keep pounding the platform to uncover advanced strategies to subvert Microsoft's defenses.
The bar for security is much higher than it used to be, as Microsoft has added multiple advanced mitigations in Windows 10 that take out entire classes of attacks. While hackers at this year’s Black Hat conference came armed with sophisticated exploitation techniques, there was tacit recognition that developing a successful technique is now much harder with Windows 10. Breaking into Windows through an OS vulnerability is harder than it was even a few years ago.
Use built-in antimalware tools
Microsoft has developed antimalware scan interface (AMSI) tools that can catch malicious scripts in memory. Any application can call it, and any registered antimalware engine can process the content submitted to AMSI, said Nikhal Mittal, penetration tester and associate consultant with NoSoSecure, to attendees at his Black Hat session. Windows Defender and AVG currently use AMSI, and it should become more widely adopted.
“AMSI is a big step toward blocking script-based attacks in Windows,” Mittal said.
Cybercriminals increasingly rely on script-based attacks, especially those that execute on PowerShell, as part of their campaigns. It's tough for organizations to discover attacks using PowerShell because they're hard to differentiate from legitimate behavior. It's also difficult to recover because PowerShell scripts can be used to touch any aspect of the system or network. With practically every Windows system now preloaded with PowerShell, script-based attacks are becoming much more common.
Criminals started using PowerShell and loading scripts in memory, but it took the defenders a while to catch on. “No one cared about PowerShell until a few years back,” Mittal said. “Our scripts are not getting detected at all. Antivirus vendors have only in the past three years embraced it.”
While it's easy to detect scripts saved on disk, it’s not so easy to stop scripts saved to memory from executing. AMSI tries to catch scripts at the host level, which means the input method -- whether saved on disk, stored in memory, or launched interactively -- doesn’t matter, making it a “game changer,” as Mittal said.
However, AMSI can’t stand alone, as the usefulness relies on other security methods. It's very difficult for script-based attacks to execute without generating logs, so it’s important for Windows administrators to regularly monitor their PowerShell logs.
AMSI isn’t perfect -- it's less helpful detecting obfuscated scripts or scripts loaded from unusual places like WMI namespace, registry keys, and event logs. PowerShell scripts executed without using powershell.exe (tools such as network policy server) can also trip up AMSI. There are ways to bypass AMSI, such as changing the signature of scripts, using PowerShell version 2, or disabling AMSI. Regardless, Mittal still considers AMSI “the future of Windows administration.”
Protect that Active Directory
Active Directory is the cornerstone of Windows administration, and it’s becoming an even more critical component as organizations continue moving their workloads to the cloud. No longer used to handle authentication and management for on-premises internal corporate networks, AD can now help with identity and authentication in Microsoft Azure.
Windows administrators, security professionals, and attackers all have different perspectives of Active Directory, Sean Metcalf, a Microsoft Certified Master for Active Directory and founder of security company Trimarc, told Black Hat attendees. For the administrator, the focus is on uptime and ensuring AD responds to queries within a reasonable window. Security professionals monitor Domain Admin group membership and keep up with software updates. The attacker looks at the security posture for the enterprise to find the weakness. None of the groups has the complete picture, Metcalf said.
All authenticated users have read access to most, if not all, objects and attributes in Active Directory, Metcalf said during the talk. A standard user account can compromise an entire Active Directory domain because of improperly granted modify rights to domain-linked group policy objects and organizational unit. Via custom OU permissions, a person can modify users and groups without elevated rights, or they can go through SID History, an AD user account object attribute, to gain elevated rights, Metcalf said.
If Active Directory is not secured, then AD compromise becomes even more likely.
Metcalf outlined strategies to help enterprises avoid common mistakes, and it boils down to protecting administrator credentials and isolating critical resources. Stay on top of software updates, especially patches addressing privilege-escalation vulnerabilities, and segment the network to make it harder for attackers to move through laterally.
Security professionals should identify who has administrator rights for AD and to virtual environments hosting virtual domain controllers, as well as who can log on to domain controllers. They should scan active directory domains, AdminSDHolder object, and group policy objects (GPO) for inappropriate custom permissions, as well as ensure domain administrators (AD administrators) never log into untrusted systems such as workstations with their sensitive credentials. Service account rights should also be limited.
Get AD security right, and many common attacks are mitigated or become less effective, Metcalf said.
Virtualization to contain attacks
Microsoft introduced virtualization-based security (VBS), a set of security features baked into the hypervisor, in Windows 10. The attack surface for VBS is different from that of other virtualization implementations, said Rafal Wojtczuk, chief security architect at Bromium.
“Despite its limited scope, VBS is useful -- it prevents certain attacks that are straightforward without it,” Wojtczuk said.
Hyper-V has control over the root partition, and it can implement extra restrictions and provide secure services. When VBS is enabled, Hyper-V creates a specialized virtual machine with a high trust level to execute security commands. Unlike other VMs, this specialized machine is protected from the root partition. Windows 10 can enforce code integrity of user-mode binaries and scripts, and VBS handles kernel-mode code. VBS is designed to not allow any unsigned code from executing in the kernel context, even if the kernel has been compromised. Essentially, trusted code running in the special VM grant execute rights in the root partition’s extended page tables (EPT) to pages storing signed code. Since the page can’t be both writeable and executable at the same time, malware can’t enter kernel mode that way.
Since the whole concept hinges on the ability to keep going even if the root partition has been compromised, Wojtczuk examined VPS from the perspective of an attacker who has already broken into the root partition -- for example, if an attacker bypasses Secure Boot to load a Trojanized hypervisor.
“The security posture of VBS looks good, and it improves the security of a system -- certainly it requires additional highly nontrivial effort to find suitable vulnerability allowing the bypass,” Wojtczuk wrote in the accompanying white paper.
Existing documentation suggests Secure Boot is required, and VTd and Trusted Platform Module (TPM) are optional for enabling VBS, but that isn’t the case. Administrators need to have both VTd and TPM to protect the hypervisor against a compromised root partition. Simply enabling Credential Guard isn’t enough for VBS. Additional configuration to ensure that credentials don’t show up in the clear in the root partition is necessary.
Microsoft has put in a lot of effort to make VBS as secure as possible, but the unusual attack surface is still cause for concern, Wojtczuk said.
The security bar is higher
The breakers, which includes criminals, researchers, and hackers interested in seeing what they can do, are engaged in an elaborate dance with Microsoft. As soon as the breakers figure out a way to bypass Windows defenses, Microsoft closes the security hole. By implementing innovative security technology to make attacks harder, Microsoft forces breakers to dig deeper to get around them. Windows 10 is the most secure Windows ever, thanks to those new features.
The criminal element is busy at work, and the malware scourge doesn’t show signs of slowing down soon, but it’s worth noting that most attacks nowadays are the result of unpatched software, social engineering, or misconfigurations. No software applications can be perfectly bug-free, but when the built-in defenses make it harder to exploit existing weaknesses, that is a victory for the defenders. Microsoft has done a lot over the past few years to block attacks on the operating system, and Windows 10 is the direct beneficiary of those changes.
Considering that Microsoft beefed up its isolation technologies in Windows 10 Anniversary Update, the road to successful exploitation for a modern Windows system looks even tougher.