One of the inspirations for this blog has been sharing my research in mitigating different types of malware, or activity that can bypass mitigations and perform undesired functions. One thing that really caught my interest is the work that has been published by Casey Smith (@subTee). I found his work on using obscure functions of whitelisted applications to download code from the internet and execute it particularly interesting. For an example, see http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html.
I decided to take a stab at this. My first attempt was to use a technology I was familiar with to see if I could prevent these applications from using the internet to download code. I knew that the ASR mitigation in EMET could limit which DLLs an application is allowed to load, and based on other ASR work I had done I suspected that a DLL was involved in the network transaction at some point, so I started pursuing this path. A coworker was able to set up a web server that hosted a customized version of subTee's regsvr32 download payload. Armed with a working example and Process Monitor with a filter to show DLL loads (https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx), I went to work.
After a little work I was able to narrow it down to two DLLs that I thought would work. Previous examples on Twitter targeted only the DLL used in the example and were easily bypassed (https://twitter.com/thechrisharrod/status/725713658848882688) because they blacklisted a single DLL that was not actually required for the download to execute. After some digging with Process Monitor I found that the two DLLs that seemed to be the best matches were winhttp.dll and webio.dll. I don't know a whole lot about the DLLs themselves, but my theory is that winhttp.dll is used to gather any proxy server settings (I learned this from my time spent managing a proxy server) and webio.dll is used when making the actual web calls. If either of these was blocked with ASR, I was able to get EMET to prevent regsvr32 and other applications from using the internet. WinHTTP appeared to produce the best logging from the EMET blocks, so I targeted that, and it worked!!!
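To show the narrowing-down step in code, here is an added example (not from the original post) that reads a Process Monitor CSV export, keeps only Load Image events, and reports which processes pulled in the two DLLs identified above. The CSV rows, the process names and PIDs, and the function names are all constructed for this example; the column headers match what Process Monitor writes by default, but check your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Process Monitor CSV export (File > Save... > CSV),
# already filtered to "Load Image" operations. These rows are made up for
# this example and are not a real capture.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","regsvr32.exe","4120","Load Image","C:\\Windows\\System32\\scrobj.dll","SUCCESS","Image Base: 0x7ff800000000"
"10:01:02.2","regsvr32.exe","4120","Load Image","C:\\Windows\\System32\\winhttp.dll","SUCCESS","Image Base: 0x7ff800100000"
"10:01:02.3","regsvr32.exe","4120","Load Image","C:\\Windows\\System32\\webio.dll","SUCCESS","Image Base: 0x7ff800200000"
"10:01:03.0","rundll32.exe","5200","Load Image","C:\\Windows\\System32\\cryptnet.dll","SUCCESS","Image Base: 0x7ff800300000"
"10:01:03.1","rundll32.exe","5200","Load Image","C:\\Windows\\System32\\winhttp.dll","SUCCESS","Image Base: 0x7ff800100000"
"10:01:04.0","notepad.exe","6000","Load Image","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Image Base: 0x7ff800400000"
"""

# The two DLLs the post identifies as the ones to block with EMET ASR.
NETWORK_DLLS = {"winhttp.dll", "webio.dll"}


def loaded_images(csv_text):
    """Map each process name to the set of DLL base names it loaded.

    Only "Load Image" rows are considered; everything else (file, registry,
    network events) is ignored. Names are lower-cased so comparisons are
    case-insensitive, as they are on Windows.
    """
    loads = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Load Image":
            continue
        base_name = row["Path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        loads[row["Process Name"].lower()].add(base_name)
    return dict(loads)


def network_capable(csv_text, markers=NETWORK_DLLS):
    """Return {process: [marker DLLs it loaded]} for processes that touched
    the HTTP stack during the capture. Processes that never loaded a marker
    DLL are left out, which is what makes them safe to ignore for ASR."""
    result = {}
    for proc, dlls in loaded_images(csv_text).items():
        hits = sorted(dlls & markers)
        if hits:
            result[proc] = hits
    return result


if __name__ == "__main__":
    for proc, dlls in network_capable(SAMPLE_PROCMON_CSV).items():
        print(f"{proc}: {', '.join(dlls)}")
```

Run against a real export, the processes listed are the candidates for an ASR rule on winhttp.dll or webio.dll, and the ones missing from the list are the ones the rule would not affect.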
I began testing the mitigation on a few apps that had documented bypasses using the internet, apps that I thought had no business using it. After only a few hours of testing I knew that, while effective, this was not going to work at scale. Simply put, several of these applications were using these DLLs for internal network communications as well as for legitimate internet activity (who knew rundll32 was used to check OCSP?). My goal was to limit these, but also to grow into things more likely to use the internet like PowerShell, cscript, wscript, and mshtml. I had a tool that was effective, but it wasn't granular enough to allow some approved access and block the rest. It was effective, but only as an all-or-nothing switch.
So, I was back to the drawing board with a network on/off switch in my back pocket. After a few more weeks of work and thinking I found something that has potential, but I am out of time for now, so I plan to address that in my next post. Maybe at some point in the future this will come in handy; only time will tell. I will see if I can get a video demonstrating the EMET mitigation posted at some point.
Until then, work hard and spend time with your family.