Neo23x0 / Raccine

A Simple Ransomware Vaccine
The Unlicense

Hardening suggestions #96

Open JohnLaTwC opened 4 years ago

JohnLaTwC commented 4 years ago

Some suggestions for the Windows hardening script:

Block remote commands

Disable DCOM. See (https://docs.microsoft.com/en-us/windows/win32/com/enabledcom)

REG.EXE ADD HKEY_LOCAL_MACHINE\Software\Microsoft\OLE /v EnableDCOM /t REG_SZ /d N /F

Block remote use of PSEXEC and similar tools that remotely install a temporary service.

See (https://twitter.com/JohnLaTwC/status/802218490404798464)

Reconfigure the security descriptor on the Service Control Manager endpoint to deny this right to remote users (S-1-5-2). This is not a service itself, but rather the SCM endpoint that PSEXEC and other tools must communicate with to call ChangeServiceConfig and related APIs. Adding a Deny ACE for NETWORK prevents remote use of this API while not interfering with local usage (by installers and local management tools).

See (https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-changeserviceconfiga)

In a batch file, add a Deny ACE to the existing SCM ACL:

FOR /F "usebackq tokens=1,* delims=:" %%a IN (`sc.exe sdshow scmanager`) DO sc.exe sdset scmanager D:(D;;0x00040002;;;NU)%%b

This results in an ACL like the following. Note ACE number zero:

viewsddl svc D:(D;;DCWD;;;NU)(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CC;;;S-1-15-3-1024-528118966-3876874398-709513571-1907873084-3598227634-3698730060-278077788-3990600205)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

+ ACE[ 0]  : Deny : NT AUTHORITY\NETWORK 0x00040002   <<<<<< deny network SID
+   Perms : ( ChangeConf WDac )             <<<<<< deny ChangeConfig and WriteDACL permission 
+   Inher : ( )

ACE[ 1]  : Allow : NT AUTHORITY\Authenticated Users 0x00000001
   Perms : ( QueryConf )
   Inher : ( )

ACE[ 2]  : Allow : NT AUTHORITY\INTERACTIVE 0x00020015
   Perms : ( QueryConf QueryStat Start RCtl )
   Inher : ( )

ACE[ 3]  : Allow : NT AUTHORITY\SERVICE 0x00020015
   Perms : ( QueryConf QueryStat Start RCtl )
   Inher : ( )

ACE[ 4]  : Allow : NT AUTHORITY\SYSTEM 0x00020035
   Perms : ( QueryConf QueryStat Start Stop RCtl )
   Inher : ( )

ACE[ 5]  : Allow : BUILTIN\Administrators 0x000F003F
   Perms : ( QueryConf ChangeConf QueryStat EnumDeps Start Stop Del RCtl WDac WOwn )
   Inher : ( )

ACE[ 6]  : Allow : Package\S-1-15-2-1 0x00000001
   Perms : ( QueryConf )
   Inher : ( )

ACE[ 7]  : Allow : (null)\S-1-15-3-1024-528118966-3876874398-709513571-1907873084-3598227634-3698730060-278077788-3990600205 0x00000001
   Perms : ( QueryConf )
   Inher : ( )

SACL[ 0]  : Sacl : \Everyone 0x000F003F
   Perms : ( QueryConf ChangeConf QueryStat EnumDeps Start Stop Del RCtl WDac WOwn )
   Inher : ( Fail )

SACL[ 1]  : Sacl : \Everyone 0x10000000
   Perms : ( GenericAll )
   Inher : ( ObjectInherit InheritOnly Fail )

And add mshta.exe to the list:

Netsh.exe advfirewall firewall add rule name="Block mshta.exe netconns" program="%systemroot%\system32\mshta.exe" protocol=tcp dir=out enable=yes action=block profile=any

Some more fodder for future ideas by consulting this LOLBAS/BIN list:

(https://twitter.com/bohops/status/1322906881862602754)
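
An added example (not from this issue or from Raccine) of the check a defender would run after applying the SCM change above: it parses `sc sdshow scmanager` style SDDL, confirms that ACE 0 is a deny entry for NETWORK covering ChangeConfig and WriteDACL, and reproduces what the batch one-liner does while keeping the SACL. The sample descriptors are constructed from the viewsddl output above; the right-code table assumes the standard SDDL aliases and their service-object meanings.

```python
import re

# SDDL access-right codes as sc.exe / viewsddl print them; the low generic bits carry
# their service-object meaning (SERVICE_CHANGE_CONFIG is 0x2, SERVICE_START is 0x10, ...).
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40,
          "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000,
          "WO": 0x80000, "KA": 0xF003F, "GA": 0x10000000}
SERVICE_CHANGE_CONFIG, WRITE_DAC = 0x2, 0x40000
NETWORK = "NU"  # SDDL alias for S-1-5-2, NT AUTHORITY\NETWORK
DENY_ACE = "(D;;DCWD;;;NU)"  # what the batch one-liner writes as (D;;0x00040002;;;NU)

# Constructed samples: the post-hardening descriptor shown in the issue, and the same
# descriptor before the deny ACE was added (i.e. what sc sdshow scmanager returned).
HARDENED = ("D:(D;;DCWD;;;NU)(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)"
            "(A;;KA;;;BA)(A;;CC;;;AC)(A;;CC;;;S-1-15-3-1024-528118966-3876874398-709513571-"
            "1907873084-3598227634-3698730060-278077788-3990600205)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
ORIGINAL = HARDENED.replace(DENY_ACE, "", 1)

def parse_mask(text):
    """'0x00040002' or 'DCWD' -> integer access mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    return sum(RIGHTS[text[i:i + 2]] for i in range(0, len(text), 2))

def parse_sddl(sddl):
    """'D:flags(ace)(ace)S:(ace)' -> {'D': [ace dicts], 'S': [ace dicts]} (owner/group ignored)."""
    parts = {}
    for key, _flags, body in re.findall(r"([DS]):([A-Z]*)((?:\([^)]*\))*)", sddl):
        aces = []
        for ace in re.findall(r"\(([^)]*)\)", body):
            kind, flags, rights, _otype, _itype, sid = ace.split(";")
            aces.append({"type": kind, "flags": flags, "mask": parse_mask(rights), "sid": sid})
        parts[key] = aces
    return parts

def scm_denies_remote_reconfig(sddl):
    """True when ACE 0 of the DACL denies NETWORK both ChangeConfig and WriteDACL.
    Position matters: an allow ACE evaluated before the deny would already grant access."""
    dacl = parse_sddl(sddl).get("D", [])
    if not dacl:
        return False
    ace, wanted = dacl[0], SERVICE_CHANGE_CONFIG | WRITE_DAC
    return ace["type"] == "D" and ace["sid"] == NETWORK and ace["mask"] & wanted == wanted

def harden_scm_sddl(sddl):
    """Prepend the deny ACE the way the batch one-liner does, keeping DACL flags and the SACL."""
    if scm_denies_remote_reconfig(sddl):
        return sddl  # already hardened; do not stack duplicate deny entries
    return re.sub(r"D:([A-Z]*)", lambda m: "D:" + m.group(1) + DENY_ACE, sddl, count=1)

if __name__ == "__main__":
    print("before:", scm_denies_remote_reconfig(ORIGINAL))                    # False
    print("after: ", scm_denies_remote_reconfig(harden_scm_sddl(ORIGINAL)))  # True
```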

SwiftOnSecurity commented 3 years ago

=0