1. Payload Delivery > Code-Execution (Type 1)

Background

What's the point of that Code-Execution model, one might ask? Just a backstory as to why OpenEDR was developed. Almost 4 years ago, I started a small squad of Test-&-Evaluation engineers. We were figuring out how to evaluate COTS "security" products. During our malware sandbox evaluation, I noticed this fetish for EXEs, which got me asking: "are you sure that this is the only way to run malicious code?". That got me looking at AppLocker (or any app-whitelisting) evasion, which was the precursor to what is known as Living-off-the-Land that we often see today.
So when I read reports like https://www.bleepingcomputer.com/news/security/fbi-conti-ransomware-attacked-16-us-healthcare-first-responder-orgs/, the first thing I do is take the malware name, append " technical analysis" to the name & GOOGLE. You will likely find CarbonBlack's or Vipre's analysis as the first two results. From the latter, you see that there is a conti.exe in one of their screenshots. At this point, I will not be bothered & can confidently conclude that OpenEDR will disrupt this attack-flow without spending much time on the details, unless the report states the possibility of remote injection without touching the disk.
This is the benefit of such a mental model: it saves you time & energy by letting you zoom into the pertinent details.

Resources

YJ's Findings

Running a Type 1 file (Foreign Compiled Files)

OpenEDR blocks the execution of Type 1 files, e.g. executable/DLL files. This is what happened when I tried to run an executable file on the Windows VM.
Below are my attempts to bypass this app control method:
*Side note: I am using 7-Zip.exe for my attempts.

Attempt 1: Run the executable file without exe extension using command prompt

Step 1: Change the file extension from .exe to .notexe
Step 2: Run the file using cmd
*Side note: Had to run cmd as administrator. Normal cmd was unable to run the file (it asks how you want to open the file).
Result: Unsuccessful attempt. The 7-Zip installer opened for about half a second before automatically closing.

Attempt 2: Change file ownership

Right-click on the file → Properties → Security → Advanced
Select Change
Under "Enter the object name to select", type in the name of the user/group that you want to switch the file ownership to. In this case, I chose to switch the ownership to the Administrators group. Select Check Names to confirm that it exists. Once done, select OK.
We can see that the owner of the file has changed from User to Administrators.
Now, try running the executable file.
Result: Successful attempt. I was able to run 7-Zip.exe after changing the file ownership.
Other things that I've tried:
  • Tried changing ownership to SYSTEM and was able to run the exe file
  • Tried changing ownership to Administrator (not Administrators) but was unable to run the exe file
  • Gave full control permissions to the User account but was unable to run the exe file

Next, I tested using another exe file, i.e. FirefoxInstaller.exe.
Result: After changing the file ownership to Administrators, I was unable to run the exe file. Unlike with 7-Zip, an additional step was required, i.e. I had to change the exe file extension to a different extension, e.g. .notexe, for it to work.
I tested using another exe file, i.e. WinZip.exe.
Result: Only changing the file ownership to Administrators was required to run the exe file.

*Note: Changing file ownership requires the user to have administrative rights. The default account provided in the Windows VM is a member of the Administrators group, which is why I was able to change the ownership. Using a standard user account results in a UAC credentials prompt instead.

Conclusion

Changing the file ownership to the Administrators/SYSTEM group and changing the exe extension to a different extension are needed to run Type 1 files. Changing the file ownership to SYSTEM or other whitelisted users/groups evades the post-execution detection, whereas changing the extension evades the ACL denial step. However, one criterion for achieving this is to have elevated rights in the first place.
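The two indicators above (a PE file hidden behind a foreign extension, and ownership by a principal the execution check trusts) can be audited for independently of whatever the EDR does at run time. The script below is an added example written for this page, not part of OpenEDR or the findings above; it assumes the scan root and the trusted-owner list as parameters, and identifies Type 1 files by their MZ/PE header rather than by extension.

```powershell
# Added audit script (not OpenEDR code). Walks a directory, finds files that are
# PE images regardless of extension, and reports their owner so that the exact
# combination used in the test (renamed PE + trusted owner) ranks highest.
param(
    [string]$Root = "$env:USERPROFILE",   # assumption: scan the current user's profile
    [string[]]$TrustedOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'),
    [string[]]$PeExtensions  = @('.exe', '.dll', '.sys', '.scr', '.cpl', '.ocx')
)

function Test-PeHeader {
    # $true if the file starts with an 'MZ' DOS stub whose e_lfanew points at 'PE\0\0'.
    param([string]$Path)
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try {
            $dos = New-Object byte[] 64
            if ($fs.Read($dos, 0, 64) -lt 64) { return $false }
            if ($dos[0] -ne 0x4D -or $dos[1] -ne 0x5A) { return $false }   # 'M','Z'
            $peOffset = [BitConverter]::ToUInt32($dos, 0x3C)              # e_lfanew
            if (($peOffset + 4) -gt $fs.Length) { return $false }
            $null = $fs.Seek($peOffset, [System.IO.SeekOrigin]::Begin)
            $sig = New-Object byte[] 4
            if ($fs.Read($sig, 0, 4) -lt 4) { return $false }
            return ($sig[0] -eq 0x50 -and $sig[1] -eq 0x45 -and $sig[2] -eq 0 -and $sig[3] -eq 0)
        } finally { $fs.Dispose() }
    } catch { return $false }   # locked or unreadable files are skipped, not flagged
}

$findings = foreach ($file in Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue) {
    if (-not (Test-PeHeader $file.FullName)) { continue }
    $owner        = (Get-Acl -LiteralPath $file.FullName -ErrorAction SilentlyContinue).Owner
    $renamed      = $PeExtensions -notcontains $file.Extension.ToLowerInvariant()
    $trustedOwner = $TrustedOwners -contains $owner
    # Either indicator alone is common (installers are often owned by Administrators);
    # both together is the pattern the test used, so it scores 2.
    [pscustomobject]@{
        Path         = $file.FullName
        Extension    = $file.Extension
        Owner        = $owner
        Renamed      = $renamed
        TrustedOwner = $trustedOwner
        Score        = [int]$renamed + [int]$trustedOwner
    }
}

$findings | Sort-Object Score, Path -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that Get-Acl can read ownership on files the current user does not own; Score 2 entries are the ones worth inspecting first.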