AppLocker, file hash, and blocking executables you don't have

  • Question

  • So, AppLocker, IOCs and malware. It's good we can get IOCs for known malware, and good that we can block executables etc. by hash. Except, it's not that easy, is it MS?

    Because, MS demand you point the AppLocker tool at a copy of the malware, so it can calculate its Authenticode hash and add it to the policy. But if you're not really wanting to go out of your way to download the malware (the right one, of course) and point the GUI at it, you're stuffed!

    So, being crafty, I thought "I'll export the AppLocker policy to XML, and hand-edit in my own hash file entries!". But... the IOCs we receive from our vendor (and such as you'll find on VirusTotal) do not include an Authenticode hash - only MD5, SHA1 and SHA256 typically. Despite it saying "SHA256" in the XML, it's not - it's an Authenticode hash and of course these don't translate to SHA256.

    So, how do we generate an Authenticode hash for an executable we don't have, but want to pre-emptively block anyway?

    I thought I'd be smart in that perhaps if the EXE wasn't digitally signed, then it would fall back on a SHA256 hash or something, but a quick test with my own unsigned EXE proved that AppLocker generated an Authenticode hash anyway.

    Anyone got any ideas how to get round this ridiculous limitation? Seems a dumb way to go about it - you can only block executables you already have a copy of....

    The absolute nearest I can get to this is searching VirusTotal for the SHA256/MD5 etc. as provided by our vendor, and seeing/hoping it has been scanned, in which case I can get the Authenticode hash from there. This of course depends on it being in the VirusTotal database.

    My test executable https://www.virustotal.com/gui/file/3c5bfd93f1e8ab07b85ed7288d32fa3c4ba63419c6fd8d561b7708dea4c15044/details

    VirusTotal reports:
    SHA-256 3c5bfd93f1e8ab07b85ed7288d32fa3c4ba63419c6fd8d561b7708dea4c15044
    Authentihash 813bc939d3667a1890d0b982bb5e4667fe95b6275465fdface78ccc1220eab88

    AppLocker cmdlet matches the Authentihash at VT
    Get-AppLockerFileInformation c:\temp\test.exe | select hash
    SHA256 0x813BC939D3667A1890D0B982BB5E4667FE95B6275465FDFACE78CCC1220EAB88

    And this matches the SHA256 at VT
    Get-filehash C:\temp\test.exe -Algorithm sha256
    SHA256          3C5BFD93F1E8AB07B85ED7288D32FA3C4BA63419C6FD8D561B7708DEA4C15044 

    edit: aware that one should approach AppLocker as a whitelisting tool, rather than blacklisting, but should the malware find itself into a whitelisted location, then it would be useful to fall back on that blacklist. If you are trying to defend against a specific malware, as we're being asked to do in this case, then blacklisting it does make sense.

      
    • Edited by andreww Wednesday, October 30, 2019 4:10 PM
    Wednesday, October 30, 2019 3:32 PM
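Why the two values in the post differ, as an added example that is not part of the original post and not AppLocker's own code: a simplified Authenticode PE image hash (the value VirusTotal labels Authentihash) is SHA-256 over the file with the CheckSum field, the Certificate Table directory entry and the certificate table itself left out, so it cannot be derived from a flat MD5/SHA1/SHA256 IOC without the file bytes. Assumptions: sections are contiguous and in file order, the certificate table is the last thing in the file, and `build_sample_pe` and `sign_like` are hypothetical helpers producing constructed data, not a loadable executable or a real signature.

```python
import hashlib
import struct

def pe_offsets(data):
    """Return file offsets of OptionalHeader.CheckSum and data-directory entry 4."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 24                                           # signature + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)            # PE32 vs PE32+
    return opt + 64, dirs + 4 * 8                           # entry 4 = Certificate Table

def authentihash(data):
    """SHA-256 over the image minus CheckSum, the Certificate Table entry and the table."""
    cks, cdir = pe_offsets(data)
    cert_off, cert_len = struct.unpack_from("<II", data, cdir)
    end = cert_off if cert_off and cert_len else len(data)  # assumed: table is at end of file
    h = hashlib.sha256()
    for chunk in (data[:cks], data[cks + 4:cdir], data[cdir + 8:end]):
        h.update(chunk)
    return h.hexdigest()

def build_sample_pe():
    """Constructed sample: 512-byte PE32 header skeleton plus 512 filler bytes."""
    hdr = bytearray(512)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                 # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x84, 0x14C)                # Machine = i386
    struct.pack_into("<H", hdr, 0x98, 0x10B)                # PE32 magic
    return bytes(hdr) + b"\x90" * 512

def sign_like(data, blob=b"\x00" * 64, checksum=0x12345678):
    """Mimic what signing changes: append a table, set entry 4 and CheckSum."""
    cks, cdir = pe_offsets(data)
    out = bytearray(data)
    struct.pack_into("<I", out, cks, checksum)              # constructed checksum value
    struct.pack_into("<II", out, cdir, len(data), len(blob))
    return bytes(out) + blob                                # blob is a placeholder, not PKCS#7

if __name__ == "__main__":
    unsigned = build_sample_pe()
    signed = sign_like(unsigned)
    for name, img in (("unsigned", unsigned), ("signed-like", signed)):
        print(name, "SHA-256     ", hashlib.sha256(img).hexdigest())
        print(name, "Authentihash", authentihash(img))
```

The two constructed images print different SHA-256 values but the same Authentihash, and an unsigned image still gets an Authentihash that differs from its flat SHA-256, which matches the behaviour described for the unsigned test EXE.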

All replies