Testing with our own custom WDAC rules confirms that Windows honors deny rules built on every supported rule level. Specifically:
Hash, FileName, FilePath, SignedVersion, PFN, Publisher, FilePublisher, LeafCertificate, PcaCertificate, RootCertificate, WHQL, WHQLPublisher, WHQLFilePublisher
When we test each of these blocking techniques individually, they all work as expected, including blocking by signing certificate (FilePublisher). This suggests that WDAC blocking by signing certificate is not itself broken; rather, something is wrong with the Microsoft recommended driver block rules list specifically when it is enforced without HVCI.
However, in the process of testing the individual blocking techniques, I discovered a third vulnerability. On a system that is successfully enforcing a FilePath WDAC deny rule, enabling HVCI causes that rule to stop blocking.
That is, while turning on HVCI is a wise move across the board, this is one specific case where having HVCI enabled is ironically less secure than having it off. The Microsoft recommended driver block rules list contains no FilePath-based entries, so that list is unaffected by this problem. But there are surely administrators out there with FilePath deny rules who are unknowingly missing that protection on systems with HVCI enabled.
To eliminate variables, I produced these screenshots by starting with a system that had a working FilePath WDAC deny rule and simply enabling HVCI on that same system. The mere act of enabling HVCI causes a working FilePath rule to stop working.
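The per-rule-level tests described earlier in this section and the FilePath-versus-HVCI experiment just described, as an added PowerShell example. This is my code, not the author's; the driver path `C:\Test\vulndrv.sys`, the service name `vulndrv`, the working directory and the policy name are hypothetical placeholders. The ConfigCI cmdlets, the `AllowAll.xml` template, the HVCI registry key, the `Win32_DeviceGuard` class and Code Integrity event ID 3077 are standard Windows interfaces. Each run needs a reboot between deploying the policy and loading the driver, so the script is meant to be pasted into an elevated prompt and its functions re-run after each restart.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Paths, driver/service names and the
# policy name are hypothetical placeholders; replace them with your own test driver.
Import-Module ConfigCI

$DriverPath  = 'C:\Test\vulndrv.sys'   # hypothetical driver to deny-list
$ServiceName = 'vulndrv'               # hypothetical service name used to load it
$WorkDir     = 'C:\Test'

# Build a policy that allows everything except the driver under test, using exactly
# one deny rule of the requested level. Starting from Microsoft's AllowAll template
# means the only thing this policy can block is our rule, which isolates the test.
function New-DenyTestPolicy {
    param(
        [Parameter(Mandatory)][string]$DriverPath,
        [Parameter(Mandatory)]
        [ValidateSet('FilePath','Hash','FileName','FilePublisher','Publisher',
                     'LeafCertificate','PcaCertificate','RootCertificate')]
        [string]$Level,
        [Parameter(Mandatory)][string]$OutXml
    )
    $template = "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml"
    if ($Level -eq 'FilePath') {
        $rules = New-CIPolicyRule -FilePathRule $DriverPath -Deny
    } else {
        $rules = New-CIPolicyRule -DriverFilePath $DriverPath -Level $Level -Deny
    }
    Merge-CIPolicy -OutputFilePath $OutXml -PolicyPaths $template -Rules $rules | Out-Null
    Set-CIPolicyIdInfo -FilePath $OutXml -PolicyName "DenyTest-$Level" -ResetPolicyID | Out-Null
    Set-RuleOption -FilePath $OutXml -Option 3 -Delete   # option 3 = Enabled:Audit Mode; delete it to enforce
    return $OutXml
}

# Convert the XML to binary and place it in the multiple-policy-format location.
# On Windows 11 22H2+ 'CiTool.exe --update-policy <file>' applies it without a
# reboot, but rebooting keeps the before/after comparison clean.
function Install-TestPolicy {
    param([Parameter(Mandatory)][string]$PolicyXml)
    $policyId = ([xml](Get-Content $PolicyXml)).SiPolicy.PolicyID
    $bin = Join-Path $env:SystemRoot "System32\CodeIntegrity\CiPolicies\Active\$policyId.cip"
    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $bin | Out-Null
    return $bin
}

# Report whether HVCI is running and whether a CI policy is enforced.
function Get-HvciState {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        HvciRunning         = [bool]($dg.SecurityServicesRunning -contains 2)   # 2 = HVCI
        CiPolicyEnforcement = $dg.CodeIntegrityPolicyEnforcementStatus          # 0 off, 1 audit, 2 enforced
    }
}

# Turn HVCI on the same way the Core Isolation UI does; takes effect after a reboot.
function Enable-Hvci {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name Enabled -Value 1 -Type DWord
    Write-Host 'HVCI enabled in the registry; reboot to apply.'
}

# Try to load the driver and report whether Code Integrity blocked it. Event 3077 in
# the CodeIntegrity/Operational log is the enforced-mode block record; a nonzero
# exit code from 'sc start' is the caller-visible symptom (1275 = driver blocked).
function Test-DriverLoad {
    param([Parameter(Mandatory)][string]$ServiceName, [Parameter(Mandatory)][string]$DriverPath)
    $since = Get-Date
    sc.exe create $ServiceName type= kernel binPath= $DriverPath | Out-Null
    sc.exe start $ServiceName | Out-Null
    $loaded = ($LASTEXITCODE -eq 0)
    sc.exe stop $ServiceName | Out-Null
    sc.exe delete $ServiceName | Out-Null
    $leaf = Split-Path $DriverPath -Leaf
    $block = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077; StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -like "*$leaf*" }
    [pscustomobject]@{ Loaded = $loaded; Blocked = [bool]$block; Hvci = (Get-HvciState).HvciRunning }
}

# --- Run 1: HVCI off. Expect Loaded=False, Blocked=True (the FilePath rule works). ---
$xml = New-DenyTestPolicy -DriverPath $DriverPath -Level FilePath -OutXml "$WorkDir\DenyFilePath.xml"
Install-TestPolicy -PolicyXml $xml
# Restart-Computer, re-run the function definitions above, then:
Test-DriverLoad -ServiceName $ServiceName -DriverPath $DriverPath

# --- Run 2: identical policy, HVCI on. The finding in this post is Loaded=True, Blocked=False. ---
Enable-Hvci
# Restart-Computer, re-run the function definitions above, then:
Test-DriverLoad -ServiceName $ServiceName -DriverPath $DriverPath
```

Swapping `-Level FilePath` for `Hash`, `FilePublisher` or any other value in the `ValidateSet` repeats the same before/after comparison for the other rule levels, which is how the per-level results above can be reproduced one variable at a time. Leave everything else identical between the two runs so that the only difference is the HVCI registry value.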
It truly is bugs all the way down. To summarize what we've discovered after pulling on the thread of blocked drivers not being blocked:
- If HVCI is off, the Microsoft recommended driver block rules list will not block any of its entries that are specified by signing certificate (FilePublisher).
- The driver block list you get by enabling the "Microsoft Vulnerable Driver Blocklist" feature in Windows is not merely a delayed copy of the public list (Microsoft reports that it's updated 1-2 times per year); more importantly, it is a different list. (Further investigation into how it differs is required.)
- If HVCI is on, any FilePath-based deny rules are ignored.