Friday, November 20, 2015

Windows10 Security



http://video.ch9.ms/sessions/ignite/2015/BRK2308.mp4

Starting powerpoint from cmd line
> bp user32!setwindowstextw "ezu @eax \"Untitled:Powerpoint\" ;bd*;gc"
>g

1) Tokens / Elevated Tokens

Launch two cmd prompt one as normal user and other as admin and run
> whoami /all
This would give you your SID.

Once we login, WinLogon will give us an elevated access
Then a Second token which is filtered
Then create a process called explorer.exe using the filtered token mentioned above.

Elevation process uses Shell Execute API.  This will called in "AppInfo Service" if this is turned off we cannot elevate our rights.  This in turn would invoke consut.exe.

The elevation is driven by "Local Group Policy Editor" under Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.  Now that we are here if we scroll down way down we get to all the "User Account Control: **********".

UAC master switch is controlled by "User Account Control: Run all administrators in Admin Approval Mode"

The two most important things which we need to be worried about are
"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
"User Account Control: Behavior of the elevation prompt for standard users"

In Windows we have a collection of "Logon Sessions" which contains a collection of "Desktops" which contains a collection of "Windows" which can again contain a collection of "windows".

MSRA.exe is Microsoft Remote Assistance the one which looked similar to conf remember ???

Microsoft Application Compatibility Administrator Tool - This is a part of Application Compatibility Toolkit.  This is hidden inside the Windows ADK (Assessment and Deployment Kit) 5.61 we will get the Kernel one.

Double clicking on Setup we have *Setup*
Under update we have *Update*
Under Installer Detection we have *instal*
Under Patch we have *patch*

Under "Compatibility Fixes" We have something called as "RunAsAdmin", "RunAsHightest" and "RunAsInvoker".
We also have something called as "SpecificInstaller" and "SpecificNonInstaller".

When we launched "whoami /all" we can see something called as "Medium Mandatory level" that comes into play when we have the situation of do we trust all our apps to the same degree ?

"S-1-16-8192"
"S-1-16" is the Integrity
8192 is the Level, This is a 32 bit number which determines the integrity level.

psexec -l -d c:\Windows\SysWOW64\notepad.exe

The -l on psexe would execute notepad as a low integrity process.  This would even prevent notepad from writing to the user home directory as whom we launched the notepad process as.

chml is a change integrity level tool.  To change a file to low integrity file use the command as follows.

chml file.txt -b 0-i:ll

Let us launch an application called "Microsoft Spy++" which is distributed as part of visual studio.  This will show us how many windows are launched on our system.

2) Integrity Levels

3) User Interface Privilege Isolation.

4) Capabilities (New in Win 8 and Win 10)

5) App Containers