![]() While hunting, I came across an interesting directory structure that contained diagnostic scripts located at the following ‘parent’ path: %systemroot%\diagnostics\system\ AppLocker, Device Guard, AMSI, Powershell ScriptBlock Logging, PowerShell Constraint Language Mode, User Mode Code Integrity, HIDS/anti-virus, the SOC, etc.), looking for ways to deceive, evade, and/or bypass security solutions have become a significant component of the ethical hacker’s playbook. With increased client-side security, awareness, and monitoring (e.g. If you are troubleshooting AppLocker the Errors in the event log for the 2 PSScriptPolicyTest scripts with the file hash 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B can be safely ignored.Last week, I was hunting around the Windows Operating System for interesting scripts and binaries that may be useful for future penetration tests and Red Team engagements.Do NOT allow them (whitelist) in AppLocker since this will circumvent the Constraint mode security feature._PSScriptPolicyTest*.ps1/psm1 files are used to determine which Language Mode PowerShell will run in. ![]() Now it was back to the expected setting again. After the GPO had been updated I checked Language mode for the user again: Since this is not wanted behaviour I removed the file hash for the PSScriptPolicyTest scripts so they got blocked by AppLocker again. Well it seems that these 2 script are being used to determine which Language Mode PowerShell is allowed to run in when using AppLocker! So by allowing them in the GPO the constraint mode was completely disabled for the user. ![]() So what are those files really for? I have not found any official documentation about this behaviour so until I get some official confirmation that this is how it works it is just my assumptions. Nothing was blocked in the event log any more and the logon script still ran without any issues. The good thing is that it is always the same content and since AppLocker does not take the filename into account when creating a file hash I looked in the event log and saw that it was always the same file hash being blocked: %OSDRIVE%\USERS\\APPDATA\LOCAL\TEMP\_PSSCRIPTPOLICYTEST_1 was prevented from running. The files got removed immediately after being created but I managed to capture them and the only content that was in them the was the number one: 1 Troubleshooting this a little bit more I noticed that they are not signed and since they are located in "AppdataLocalTemp" we did not want to allow them by path (since the user have writing rights in that folder). The script itself ran as expected but the 2 PSScriptPolicyTest scripts was blocked in the log at the same time. In my case I had a PowerShell logon script that was signed and allowed in AppLocker. The full name is something like _PSScriptPolicyTest_1 where the name is _PSScriptPolicyTest_.ps1/psm1 Checking the event viewer log for AppLocker events you will see that the logged on user tried to run 2 different scripts starting with _PSScriptPolicyTest and the extensions. If you are using AppLocker (which you should) and have enabled the function "MSI and Scripts" in AppLocker to whitelist only signed PowerShell scripts you will get some errors in the event log even though your scripts are signed. ![]() Found another good article discussing the topic further:.The filehash is not reported in the eventlog for these event for me anymore (might just be my labsetup that is incorrect though)."# PowerShell test file to determine AppLocker lockdown mode " The content of the ps1,psm1 file is no longer "1" but rather.It seems there have been some changes in how these files are used by Windows sometime since I wrote the original post and now. This also means that the hash no longer is static and cannot be excluded by mistake (which is good since you shouldn't have done that in the first place). "# PowerShell test file to determine AppLocker lockdown mode 15:15:08".As noted by user bbk in the comments, in recent versions of Windows 10 the script no longer have a static content but rather a dynamic one where part of the content includes date and time.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |