
Wednesday, January 7, 2015

Is the New Windows 8.1 0-Day a big deal? Not really if you're logging like you should




Google engineers just released a Proof of Concept for an undisclosed Windows 8.1 vulnerability that would allow privilege escalation.

Is this a big deal? Only if the bad guys can already execute something on your system and run a specific command. By now you should know that if the malwarians can get you to visit a compromised website, or get a user to click on a URL or open an email attachment, it's game over anyway. No 0-day needed, but hey, it's just another option for the malwarians to use. This vulnerability bypasses UAC under the typical, not-secure-enough Windows default settings. You can always annoy your users by turning UAC up to prompt more, as Vista did; I'm sure they won't mind ;-) because users are great at knowing what is good and what is bad.


THANK YOU GOOGLE for releasing the details, which allows me and other Blue Team Defender Ninjas who utilize logging, as we all should be doing, to easily detect this vulnerability and its use in an attack. Some are saying a company the size of Google (which does not use Windows as a primary desktop OS, FYI) should not have disclosed how to exploit a system. That is another discussion, about what responsible disclosure is.

Why is this a good thing for us defenders and you?

While Microsoft figures out the fix, we defenders and those reading this BLOG can take the following actions to detect whether the attack is used or attempted, even after the patch is issued. I think this is awesome info, as watching for these types of command executions is crucial to active-defense Blue Teamers like myself and others who use and rely on logging for security.

Here is the command used in the exploit:

"AppCompatCache.exe c:\windows\system32\ComputerDefaults.exe testdll.dll"


- testdll.dll being the malwarians' bad code.

So how do we detect these types of attacks?

Step 1:
Enable command line logging for Windows 8.1 and Windows Server 2012 R2 by creating the following registry value, or by adding it via GPO if you're on Server 2012 domain controllers.

Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
Value: ProcessCreationIncludeCmdLine_Enabled (DWORD) = 1

Step 2:
Look at Event ID 4688 for a "Process Command Line" that contains:
"AppCompatCache.exe c:\"

Create an alert whenever this is executed. You could go as far as specifying the exact command Google disclosed, but you should keep it more generic so you can pick up typos. Yes, hackers make typos; they are human, by the way.

This is similar to another vulnerability malwarians often exploit, in "sysprep.exe", by using the command line:

"sysprep.exe c:\windows\sysprep\cryptbase.dll"


- Cryptbase.dll being the malicious payload.
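To show what the Step 2 alert and the sysprep rule look like as code, here is an added example (not from the original post) that pulls the "Process Command Line" field out of 4688 events rendered as XML and flags the generic patterns described above, so a typo in the DLL name still fires. The sample events are constructed for illustration; it assumes command line logging is enabled (the value above) and that the Audit Process Creation subcategory is on so 4688 is written at all.

```python
import re
import xml.etree.ElementTree as ET

# Generic rules in the spirit of the post: match the launcher and its first
# argument, not the exact PoC string. Case-insensitive because Windows paths are.
RULES = {
    "appcompatcache-uac-bypass": re.compile(r"appcompatcache\.exe\s+c:\\", re.I),
    "sysprep-dll-sideload": re.compile(r"sysprep\.exe\s+.*\.dll", re.I),
}

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

def command_line_from_4688(xml_text):
    """Return the EventData field Name='CommandLine' ("Process Command Line")
    of a 4688 event, '' if the field is absent, or None if the event is not 4688."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4688":
        return None
    for data in root.findall("e:EventData/e:Data", NS):
        if data.get("Name") == "CommandLine":
            return data.text or ""
    return ""  # command line logging not enabled: nothing to match on

def match_rules(cmdline):
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def scan_events(events):
    """Return (rule names, command line) for each 4688 event that matches."""
    hits = []
    for xml_text in events:
        cmd = command_line_from_4688(xml_text)
        if cmd:
            names = match_rules(cmd)
            if names:
                hits.append((names, cmd))
    return hits

# Constructed sample events (not real captures); the second has a typo'd DLL name.
def _event(eid, cmd):
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{eid}</EventID></System>'
            f'<EventData><Data Name="CommandLine">{cmd}</Data></EventData></Event>')

SAMPLE_EVENTS = [
    _event(4688, r"AppCompatCache.exe c:\windows\system32\ComputerDefaults.exe testdll.dll"),
    _event(4688, r"appcompatcache.exe C:\Windows\System32\ComputerDefaults.exe tetsdll.dll"),
    _event(4688, r"C:\Windows\System32\Sysprep\sysprep.exe c:\windows\sysprep\cryptbase.dll"),
    _event(4688, r"notepad.exe C:\Users\bob\notes.txt"),
    _event(4689, r"AppCompatCache.exe c:\ignored-not-a-4688"),
]

if __name__ == "__main__":
    for names, cmd in scan_events(SAMPLE_EVENTS):
        print(names, cmd)
```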

Setting up monitoring for these types of commands as you discover them, whether while practicing Malware Management (as I recommend everyone start doing) or as you read these types of disclosures and think "I wonder if anyone has attempted this on my systems", will vastly improve your InfoSec defense capabilities. Below is an example of the Win 8.1 command line logging being enabled.



If you are running older versions than those mentioned above, have no fear, Sysmon is here! The Windows Logging Service (WLS) can also provide this command line logging. Below is an example of Sysmon capturing the commands entered.



From my perspective, there is far more good than bad in Google releasing this to the public, as Microsoft will patch it quickly. It did, however, help reinforce that Malware Management can help you detect things as they occur, 0-day or not, so you can react faster and avoid becoming the next Target, Home Depot or Sony.

Google research on 8.1 vulnerability

Happy Hunting!!!!

#InfoSec #HackerHurricane #YayGoogle