LowBox Token Permissive Learning Mode
2021-09-07 15:53:00 Author: www.blogger.com (view original) Reads: 95

I was recently asked about this topic and so I thought it'd make sense to put it into a public blog post so that everyone can benefit. Windows 11 (and Windows Server 2022) has a new feature for tokens which allows the kernel to perform the normal LowBox access check but, if it fails, log the error rather than failing with access denied.

This feature allows you to start an AppContainer sandbox process, run a task, and determine what parts of it would fail if you actually tried to sandbox the process. This makes it much easier to determine what capabilities you might need to grant to prevent your application from crashing when you apply the sandbox for real. It's a very useful diagnostic tool, although whether it'll be documented by Microsoft remains to be seen. Let's go through a quick example of how to use it.

First you need to start an ETW trace for the Microsoft-Windows-Kernel-General provider with the KERNEL_GENERAL_SECURITY_ACCESSCHECK keyword (value 0x20) enabled. In an administrator PowerShell console you can run the following:

    PS> $name = 'AccessTrace'
    PS> New-NetEventSession -Name $name -LocalFilePath "$env:USERPROFILE\access_trace.etl" | Out-Null
    PS> Add-NetEventProvider -SessionName $name -Name "Microsoft-Windows-Kernel-General" -MatchAllKeyword 0x20 | Out-Null
    PS> Start-NetEventSession -Name $name

This will start the trace session and log the events to the access_trace.etl file in your home directory. As this is ETW you could probably do a real-time trace or enable stack tracing to find out what code is actually failing; however, for this example we'll do the least amount of work possible. This log is also used for things like Adminless, which I've blogged about before (https://www.tiraniddo.dev/2019/01/enabling-adminless-mode-on-windows-10.html).

Now you need to generate some log events. You just need to add the permissiveLearningMode capability when creating the lowbox token or process. You can almost certainly add it to your application's manifest as well when developing a sandboxed UWP application, but we'll assume here that we're setting up the sandbox manually.

    PS> $cap = Get-NtSid -CapabilityName 'permissiveLearningMode'
    PS> $token = Get-NtToken -LowBox -PackageSid ABC -CapabilitySid $cap
    PS> Invoke-NtToken $token { "Hello" | Set-Content "$env:USERPROFILE\test.txt" }

The previous code creates a lowbox token with the capability and writes to a file in the user's profile. This would normally fail, as the user's profile doesn't grant any AppContainer access to write to it. However, you should find the write succeeded. Now, back in the admin PowerShell console, you'll want to stop the trace and clean up the session.

    PS> Stop-NetEventSession -Name $name
    PS> Remove-NetEventSession -Name $name

You should find an access_trace.etl file in your user's profile directory which will contain the logged events. There are various ways to read this file; the simplest is to use the Get-WinEvent command. As you need to do a bit of parsing of the contents of the log to get out the various values, I've put together a simple script to do that. It's available on GitHub here: https://gist.github.com/tyranid/a219ed36c7bca7a23036d9f6cedf0cdf. Just run the script, passing the name of the log file, to convert the events into PowerShell objects.

    PS> parse_access_check_log.ps1 "$env:USERPROFILE\access_trace.etl"

    ProcessName        : ...\v1.0\powershell.exe
    Mask               : MaximumAllowed
    PackageSid         : S-1-15-2-1445519891-4232675966-...
    Groups             : INSIDERDEV\user
    Capabilities       : NAMED CAPABILITIES\Permissive Learning Mode
    SecurityDescriptor : O:BAG:BAD:(A;OICI;KA;;;S-1-5-21-623841239-...

The log events don't seem to contain the name of the resource being opened, but they do contain the security descriptor and type of the object, what access mask was requested, and basic information about the access token used. Hopefully this information is useful to someone.

tiraniddo
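The following script is an added example, not code from the original post or from the NtObjectManager project. It wraps the whole procedure described above (start the trace, run a task under a permissiveLearningMode lowbox token, stop and remove the session, then read the raw events back) into one run with try/finally cleanup, so a throwing task or a Ctrl-C doesn't leave an orphaned ETW session behind. It assumes Windows 11 or Windows Server 2022, an elevated PowerShell console, the NtObjectManager module installed, and that running the sandboxed task from that same elevated console is acceptable for a diagnostic run; the package name, session name and output path are arbitrary choices. It does not reproduce the field-level parsing of the author's gist script; it only lists the captured events so you can confirm the trace worked before handing the .etl file to that script.

```powershell
# Added example (not from the original post): the post's procedure as one
# script with guaranteed session cleanup.
# Assumptions: Windows 11 / Server 2022, elevated console, NtObjectManager
# module installed. $PackageName, $TracePath and $sessionName are arbitrary.
#Requires -RunAsAdministrator
param(
    [string]$PackageName = 'LearningModeDemo',
    [string]$TracePath = "$env:USERPROFILE\access_trace.etl",
    # The task to run inside the learning-mode sandbox. The default mirrors
    # the post: a write to the user's profile that a real AppContainer
    # would normally be denied.
    [scriptblock]$Task = { "Hello" | Set-Content "$env:USERPROFILE\test.txt" }
)

Import-Module NtObjectManager -ErrorAction Stop

$sessionName = 'AccessTrace'
# Keyword 0x20 is KERNEL_GENERAL_SECURITY_ACCESSCHECK on the
# Microsoft-Windows-Kernel-General provider.
$keyword = 0x20

# Remove a stale session of the same name left over from an interrupted run.
Get-NetEventSession -Name $sessionName -ErrorAction SilentlyContinue |
    Remove-NetEventSession

New-NetEventSession -Name $sessionName -LocalFilePath $TracePath | Out-Null
Add-NetEventProvider -SessionName $sessionName `
    -Name 'Microsoft-Windows-Kernel-General' -MatchAllKeyword $keyword | Out-Null
Start-NetEventSession -Name $sessionName

try {
    # The capability that makes the kernel log a failed LowBox access check
    # instead of returning access denied.
    $cap = Get-NtSid -CapabilityName 'permissiveLearningMode'
    $token = Get-NtToken -LowBox -PackageSid $PackageName -CapabilitySid $cap
    try {
        # Run the task under the lowbox token; failures are logged, not denied.
        Invoke-NtToken $token $Task
    }
    finally {
        $token.Dispose()
    }
}
finally {
    # Always stop and remove the trace session, even if the task threw.
    Stop-NetEventSession -Name $sessionName
    Remove-NetEventSession -Name $sessionName
}

# Read the raw events back. -Oldest is required by Get-WinEvent for .etl files.
# Field-level decoding (package SID, requested mask, security descriptor) is
# what the post's gist script does; this just lists what the provider logged.
Get-WinEvent -Path $TracePath -Oldest |
    Where-Object ProviderName -eq 'Microsoft-Windows-Kernel-General' |
    Select-Object TimeCreated, Id,
        @{ Name = 'Properties'; Expression = { ($_.Properties.Value) -join ' | ' } }
```

Run it from an elevated console, optionally passing a different `-Task` script block for the workload you are evaluating; afterwards, pass the same `$TracePath` to the gist's parse_access_check_log.ps1 to get the object view shown above. The stale-session check at the top matters in practice: an ETW session that survives a crashed run keeps the provider enabled and the previous .etl file locked.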

Article source: https://www.blogger.com/feeds/4304739697716191998/posts/default/1176374155533801347