Over the course of several recent engagements which have involved malware analysis as part of incident response activities, a common theme has emerged. In many cases, malware drops files in the %TEMP% folder for execution. As several other blog posts have mentioned, restricting execution from the %TEMP% folder is an effective way to prevent several strains of malware from successfully dropping / executing payloads on the system. There are a couple of different options for implementing this block; this post will focus on Windows 10 Professional.
Windows 10’s Local Security Policy editor (Start->Programs->Windows Administrative Tools->Local Security Policy) allows for implementation of software restrictions via AppLocker as well as Software Restriction Policies that can lock down a Windows system to prevent execution from a given folder. AppLocker is a feature that was added in Windows 7 that “allows you to specify which users or groups can run particular applications in your organization based on unique identities of files”. This provides a great deal of flexibility for enterprise administrators who want to have granular control over what users can and can’t do on their systems. AppLocker in combination with restricted user permissions (not allowing each user to be a Local Administrator) can greatly reduce exposure to malware threats.
However, when I attempted to implement a local AppLocker policy on my Windows 10 Professional laptop, I got the following event in the AppLocker event log:
A quick Google search led to this page which implies that AppLocker is only available on Enterprise and Education SKUs and not on Windows 10 Professional. Dang…
One thing that IS available in Windows 10 Professional is the “Software Restriction Policies” Local Security Policy configuration. Under this section of the Local Security Policy settings, a user can specify rules that allow blacklisting or whitelisting of files based on file path, file hash, file digital signature / certificate properties, or file network zone (for example files that contain a Mark of the Web). In order to implement our %TEMP% path restriction, we can right click on “Additional Rules” under “Software Restriction Policies” and select “New Path Rule…” to add a rule to disallow execution from a specific folder path.
Environment variables and wildcards are expanded in path rules, so it is OK to use %TEMP%, for example, in place of C:\Users\<username>\AppData\Local\Temp. Once the rule is in place, a user is presented with the following dialog when something attempts to run from the %TEMP% folder.
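The same rule can be created without the GUI. The following PowerShell is an added example, not code from the original post: it writes the registry location that Software Restriction Policies reads (the `Safer\CodeIdentifiers` key under `HKLM\SOFTWARE\Policies\Microsoft\Windows`), which is what the "New Path Rule..." dialog does behind the scenes. It assumes an elevated PowerShell session on Windows 10 Professional; the `New-SrpPathRule` function name and the rule description are constructed for this example.

```powershell
# Added example (not from the original post). Creates the "Disallowed" path rule for %TEMP%
# that the Local Security Policy GUI steps produce, by writing the SRP registry layout:
#   ...\Safer\CodeIdentifiers\<level>\Paths\{guid}   (level 0 = Disallowed, 262144 = Unrestricted)
# Assumptions: run elevated on Windows 10 Pro; function and description names are constructed.

$srpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# If SRP has never been initialised on this machine, mirror the base settings the GUI's
# "New Software Restriction Policies" action creates: Unrestricted default level,
# enforce all files except DLLs (TransparentEnabled=1), apply to all users (PolicyScope=0).
if (-not (Test-Path $srpRoot)) {
    New-Item -Path $srpRoot -Force | Out-Null
    New-ItemProperty -Path $srpRoot -Name DefaultLevel       -PropertyType DWord -Value 0x40000 | Out-Null
    New-ItemProperty -Path $srpRoot -Name TransparentEnabled -PropertyType DWord -Value 1       | Out-Null
    New-ItemProperty -Path $srpRoot -Name PolicyScope        -PropertyType DWord -Value 0       | Out-Null
    New-ItemProperty -Path $srpRoot -Name ExecutableTypes    -PropertyType MultiString -Value @(
        'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS',
        'ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS',
        'URL','VB','WSC') | Out-Null
}

function New-SrpPathRule {
    param(
        [Parameter(Mandatory)] [string] $Path,      # folder or file path; environment variables allowed
        [string] $Description = '',
        [ValidateSet('Disallowed','Unrestricted')] [string] $Level = 'Disallowed'
    )
    $levelKey = if ($Level -eq 'Disallowed') { '0' } else { '262144' }
    $ruleKey  = Join-Path $srpRoot "$levelKey\Paths\$([guid]::NewGuid().ToString('B'))"

    New-Item -Path $ruleKey -Force | Out-Null
    # ItemData is REG_EXPAND_SZ, so %TEMP% is expanded at evaluation time for the user running the file.
    New-ItemProperty -Path $ruleKey -Name ItemData     -PropertyType ExpandString -Value $Path        | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -PropertyType QWord `
        -Value ([datetime]::UtcNow.ToFileTimeUtc()) | Out-Null
    return $ruleKey
}

# The rule from the post: disallow execution from %TEMP% (a folder rule covers its subfolders too).
New-SrpPathRule -Path '%TEMP%' -Description 'Block execution from user temp folder'

# Review every path rule now configured, showing the unexpanded path as the GUI would.
foreach ($lvl in @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }.GetEnumerator()) {
    $pathsKey = Join-Path $srpRoot "$($lvl.Key)\Paths"
    if (Test-Path $pathsKey) {
        Get-ChildItem $pathsKey | ForEach-Object {
            [pscustomobject]@{
                Level       = $lvl.Value
                Path        = $_.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
                Description = $_.GetValue('Description')
            }
        }
    }
}
```

The rule applies to processes created after it is written; if a test run from %TEMP% still succeeds, log off and back on before concluding the rule is not in effect, since the GUI warns that some changes take effect only at the next logon.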
This can be an effective preventative control against many common malware variants. As with any control there are tradeoffs: this technique may prevent execution of some application installers that extract and execute code from the temp folder, or applications with modular functionality that download and execute other programs as part of their legitimate functionality. Any organization that wishes to implement these policies should perform adequate testing in their environment in order to ensure that business will not be disrupted.
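Testing the rule is easier with data on what it has actually blocked. The following PowerShell is an added example, not code from the original post: it summarises SRP enforcement events so that a legitimate installer tripping the %TEMP% rule during a pilot shows up by file name and count. It assumes SRP writes its enforcement events to the Application log under the provider name `SoftwareRestrictionPolicies` (event IDs 865 to 868, with 866 being a path-rule block) and that the message text begins "Access to <file> has been restricted"; both are stated here as assumptions to verify against your own log, and the `Get-SrpBlockSummary` name is constructed.

```powershell
# Added example (not from the original post). Summarises Software Restriction Policies
# enforcement events from the Application log so a pilot of the %TEMP% rule can be reviewed.
# Assumptions: provider name 'SoftwareRestrictionPolicies', IDs 865-868 (866 = path-rule block),
# and the "Access to <file> has been restricted" message wording. Function name is constructed.

function Get-SrpBlockSummary {
    param([int] $Days = 7)

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'SoftwareRestrictionPolicies'
        Id           = 865, 866, 867, 868
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no blocks yet".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return }

    $events | ForEach-Object {
        # Pull the blocked file path out of the message; fall back to the raw text if the
        # wording differs from the assumed pattern.
        $file = if ($_.Message -match 'Access to (?<file>.+?) has been restricted') {
                    $Matches.file
                } else { $_.Message.Trim() }
        [pscustomobject]@{
            Time = $_.TimeCreated
            Id   = $_.Id
            User = $_.UserId      # SID of the account whose process was blocked (may be empty)
            File = $file
        }
    } |
    Group-Object File |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'File';      e = { $_.Name } },
                  @{ n = 'RuleType';  e = { ($_.Group | Select-Object -First 1).Id } },
                  @{ n = 'FirstSeen'; e = { ($_.Group | Sort-Object Time | Select-Object -First 1).Time } },
                  @{ n = 'Users';     e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } }
}

# Usage: review the last week of blocks; repeated hits on a vendor installer's extracted
# executable are the signal that an exception (an Unrestricted hash or certificate rule) is needed.
Get-SrpBlockSummary -Days 7 | Format-Table -AutoSize
```

Grouping by file rather than by event is deliberate: a single user retrying a blocked installer produces a burst of identical events, and the count per file is what distinguishes a one-off from a workflow the rule breaks.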
Polito, Inc. offers a wide range of security consulting services including penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.