Bypassing Windows Information Protection, Lamely
Disclosure: I was unprepared to document anything and violated my own rules of documentation. Because I’m lame.
What is Windows Information Protection? https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip
It protects against potential leakage by malicious and accidental insiders, controls which apps can access and use the data, and helps control where the data can go at rest (encrypted). And it works, until it doesn’t.
With just one weird tip, you can get around it: PowerShell.
But what does it look like normally? We start by creating the document using one of the apps defined as "Trusted."
But what happens when you attempt to transfer the data to an app that is not allowed to access work content?
I’ll try one more time. Maybe I can just open it normally with an unapproved app.
Now let’s move jarringly from one set of screenshots to another, while pretending it all happened naturally.
But I’m lame and don’t use application whitelisting, so I run PowerShell in FullLanguage mode and can lazily dig into the document. A .docx file is just a ZIP container with XML data inside, so you can change the extension to .zip and muck around with the files.
Now you just enter the freshly created directory and look around. Note: I reset the computer I was working on and no longer had these documents. So this picture is all I have.
Now the data can be copied off and is no longer protected. On the bright side, this was exceptionally noisy: PowerShell logging would easily catch me fumbling around and running commands normal people don’t run. Constrained Language Mode also makes it slightly more difficult to script, since Expand-Archive cannot execute without FullLanguage mode.
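The rename-and-unpack step as a script, as an added example that is not from the original post: it refuses to run outside FullLanguage mode (the post's point about Constrained Language Mode), copies the work document under a .zip name, expands it, lists the extracted parts, and reports whether each copy still carries the EFS Encrypted attribute that WIP applies, so you can check in your own environment whether the copies really lose protection instead of taking the screenshots on faith. The paths in $WorkDoc and $Out are assumptions.

```powershell
# Added example, not code from the original post.
# Assumed: $WorkDoc is a WIP-protected .docx created by a "Trusted" app;
# $Out is a hypothetical scratch directory.
param(
    [string]$WorkDoc = "$env:USERPROFILE\Documents\WorkSecret.docx",  # assumed path
    [string]$Out     = "$env:TEMP\docx-unpacked"                       # hypothetical
)

# Expand-Archive is the cmdlet the post notes is unusable under Constrained
# Language Mode, so stop early if we are not in FullLanguage.
$mode = $ExecutionContext.SessionState.LanguageMode
if ($mode -ne 'FullLanguage') {
    throw "Language mode is $mode; this needs FullLanguage."
}

function Test-EfsEncrypted {
    # WIP protects files with EFS, so a protected file carries the Encrypted attribute.
    param([string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

"Source {0}: Encrypted={1}" -f $WorkDoc, (Test-EfsEncrypted $WorkDoc)

# 1. A .docx is an Office Open XML package, i.e. a plain ZIP file, but
#    Expand-Archive in Windows PowerShell 5.1 only accepts the .zip extension.
$zip = Join-Path $env:TEMP ([System.IO.Path]::GetFileNameWithoutExtension($WorkDoc) + '.zip')
Copy-Item -LiteralPath $WorkDoc -Destination $zip -Force

# 2. Unpack the container into a fresh directory.
if (Test-Path -LiteralPath $Out) { Remove-Item -LiteralPath $Out -Recurse -Force }
Expand-Archive -LiteralPath $zip -DestinationPath $Out

# 3. Look around. Body text lives in word/document.xml, embedded pictures in word/media.
#    The Encrypted column shows whether each extracted part is still EFS-protected.
Get-ChildItem -LiteralPath $Out -Recurse -File | ForEach-Object {
    [pscustomobject]@{
        Part      = $_.FullName.Substring($Out.Length).TrimStart('\')
        Bytes     = $_.Length
        Encrypted = Test-EfsEncrypted $_.FullName
    }
} | Format-Table -AutoSize

# 4. Read the document body straight out of the XML (every w:t run), no Word needed.
[xml]$doc = Get-Content -LiteralPath (Join-Path $Out 'word\document.xml') -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('w', 'http://schemas.openxmlformats.org/wordprocessingml/2006/main')
$body = ($doc.SelectNodes('//w:t', $ns) | ForEach-Object { $_.InnerText }) -join ''
$body
```

If PowerShell is not an allowed app in the WIP policy, the read of the work file in step 1 is what gets blocked and the script goes no further; the post's setup evidently let it through. The Encrypted column is the check that matters: an extracted part that reports False has left WIP's control.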
Now let’s see how safe this is from Evil Hackers. Same setup as before, but this time I’m a click-happy user who clicks on every link because I believe good security should insulate me from easily making bad decisions. I have AppLocker running with whitelisted directories, full UAC, and Constrained Language Mode. So let’s start with Empire and the .hta stager.
It would appear that despite explicitly denying execution out of Downloads, .hta doesn’t let that stop its magic. At least we still have defense in depth, and don’t need to worry about this exposure.
Let’s pretend that I was able to deliver a malicious payload that bypassed everything and executed on the box. What happens now?
Now we’ll just assume I abused an unquoted service path or something.
WIP is still a great step toward classifying and containing data, even though I got around it quickly. Everything I was doing here was so noisy that any endpoint behavior monitoring would have picked me up through abnormal behavior. WIP logging is robust enough to identify me trying to dump data through the GUI, and AppLocker logging saw me execute all the binaries noted above (except the .hta). I bet if you use the Linux Bash Shell on Win10 it would bypass all that logging…
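The logging the post leans on, as an added example that is not from the original post: a PowerShell snippet that flags script blocks matching the steps of the unpack above, pulls Script Block Logging events (Event ID 4104 in Microsoft-Windows-PowerShell/Operational, which has to be enabled by policy), and pulls AppLocker enforced-block events (8004 in the "EXE and DLL" log). The matching function is first fed a few constructed script-block strings so the logic can be exercised without touching the event logs; the live queries at the bottom are left commented out.

```powershell
# Added example, not code from the original post.
# Flags script blocks that look like the docx-to-zip unpack described above.
function Find-DocxUnpackIndicators {
    param([string[]]$ScriptBlockText)
    # Each pattern is one step of the bypass; several hits in one block are the strong signal.
    $patterns = [ordered]@{
        ExpandArchive = 'Expand-Archive'
        DotNetZip     = 'System\.IO\.Compression'
        RenameDocx    = '\.docx.{0,200}\.zip'          # copy/rename between the extensions
        DocumentXml   = 'word[\\/]document\.xml'
        LanguageMode  = 'SessionState\.LanguageMode'   # probing for Constrained Language Mode
    }
    foreach ($text in $ScriptBlockText) {
        $hits = @($patterns.Keys | Where-Object { $text -match $patterns[$_] })
        if ($hits.Count -gt 0) {
            $flat = ($text -replace '\s+', ' ').Trim()
            [pscustomobject]@{
                Score   = $hits.Count
                Matched = $hits -join ','
                Snippet = $flat.Substring(0, [Math]::Min(70, $flat.Length))
            }
        }
    }
}

# Constructed sample script blocks standing in for 4104 events (not real log data).
$sample = @(
    'Copy-Item .\WorkSecret.docx .\WorkSecret.zip; Expand-Archive .\WorkSecret.zip -DestinationPath .\out',
    'Get-Content .\out\word\document.xml -Raw',
    'Get-ChildItem C:\Users\me\Documents',
    '$ExecutionContext.SessionState.LanguageMode'
)
# Blocks 1, 2 and 4 are flagged (block 1 on two patterns); block 3 is ordinary and is not.
Find-DocxUnpackIndicators -ScriptBlockText $sample | Format-Table -AutoSize

# Live query: script blocks from the last N hours. Property index 2 of a 4104
# event is ScriptBlockText. Requires Script Block Logging to be turned on.
function Get-RecentScriptBlocks {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object { $_.Properties[2].Value }
}

# AppLocker: 8004 in "EXE and DLL" is an enforced block ("<path> was prevented from running.").
# This fits the post's .hta observation: the executable AppLocker evaluates is mshta.exe in
# System32, allowed by the default rules, and AppLocker's script rules do not cover .hta files,
# so an .hta launched from Downloads produces no 8004 at all.
function Get-AppLockerBlocks {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Blocked'; e = { ($_.Message -split ' was ')[0] } }
}

# Uncomment on a host with logging enabled:
# Find-DocxUnpackIndicators -ScriptBlockText (Get-RecentScriptBlocks) | Format-Table -AutoSize
# Get-AppLockerBlocks | Format-Table -AutoSize
```

Script block logging records the text even when the block fails under Constrained Language Mode, so the language-mode probe and the failed Expand-Archive both leave a trail; the absence of an 8004 for the .hta is exactly the gap the post describes.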