Attackers know how to manage and monitor our systems better than we do. They study the best way to get access to our networks. Attackers have found another way to deploy malware on our networks: a process called side-loading. Side-loading is the installation of an application on a device from a source other than a trusted one such as the Microsoft Store. Attackers exploit the process by convincing users that they are installing a trusted app when it is actually carrying a malicious payload.
Sophos recently wrote on its blog about an attack that tried to outwit the Sophos team with a targeted email and then used side-loading to install a custom app hosted on the Microsoft Store (since removed). The application would have installed malware and ransomware on the network. We’ve also seen attackers using third-party Office 365 applications to gain access to the network and steal key information. So, what options do you have to block side-loading attacks and protect yourself from them?
Teach users to identify risks
First, educating end users is a key way to keep your network secure. A properly paranoid end user will stop, think, not click on anything, and forward the offending email to your help desk for review. I also recommend that you run phishing simulations to see whether your users can recognize phishing.
Block side load attacks using Intune
You can block side-loading using Group Policy, registry settings, or Intune settings. In Intune you can set up a Windows 10 device restriction policy with the following steps:
- Create the profile in the Microsoft Endpoint Manager Administration Center.
- Select “Devices”, “Configuration Profiles” and “Create Profile” in order.
- In “Platform”, select “Windows 10 or later”.
- In the “Profile” section, select “Device Restrictions” or select “Templates” and then “Device Restrictions”.
- Select “Create”.
- In “Basics”, enter a name for the policy as well as a description so that you can follow its purpose later.
- Select “Next”.
- Review the settings in “Configuration Settings”.
- Select “Next”.
- Set scope tags to better identify the platform you manage and track where you define your policies.
- Select “Next”.
- Select “Assignments” to choose the users or groups that will receive this policy.
- Select “Next” and then “Review + create”.
- Choose the settings that restrict the Microsoft Store.
- Select “Trusted app installation” and choose “Block” from the options below to prevent the installation of non-Microsoft Store applications on Windows 10 and 11. The options are:
  - Not configured (default): Intune does not change or update this setting.
  - Block: Prevents side-loading. Non-Microsoft Store applications cannot be installed.
  - Allow: Allows side-loading. Non-Microsoft Store applications can be installed.
Block side load attacks using Group Policy
You can also follow these steps in Group Policy to block side load attacks. Select in order:
- “Computer configuration”
- “Administrative Templates”
- “Windows Components”
- “App package deployment”
- Select and disable these two settings:
  - Allow development of Windows Store apps and installing them from an integrated development environment (IDE).
  - Allow all trusted apps to install.
Disabling these policies ensures that malicious side-loaded applications cannot be installed on the platform. It also means that not every legitimate non-Store application can be installed, so you may need to enable and disable the setting as needed.
Block side-loading attacks using a registry key
To block side-loading using a registry key, open HKEY_LOCAL_MACHINE in the registry editor and navigate to Software\Policies\Microsoft\Windows\Appx. Set the AllowAllTrustedApps DWORD value to “0” to block side-loading.
- Registry hive: HKEY_LOCAL_MACHINE
- Registry path: Software\Policies\Microsoft\Windows\Appx
- Value name: AllowAllTrustedApps
- Value type: REG_DWORD
- Enabled value: 1
- Disabled value: 0
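The following script is an added example, not part of the original article. It audits the AllowAllTrustedApps value from the table above and the value behind the “Allow development of Windows Store apps” Group Policy setting from the previous section (AllowDevelopmentWithoutDevLicense, assumed to live under the same policy key), and optionally enforces the blocked state; the -Enforce switch name and the script layout are this example's own.

```powershell
# Added example: audit and optionally enforce the side-loading policy values.
# Run in an elevated PowerShell session; -Enforce is a switch defined by this script.
param([switch]$Enforce)

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'

# AllowAllTrustedApps is the value named in the article (0 = side-loading blocked).
# AllowDevelopmentWithoutDevLicense is assumed to back the "Allow development of
# Windows Store apps ... from an IDE" Group Policy setting; 0 also disables it.
$Desired = @{
    AllowAllTrustedApps               = 0
    AllowDevelopmentWithoutDevLicense = 0
}

function Get-SideloadState {
    # Returns one object per policy value: its current data and whether it matches the desired (blocked) state.
    $key = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    foreach ($name in $Desired.Keys) {
        $current = if ($null -ne $key -and $null -ne $key.$name) { $key.$name } else { 'not set' }
        [pscustomobject]@{
            Name      = $name
            Current   = $current
            Compliant = ($current -eq $Desired[$name])
        }
    }
}

$state = Get-SideloadState
$state | Format-Table -AutoSize

if ($Enforce) {
    # Create the policy key if Group Policy has never written it, then set both values to 0.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        Set-ItemProperty -Path $PolicyPath -Name $name -Value $Desired[$name] -Type DWord
    }
    Write-Host 'Side-loading policy values set to 0 (blocked).'
}
elseif ($state.Compliant -contains $false) {
    # A value that is missing or set to 1 means side-loading is not blocked by policy on this host.
    Write-Warning 'Side-loading is not blocked by policy on this host; rerun with -Enforce to block it.'
}
```

A value that is "not set" means no policy applies and the machine falls back to its Settings app defaults, which is why the script treats it as non-compliant rather than ignoring it.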
Prevent side-load attacks in Office 365
I’ve also seen reports that third-party Office 365 applications have been used to gain more rights on the network or steal information from it. I highly recommend reviewing the policy setting for “Manage user consent to apps in Microsoft 365” and configuring an administrator approval flow so that any user requesting, or accidentally allowing, access to a third-party application goes through an admin approval workflow.
In the Administration Center, select in order:
- “Settings”
- “Org settings”
- “Services” page
- “User consent to apps”
- “Turn user consent on or off”
You may want to delegate the right to approve such requests to specific users. Although the approval can come from a global administrator, that may not be practical on a larger network. Approvals can also be delegated to a cloud application administrator or an application administrator.
To set permission rights, follow these steps:
- Log in to the Azure portal as a global administrator.
- Select “All services” at the top of the left navigation menu.
- In the filter search box, type “Azure Active Directory”.
- Select the Azure Active Directory item.
- From the navigation menu, select “Enterprise applications”.
- Under “Manage”, select “User settings”.
- Under “Admin consent requests”, set “Users can request admin consent to apps they are unable to consent to” to “Yes”.
Select the users who will review admin consent requests for this workflow from a group of users who hold the global administrator, cloud application administrator, or application administrator role. You must set up at least one reviewer before the workflow can be started. These users must already hold at least the application administrator role for the reviewer role to take effect; merely choosing their usernames will not elevate them to that right.
Selected users will receive emails for requests; enable or disable email notifications to reviewers when a request is made. Selected users will also receive reminders about request expiration; enable or disable email reminders to reviewers when requests are about to expire. Finally, set the number of days after which a consent request expires. The users in the admin reviewer role should be trained to respond to these approval requests within a reasonable time frame.
Attackers know that users often install applications. Make sure your network settings protect your network from such installations. Then “patch” your humans and train them to become more aware of these attack techniques.
Copyright © 2021 IDG Communications, Inc.