Security, et al

Randy's Blog on Infosec and Other Stuff

Back Door Bypasses AppLocker and Software Restriction Policies

Tue, 02 Aug 2011 13:40:25 GMT

Just a quick note about what looks like a pretty bad backdoor to Windows 7's AppLocker and the older Software Restriction Policies. I've just learned about it and will be covering it in greater detail in tomorrow's webinar.

It's a backdoor created by Microsoft for when you load a DLL. Just specify the LOAD_IGNORE_CODE_AUTHZ_LEVEL flag and AppLocker ignores the DLL. Furthermore, there's a similar flag, SANDBOX_INERT, on the CreateRestrictedToken API that apparently allows you to start a new process with AppLocker disabled as well.
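The practical consequence for defenders is that a DLL loaded with that flag (or inside a process running under a SANDBOX_INERT token) never reaches AppLocker's evaluation, so the AppLocker event log cannot be trusted to show it. The following added example, which is not part of the original post, cross-checks DLL loads against AppLocker-style path allow rules using image-load telemetry that AppLocker does not control. It assumes Sysmon Event ID 7 ("Image loaded") message text as the source (Sysmon post-dates this post) and uses constructed sample events and literal path prefixes standing in for the default `%WINDIR%\*` and `%PROGRAMFILES%\*` DLL rules; the event format and the prefixes are assumptions of the example, not something the post describes.

```python
"""Added example (not from the original post): cross-check DLL loads against
AppLocker-style path allow rules using image-load telemetry that AppLocker
does not control. A DLL loaded with LOAD_IGNORE_CODE_AUTHZ_LEVEL, or inside a
process running under a SANDBOX_INERT token, is not evaluated by AppLocker/SRP,
so the AppLocker log says nothing about it; an independent image-load source
(assumed here: Sysmon Event ID 7 "Image loaded" message text) still records it.
"""
import re
from typing import Dict, List

# Literal prefixes standing in for AppLocker's default DLL path rules
# (%WINDIR%\* and %PROGRAMFILES%\*). Constructed for this example; a real
# check should expand the variables from the policy XML exported on the host.
ALLOWED_PREFIXES = [
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
]

# Constructed Sysmon-style Event ID 7 message bodies (not real captures).
SAMPLE_EVENTS = """\
Image: C:\\Program Files\\App\\app.exe
ImageLoaded: C:\\Windows\\System32\\kernel32.dll
---
Image: C:\\Program Files\\App\\app.exe
ImageLoaded: C:\\Program Files\\App\\helper.dll
---
Image: C:\\Program Files\\App\\app.exe
ImageLoaded: C:\\Users\\alice\\AppData\\Local\\Temp\\plugin.dll
---
Image: C:\\Windows\\explorer.exe
ImageLoaded: \\\\fileserver\\share\\tools.dll
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse '---'-separated blocks of 'Key: Value' lines into dicts."""
    events = []
    for block in text.split("---"):
        fields = {}
        for line in block.strip().splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def normalize(path: str) -> str:
    """Case-fold and canonicalise separators; NTFS paths are case-insensitive."""
    p = path.strip().strip('"').replace("/", "\\").lower()
    # Keep a leading UNC '\\' but collapse other runs of backslashes.
    unc = p.startswith("\\\\")
    p = re.sub(r"\\+", "\\\\", p)
    return "\\" + p if unc else p


def is_allowed_by_path(dll_path: str) -> bool:
    """True if the DLL sits under one of the allowed path prefixes."""
    p = normalize(dll_path)
    return any(p.startswith(prefix) for prefix in ALLOWED_PREFIXES)


def find_policy_outliers(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return image-load events whose DLL lies outside every allowed path.

    Such a load succeeded although the path rules would not permit it: either
    DLL rules are not enforced on the host, or enforcement was skipped for
    that load (for example via the load flag discussed in the post). Loads
    permitted by hash or publisher rules need a separate check; this only
    mirrors the path rules.
    """
    return [ev for ev in events if not is_allowed_by_path(ev.get("ImageLoaded", ""))]


if __name__ == "__main__":
    for ev in find_policy_outliers(parse_events(SAMPLE_EVENTS)):
        print(f"DLL outside allowed paths: {ev['ImageLoaded']} (loaded by {ev['Image']})")
```

Run against the constructed sample, the two loads from a user temp directory and a UNC share are reported while the two under `C:\Windows` and `C:\Program Files` are not. The point of the design is independence: the check reads a telemetry source that records every image load regardless of how the loader was asked to treat authorization, so it stays useful precisely where AppLocker's own log goes quiet.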

Again, I'll have more on this in tomorrow's webinar.
