Back Door Bypasses AppLocker and Software Restriction Policies
Tue, 02 Aug 2011 13:40:25 GMT
Just a quick note about what looks like a pretty bad backdoor to Windows 7's AppLocker and the older Software Restriction Policies. I've just learned about it and will be covering it in greater detail in tomorrow's webinar.
It's a backdoor Microsoft built into DLL loading: specify the LOAD_IGNORE_CODE_AUTHZ_LEVEL flag when you load a DLL and AppLocker ignores that DLL. Furthermore, there's a similar flag, SANDBOX_INERT, on the CreateRestrictedToken API that apparently lets you start a new process with AppLocker disabled as well.
Again, I'll have more on this in tomorrow's webinar.
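From the defender's side, the SANDBOX_INERT flag is visible on the token itself: GetTokenInformation with the TokenSandBoxInert class returns a nonzero DWORD when the flag is set, so an administrator can sweep running processes for tokens on which AppLocker/SRP checks are switched off. The script below is an added example, not code from the original post; the TokenCheck class name and Test-SandboxInert function are my own, and inspecting processes owned by other users assumes an elevated session.

```powershell
# Added example: report processes whose primary token carries SANDBOX_INERT,
# i.e. processes for which AppLocker / Software Restriction Policy checks are off.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenCheck {
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, out uint info, uint len, out uint ret);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);
    const uint TOKEN_QUERY        = 0x0008;
    const int  TokenSandBoxInert  = 15;   // TOKEN_INFORMATION_CLASS enumerator
    public static bool IsSandboxInert(IntPtr processHandle) {
        IntPtr tok;
        if (!OpenProcessToken(processHandle, TOKEN_QUERY, out tok))
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        try {
            uint inert, ret;
            if (!GetTokenInformation(tok, TokenSandBoxInert, out inert, 4, out ret))
                throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
            return inert != 0;   // nonzero: token was created with SANDBOX_INERT
        } finally { CloseHandle(tok); }
    }
}
"@

function Test-SandboxInert {
    # Returns $true when the given process (default: this PowerShell host) runs
    # with a SANDBOX_INERT token. Hypothetical helper name, defined here only.
    param([int]$Id = $PID)
    $p = Get-Process -Id $Id
    [TokenCheck]::IsSandboxInert($p.Handle)
}

# Sweep every process we can open and list the ones that bypass policy checks.
Get-Process | ForEach-Object {
    try {
        if ([TokenCheck]::IsSandboxInert($_.Handle)) { $_ | Select-Object Id, ProcessName }
    } catch { }   # access denied on protected or other-user processes without elevation
}
```

A non-empty list from the sweep is worth correlating with how each process was launched, since a normally started process should not carry this flag.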