Security, et al

Randy's Blog on Infosec and Other Stuff

Back Door Bypasses AppLocker and Software Restriction Policies

Tue, 02 Aug 2011 13:40:25 GMT

Just a quick note about what looks like a pretty bad backdoor to Windows 7's AppLocker and the older Software Restriction Policies. I've just learned about it and will be covering it in greater detail in tomorrow's webinar.

It's a backdoor created by Microsoft for when you load a DLL. Just pass the LOAD_IGNORE_CODE_AUTHZ_LEVEL flag and AppLocker ignores the DLL. Furthermore, there's a similar flag, SANDBOX_INERT, on the CreateRestrictedToken API that apparently allows you to start a new process with AppLocker disabled as well.

Again, I'll have more on this in tomorrow's webinar.
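As an added defensive check (my own example, not code from this post or from Microsoft): the SANDBOX_INERT bypass leaves a mark on the process token that an administrator can audit. The PowerShell below queries each running process for the TokenSandBoxInert token information class and lists processes whose token carries the flag, i.e. processes for which AppLocker/SRP rules are not being enforced. The class and function names (TokenAudit, IsSandboxInert, Get-SandboxInertProcess) are my own; it assumes Windows PowerShell with rights to open the target processes.

```powershell
# Audit example (added; not from the original post): list processes whose primary
# token was created with SANDBOX_INERT, so AppLocker/SRP checks are skipped for them.
$src = @"
using System;
using System.Runtime.InteropServices;
public static class TokenAudit {
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, out uint info,
                                           uint len, out uint ret);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr h);
    const uint TOKEN_QUERY = 0x0008;
    const int TokenSandBoxInert = 15;   // TOKEN_INFORMATION_CLASS::TokenSandBoxInert
    // true/false = flag state; null = token could not be queried (access denied etc.)
    public static bool? IsSandboxInert(IntPtr process) {
        IntPtr tok;
        if (!OpenProcessToken(process, TOKEN_QUERY, out tok)) return null;
        try {
            uint flag, ret;
            if (!GetTokenInformation(tok, TokenSandBoxInert, out flag, 4, out ret)) return null;
            return flag != 0;   // nonzero DWORD means SANDBOX_INERT is set on the token
        } finally { CloseHandle(tok); }
    }
}
"@
Add-Type -TypeDefinition $src

function Get-SandboxInertProcess {
    foreach ($p in Get-Process) {
        # .Handle throws on protected/system processes we cannot open; skip those
        try { $h = $p.Handle } catch { continue }
        if ([TokenAudit]::IsSandboxInert($h) -eq $true) {
            [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; SandboxInert = $true }
        }
    }
}

Get-SandboxInertProcess | Format-Table -AutoSize
```

This only surfaces the CreateRestrictedToken variant; the LOAD_IGNORE_CODE_AUTHZ_LEVEL flag is passed per DLL load and leaves nothing on the token to query, so it has to be caught elsewhere (for example by monitoring which DLLs actually get loaded versus what the policy would allow).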
