Back Door Bypasses AppLocker and Software Restriction Policies
Tue, 02 Aug 2011 13:40:25 GMT
Just a quick note about what looks like a pretty bad backdoor to Windows 7's AppLocker and the older Software Restriction Policies. I've just learned about it and will be covering it in greater detail in tomorrow's webinar.
It's a backdoor created by Microsoft for when you load a DLL. Just specify the LOAD_IGNORE_CODE_AUTHZ_LEVEL flag and AppLocker ignores the DLL. Furthermore, there's a similar flag, SANDBOX_INERT, on the CreateRestrictedToken API that apparently lets you start a new process with AppLocker disabled as well.
Again, I'll have more on this in tomorrow's webinar.
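Both flags are plain bit values in the Win32 headers, so a monitoring hook that records the dwFlags of LoadLibraryEx and the Flags of CreateRestrictedToken can spot them directly. The following is an added example (not from the post or its webinar) that runs that check over a few constructed API-monitor records; the record format "api flags-hex argument" is an assumption, not any real tool's output.

```c
#include <stdio.h>
#include <string.h>

/* Flag values as defined in the Win32 headers. */
#define LOAD_IGNORE_CODE_AUTHZ_LEVEL 0x00000010u  /* LoadLibraryEx dwFlags */
#define SANDBOX_INERT                0x00000002u  /* CreateRestrictedToken Flags */

/* Constructed sample records: "<api> <flags-hex> <argument>".
   The format is assumed for this example; it is not real tool output. */
static const char *sample_log[] = {
    "LoadLibraryExW 0x00000000 C:\\Tools\\normal.dll",
    "LoadLibraryExW 0x00000018 C:\\Users\\Public\\unknown.dll", /* altered search path | ignore authz */
    "CreateRestrictedToken 0x00000001 pid=4242",                 /* DISABLE_MAX_PRIVILEGE only */
    "CreateRestrictedToken 0x00000003 pid=4243",                 /* ... | SANDBOX_INERT */
};

/* Returns 1 if the record is a call that asks Windows to skip AppLocker / SRP
   checks, 0 otherwise (including malformed records). Flags are tested as bits,
   so combinations with other flags are still caught. */
int bypasses_applocker(const char *record) {
    char api[64];
    unsigned long flags;
    if (sscanf(record, "%63s 0x%lx", api, &flags) != 2)
        return 0;
    if (strcmp(api, "LoadLibraryExW") == 0 || strcmp(api, "LoadLibraryExA") == 0)
        return (flags & LOAD_IGNORE_CODE_AUTHZ_LEVEL) != 0;
    if (strcmp(api, "CreateRestrictedToken") == 0)
        return (flags & SANDBOX_INERT) != 0;
    return 0;
}

/* Scans the records, prints an alert for each hit and returns the hit count. */
int count_bypass_calls(const char **records, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (bypasses_applocker(records[i])) {
            printf("ALERT: AppLocker/SRP bypass flag set: %s\n", records[i]);
            hits++;
        }
    }
    return hits;
}

int main(void) {
    int hits = count_bypass_calls(sample_log, sizeof sample_log / sizeof *sample_log);
    printf("%d suspicious call(s)\n", hits);  /* prints "2 suspicious call(s)" */
    return 0;
}
```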