Back Door Bypasses AppLocker and Software Restriction Policies
Tue, 02 Aug 2011 13:40:25 GMT
Just a quick note about what looks like a pretty bad backdoor to Windows 7's AppLocker and the older Software Restriction Policies. I've just learned about it and will be covering it in greater detail in tomorrow's webinar.
It's a backdoor created by Microsoft for when you load a DLL. Just specify the LOAD_IGNORE_CODE_AUTHZ_LEVEL flag when loading the DLL and AppLocker ignores it. Furthermore, there's a similar flag, SANDBOX_INERT, on the CreateRestrictedToken API that apparently lets you start a new process with AppLocker disabled as well.
Again, I'll have more on this in tomorrow's webinar.