Security, et al

Randy's Blog on Infosec and Other Stuff

«  The Art of Detecting Mali... | Eliminate Windows Firewal... »

Back Door Bypasses AppLocker and Software Restriction Policies

Tue, 02 Aug 2011 13:40:25 GMT

Just a quick note about a what looks like a pretty bad backdoor to Windows 7's AppLocker and the older Software Restriction Policies.  I've just learned about it and will be covering it in greater detail in tomorrow's webinar.

It's a backdoor created by Microsoft for when you load a DLL.  Just specify the LOAD_IGNORE_CODE_AUTHZ_LEVEL and AppLocker ignores the DLL.  Furthermore there's a similar flag, SANDBOX_INERT, on the CreateRestrictedToken api that allows you to apparently start a new process with AppLocker disabled as well.

Again, I'll have more on this in tomorrow's webinar.

email this digg reddit dzone
comments (0)references (0)

Related:
Live with Dell at RSA 2015
5 Indicators of Endpoint Evil
Auditing Privileged Operations and Mailbox Access in Office 365 Exchange Online
Severing the Horizontal Kill Chain: The Role of Micro-Segmentation in Your Virtualization Infrastructure

Comments disabled

powered by Bloget™

Search


Categories
Recent Blogs
Archive


 

Upcoming Webinars
    Additional Resources