A Windows command-line utility, Regsvr32, was discovered to enable an almost undetectable Windows AppLocker whitelist...
bypass. What exactly are the risks with this vulnerability? How can enterprises secure their environments against possible attacks?
Outside of the Windows admins who are familiar with the internals of Windows going back to Windows NT, few know about the complexity and power of the legacy programming and scripting internals in modern Windows OSes. Windows system admins today might be learning PowerShell, but early Windows admins used batch and scripting languages to put together different tools to automate many tasks. These scripting tools from Microsoft admin kits were considerably powerful. One of the most difficult-to-master scripting skills was for COM+, and it was commonly used by software developers.
It's important to note that these tools are now part of the living off the land attack movement, where hackers use malware-free techniques to gain entry into an environment and use the organization's existing tools and utilities against it.
Researcher Casey Smith identified a vulnerability in Windows AppLocker, which is exploitable via the command-line tool Regsvr32 that calls a malicious .SCT file to exploit functionality in COM+ and run malicious commands as the current user. The risk from the Windows AppLocker whitelisting vulnerability is that an attacker could execute code on the endpoint to exploit other vulnerabilities there.
An enterprise can protect against these kinds of attacks on legacy functionality by disabling unnecessary functionality using group policy. Enterprises can also use the security configuration tool set from Microsoft and Active Directory to push group policy to domain-joined endpoints. An enterprise could even remove unneeded executables or remove access to the executables, but this could be complicated and have unintended consequences. Endpoint security tools like whitelisting or host-intrusion detection systems could also have similar functionality. Only allowing outbound connections on the endpoint from approved executables could also potentially block the Windows AppLocker exploit.
Find out how to use Windows AppLocker for application control
Consider these six questions before investing in an endpoint security product
Learn about the new Active Directory features for Windows Server 2016
Dig Deeper on Microsoft Windows security
Related Q&A from Nick Lewis
The CIA Vault 7 cache exposed the Brutal Kangaroo USB malware, which can be spread to computers without an internet connection. Learn how this is ...continue reading
Kaspersky Lab recently accused Windows 10 of acting as an antivirus block to third-party antimalware software. Discover how your software is being ...continue reading
QakBot malware triggered hundreds of thousands of Microsoft Active Directory account lockouts. Discover the malware's target and how these attacks ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.