A Windows command-line utility, Regsvr32, was discovered to enable an almost undetectable Windows AppLocker whitelist...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
bypass. What exactly are the risks with this vulnerability? How can enterprises secure their environments against possible attacks?
Outside of the Windows admins who are familiar with the internals of Windows going back to Windows NT, few know about the complexity and power of the legacy programming and scripting internals in modern Windows OSes. Windows system admins today might be learning PowerShell, but early Windows admins used batch and scripting languages to put together different tools to automate many tasks. These scripting tools from Microsoft admin kits were considerably powerful. One of the most difficult-to-master scripting skills was for COM+, and it was commonly used by software developers.
It's important to note that these tools are now part of the living off the land attack movement, where hackers use malware-free techniques to gain entry into an environment and use the organization's existing tools and utilities against it.
Researcher Casey Smith identified a vulnerability in Windows AppLocker, which is exploitable via the command-line tool Regsvr32 that calls a malicious .SCT file to exploit functionality in COM+ and run malicious commands as the current user. The risk from the Windows AppLocker whitelisting vulnerability is that an attacker could execute code on the endpoint to exploit other vulnerabilities there.
An enterprise can protect against these kinds of attacks on legacy functionality by disabling unnecessary functionality using group policy. Enterprises can also use the security configuration tool set from Microsoft and Active Directory to push group policy to domain-joined endpoints. An enterprise could even remove unneeded executables or remove access to the executables, but this could be complicated and have unintended consequences. Endpoint security tools like whitelisting or host-intrusion detection systems could also have similar functionality. Only allowing outbound connections on the endpoint from approved executables could also potentially block the Windows AppLocker exploit.
Find out how to use Windows AppLocker for application control
Consider these six questions before investing in an endpoint security product
Learn about the new Active Directory features for Windows Server 2016
Dig Deeper on Microsoft Windows security
Related Q&A from Nick Lewis
Cross-platform malware enables attackers to leverage their attacks using infected Microsoft Word docs. Expert Nick Lewis explains how the attacks ...continue reading
How was the ATMitch malware able to loot cash machines, then delete itself? Expert Nick Lewis explains how the fileless malware works and how it ...continue reading
DoubleAgent malware is a proof of concept for a zero-day vulnerability that can turn antivirus tools into attack vectors. Expert Nick Lewis explains ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.