A Windows command-line utility, Regsvr32, was discovered to enable an almost undetectable Windows AppLocker whitelist...
bypass. What exactly are the risks with this vulnerability? How can enterprises secure their environments against possible attacks?
Outside of the Windows admins who are familiar with the internals of Windows going back to Windows NT, few know about the complexity and power of the legacy programming and scripting internals in modern Windows OSes. Windows system admins today might be learning PowerShell, but early Windows admins used batch and scripting languages to put together different tools to automate many tasks. These scripting tools from Microsoft admin kits were considerably powerful. One of the most difficult-to-master scripting skills was for COM+, and it was commonly used by software developers.
It's important to note that these tools are now part of the living off the land attack movement, where hackers use malware-free techniques to gain entry into an environment and use the organization's existing tools and utilities against it.
Researcher Casey Smith identified a vulnerability in Windows AppLocker, which is exploitable via the command-line tool Regsvr32 that calls a malicious .SCT file to exploit functionality in COM+ and run malicious commands as the current user. The risk from the Windows AppLocker whitelisting vulnerability is that an attacker could execute code on the endpoint to exploit other vulnerabilities there.
An enterprise can protect against these kinds of attacks on legacy functionality by disabling unnecessary functionality using group policy. Enterprises can also use the security configuration tool set from Microsoft and Active Directory to push group policy to domain-joined endpoints. An enterprise could even remove unneeded executables or remove access to the executables, but this could be complicated and have unintended consequences. Endpoint security tools like whitelisting or host-intrusion detection systems could also have similar functionality. Only allowing outbound connections on the endpoint from approved executables could also potentially block the Windows AppLocker exploit.
Find out how to use Windows AppLocker for application control
Consider these six questions before investing in an endpoint security product
Learn about the new Active Directory features for Windows Server 2016
Dig Deeper on Microsoft Windows security
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Island hopping attacks create enterprise risk by threatening their business affiliates. Here's how to create an incident response plan to mitigate ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading