A Windows command-line utility, Regsvr32, was discovered to enable an almost undetectable Windows AppLocker whitelist bypass. What exactly are the risks with this vulnerability? How can enterprises secure their environments against possible attacks?
Outside of the Windows admins who are familiar with the internals of Windows going back to Windows NT, few know about the complexity and power of the legacy programming and scripting internals that still ship in modern Windows OSes. Windows system admins today might be learning PowerShell, but early Windows admins used batch files and scripting languages to string together different tools and automate many tasks. The scripting tools in Microsoft's admin kits were considerably powerful. One of the hardest of these to master was scripting against COM+, which was more commonly used by software developers than by admins.
It's important to note that these tools are now part of the living off the land attack movement, where hackers use malware-free techniques to gain entry into an environment and use the organization's existing tools and utilities against it.
Researcher Casey Smith identified a vulnerability in Windows AppLocker that is exploited through the command-line tool Regsvr32: the tool is pointed at a malicious .SCT scriptlet file, which abuses COM+ functionality to run arbitrary commands as the current user, even though AppLocker is enforcing a whitelist. The risk from the Windows AppLocker whitelisting vulnerability is that an attacker could execute code on the endpoint and use that foothold to exploit other vulnerabilities there.
An enterprise can protect against these kinds of attacks on legacy functionality by disabling unnecessary functionality through group policy. Enterprises can also use the security configuration tool set from Microsoft together with Active Directory to push group policy to domain-joined endpoints. An enterprise could even remove unneeded executables or remove access to them, but this can be complicated and have unintended consequences, since legitimate installers and system components may depend on the same binaries. Endpoint security tools such as application whitelisting or host-based intrusion detection systems may offer similar controls. Only allowing outbound connections on the endpoint from approved executables could also block the Windows AppLocker exploit, because the scriptlet is typically fetched from a remote URL.
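The following PowerShell is an added example, not code from the original answer or from Microsoft, that applies two of the host-level controls described above on a single endpoint: an outbound firewall block for regsvr32.exe and an AppLocker deny rule for the same binary. It assumes Windows 10 or Windows Server 2016 or later, an elevated session, default install paths, and that the Application Identity service is running (AppLocker does not enforce without it); the rule names, the temporary file path and the AuditOnly starting mode are choices made for the example. In a domain, the same rules would be delivered through Group Policy rather than applied per host.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): host-level mitigations for the
# regsvr32 scriptlet bypass. Assumes default paths and an elevated session.

$regsvr32Paths = @(
    "$env:SystemRoot\System32\regsvr32.exe",
    "$env:SystemRoot\SysWOW64\regsvr32.exe"   # 32-bit copy present on 64-bit Windows
)

# 1. Deny outbound network access to regsvr32.exe. The bypass retrieves the .SCT
#    scriptlet from a URL, so cutting the binary off from the network breaks the
#    remote variant while leaving local COM registration by installers intact.
foreach ($path in $regsvr32Paths) {
    if (Test-Path $path) {
        New-NetFirewallRule -DisplayName "Block outbound: $path" `
            -Direction Outbound -Program $path -Action Block -Profile Any | Out-Null
    }
}

# 2. AppLocker deny rules for regsvr32.exe. The default AppLocker rules allow
#    everything under the Windows folder, which is why a signed Microsoft binary
#    passes the whitelist; an explicit Deny takes precedence over any Allow.
#    S-1-1-0 is Everyone; scope the rule to a standard-user group instead if
#    software deployment runs under a dedicated account that needs regsvr32.
$denyPolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny regsvr32.exe (System32)"
                  Description="Added example rule" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\regsvr32.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny regsvr32.exe (SysWOW64)"
                  Description="Added example rule" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\SysWOW64\regsvr32.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'deny-regsvr32.xml'   # temporary path chosen for the example
Set-Content -Path $policyFile -Value $denyPolicyXml -Encoding UTF8

# Merge into the existing local policy rather than replacing it. Start in AuditOnly:
# event ID 8003 in the Microsoft-Windows-AppLocker/EXE and DLL log then records what
# would have been blocked, and EnforcementMode can be switched to "Enabled" once
# nothing legitimate shows up. Caveat: if the Exe collection contains no Allow rules
# at all, enabling enforcement blocks every executable, so create the default rules
# (or your own allow list) before flipping the mode.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# Dry run: confirm the policy file denies the binary for a standard user.
Get-ChildItem $regsvr32Paths[0] | Test-AppLockerPolicy -XmlPolicy $policyFile -User 'Everyone'
```

The firewall rule alone defeats only the remote-scriptlet form of the bypass; a scriptlet already on disk still runs, which is why the AppLocker deny rule is paired with it. Both controls are worth watching in audit mode for a few days, because installers and some management agents register COM components with regsvr32 and will fail silently once it is denied.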
Answered by Nick Lewis