Showing posts from September, 2018

AppLocker - hash *bad*listing

Application whitelisting is one of those items on an organization's security roadmap that either never happens or is adapted to fit the current environment rather than implemented to its full extent. Although far from perfect, with a large number of bypasses for its whitelisting capabilities (described in the Github repository here), AppLocker is still a great, free* tool that introduces resilience into the environment. Many of the bypasses rely on abusing Microsoft-signed executables, which are whitelisted by default and are capable of launching other executables. In the previously linked Github repository, the author has made an effort to provide AppLocker rules that prevent the bypasses; however, many of these are likely to break things in a fully functional real-world environment with "legacy" systems. One of the most common (unfortunately) implementations is a blacklisting approach. In this implementation, everything is allowed to execute by defa
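As an added example (not code from the original post), the following PowerShell builds AppLocker hash-based Deny rules for a handful of Microsoft-signed binaries of the kind the bypasses above abuse, and tests the resulting policy before it is applied. The list of binaries and the output path are this example's own assumptions; New-AppLockerPolicy only generates Allow rules, so the generated rules are flipped to Deny in the XML before use.

```powershell
# Added example, not from the original post. Builds AppLocker file-hash Deny rules
# for Microsoft-signed executables that can launch other code.
# Assumptions: the target list and output path below are illustrative choices;
# run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.
Import-Module AppLocker

# Assumed badlist for illustration; adapt it to what your own telemetry shows.
$Targets = @(
    "$env:SystemRoot\System32\regsvr32.exe",
    "$env:SystemRoot\System32\mshta.exe",
    "$env:SystemRoot\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
) | Where-Object { Test-Path $_ }

# Collect publisher/path/hash information; hash rules use the SHA256 file hash.
$FileInfo = Get-AppLockerFileInformation -Path $Targets

# Generate hash rules as XML. These come out as Action="Allow" rules...
[xml]$Policy = New-AppLockerPolicy -FileInformation $FileInfo -RuleType Hash `
    -RuleNamePrefix "Badlist" -User Everyone -Xml

# ...so flip every generated FileHashRule to Deny. In AppLocker a Deny rule
# overrides any Allow rule, so this works in a default-allow (blacklisting)
# setup as well as inside a real whitelist.
foreach ($Rule in $Policy.SelectNodes("//FileHashRule")) {
    $Rule.SetAttribute("Action", "Deny")
}

$PolicyPath = Join-Path $env:TEMP "applocker-badlist.xml"
$Policy.Save($PolicyPath)

# Dry run: show the decision AppLocker would make for each target under this
# policy (expected: Denied, matched by the Badlist hash rule).
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Targets -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply by merging into the effective local policy (uncomment when satisfied).
# Enforcement also requires the Application Identity service (AppIDSvc) running
# and the Exe rule collection set to Enforce.
# Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
```

Two caveats a practitioner should keep in mind: a hash rule matches exactly one build of a binary, so every Windows update that touches a listed file silently voids its rule until the hashes are regenerated, and a copy of an older or newer build of the same tool is not covered at all. That fragility is part of why a deny-by-hash list is a stopgap rather than a substitute for a real whitelist.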