Showing posts from August, 2020

Note #5

Of course, the knowledge of computer viruses is like the "Force" in Star Wars. Depending on the user of the "Force", the knowledge can turn to good or evil. I cannot force you to stay away from the "Dark Side", but I urge you to do so. -- The Art of Computer Virus Research and Defense - Péter Szőr

AppLocker Policy Enumeration in C

Abstract

Application whitelisting and blacklisting is an interesting topic because, depending on how it has been configured, it can drastically increase the difficulty for an attacker to gain initial code execution. With Windows XP and Windows Server 2013, Microsoft released Software Restriction Policy (SRP), which was a great idea but a massive pain to configure, with little to no flexibility. This is where AppLocker comes into play; it is the successor of SRP. AppLocker has been introduced in Windows 10, originally only for Enterprise and Education versions. AppLocker offers a lot of flexibility because the allow/deny rules are bound to a SID and can therefore be applied to any security principal (i.e. users, groups). AppLocker also has multiple rule types, which are as follows: Executable rules, for executable files (e.g. C:\Windows\System32\cmd.exe ); Windows Installer rules, for installation files (e.g. C:\Users\Public\myinstaller.msi ); Script rules, for Windows Script H