Another way to bypass Windows AppLocker | Cyberops

By Prempal Singh, May 8, 2017

Several years ago, Microsoft announced a new tool, AppLocker, which, as its developers conceived it, was designed to improve security when working in Windows. Not long ago, researcher Casey Smith discovered a weakness in its functionality that allows it to be worked around. Smith found a way in which any application can be run on the system, bypassing AppLocker and without administrator rights.

What is AppLocker

AppLocker from Microsoft works on the basis of black and white lists of applications that can be run on the system. It began shipping as a component of the operating systems Windows 7 and Windows Server 2008 R2. With it, system administrators were able to create rules for running executable files (.exe, .com) as well as files with the extensions .msi, .msp, .bat, .scr, .js, .dll and others.

How does AppLocker differ from SRP (Software Restriction Policies)? By and large, not by much; according to some experts in the field of security, the difference is mainly at the marketing level. More information about how AppLocker works in broad terms can be found at sysadmins.lv.

Smith found that by calling Regsvr32, any file can be run in a way that bypasses AppLocker policies. Administrator rights, which, as you know, ordinary users are always denied, are not even required for this.

The author has placed scripts for circumventing AppLocker through Regsvr32 on GitHub; you can read them here.

According to Engadget, Microsoft has not provided any official comment on the matter, so it is unknown whether a patch will fix this vulnerability or not.

On the other hand, the AppLocker bypass problem can be solved in a very simple way: block Regsvr32 in the system firewall, thus eliminating its ability to reference external content on the web. Another solution that has been named is enabling the rules for DLLs, which are disabled by default because of their performance cost.
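
The firewall mitigation described above, as an added example that is not from the original article or from Microsoft: a PowerShell script, run from an elevated prompt, that creates outbound block rules for both the 64-bit and 32-bit copies of regsvr32.exe and then lists them for verification. It assumes the NetSecurity cmdlets (Windows 8 / Windows Server 2012 and later); the rule display names are made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: outbound block rules for both copies of regsvr32.exe.
# The rule display names below are constructed for this example.

$targets = @(
    @{ Name = 'Block regsvr32 outbound (System32)'
       Path = Join-Path $env:SystemRoot 'System32\regsvr32.exe' },
    @{ Name = 'Block regsvr32 outbound (SysWOW64)'
       Path = Join-Path $env:SystemRoot 'SysWOW64\regsvr32.exe' }
)

foreach ($t in $targets) {
    # The SysWOW64 copy only exists on 64-bit Windows.
    if (-not (Test-Path -LiteralPath $t.Path)) {
        Write-Host "Skipping $($t.Path): not present on this system"
        continue
    }
    # Idempotent: do not create a duplicate if the rule already exists.
    if (Get-NetFirewallRule -DisplayName $t.Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule already present: $($t.Name)"
        continue
    }
    New-NetFirewallRule -DisplayName $t.Name `
        -Direction Outbound -Action Block `
        -Program $t.Path -Profile Any -Enabled True | Out-Null
    Write-Host "Created: $($t.Name)"
}

# Verify: show each rule together with the program it is bound to.
Get-NetFirewallRule -DisplayName 'Block regsvr32 outbound*' |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Enabled = $_.Enabled
            Action  = $_.Action
            Program = $app.Program
        }
    }
```

These rules only cut off Regsvr32's own network access; the DLL rule collection mentioned above is configured separately in the AppLocker policy.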
