Applocker - 'May provide protection without being able to provide a robust defence'
Applocker - don’t rely on it, and it may as well be DEP, or UAC.
From https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria:
> Defense-in-depth security features
> In some cases, a security feature may provide protection against a threat without being able to provide a robust defense. These security features are typically referred to as defense-in-depth features or mitigations because they provide additional security but may have by design limitations that prevent them from fully mitigating a threat. […] Any vulnerability or bypass that affects these security features will not be serviced by default, but it may be addressed in a future version or release.
The language throws a bit of shade on defence in depth (and mitigations): “because they provide additional security but may have design limitations that prevent them from fully mitigating a threat”. Compare this to the definition provided for a security feature:
> […] the goal of a security feature is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
AppLocker has many known and published bypasses, and has also led to the lolbins phenomenon.
It should also be noted that AppLocker wasn’t designed for a security purpose; it was mostly intended to stop people from running unlicensed software or to help with software inventory in the environment: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.
Moving forward, Windows Defender System Guard (WDSG) / Windows Defender Application Control (WDAC) are Security Features - but curiously bear the caveat that “Bypasses leveraging applications which are permitted by the policy are not in scope”, which is likely a way out of paying bounties on lolbins. More curiously, it looks like Microsoft is writing advice on what lolbins to block (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules), which might turn into actual mitigations at some point?
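Since “permitted by the policy” is the line Microsoft draws, the practical question for a defender is whether the policy on a given host actually denies the binaries on that recommended block list, and whether the relevant rule collection is even enforcing. The following is an added example, not code from the original post or from Microsoft: it reads the effective AppLocker policy with the built-in AppLocker cmdlets and asks the policy engine for a decision on a handful of binaries. The binary names are an illustrative subset I chose; the authoritative list is the Microsoft page linked above. Run it in an elevated PowerShell on the host under review.

```powershell
# Added example (not part of the original post): check whether the effective AppLocker
# policy on this host would actually block a few binaries from Microsoft's recommended
# block rules. Illustrative subset only; take the real list from the Microsoft page.
$candidates = @('mshta.exe', 'wmic.exe', 'msbuild.exe', 'cdb.exe', 'windbg.exe')

# Effective policy = local policy merged with any domain-applied GPO policy.
$policy = Get-AppLockerPolicy -Effective

# Caveat 1: a rule collection in AuditOnly mode (or NotConfigured) blocks nothing,
# however many deny rules it contains.
[xml]$policyXml = Get-AppLockerPolicy -Effective -Xml
foreach ($collection in $policyXml.AppLockerPolicy.RuleCollection) {
    "{0,-8} EnforcementMode={1}" -f $collection.Type, $collection.EnforcementMode
}

# Caveat 2: for each binary actually present on disk, ask the policy engine what the
# Everyone group gets. Anything other than Denied is "permitted by the policy" in the
# sense the servicing criteria use, and therefore out of Microsoft's scope.
foreach ($name in $candidates) {
    $cmd = Get-Command -Name $name -CommandType Application -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $cmd) {
        "{0,-12} not present on this host (or not on PATH)" -f $name
        continue
    }
    $decision = Test-AppLockerPolicy -PolicyObject $policy -Path $cmd.Source -User Everyone
    "{0,-12} {1,-18} matching rule: {2}" -f $name, $decision.PolicyDecision, $decision.MatchingRule.Name
}
```

Two things to read from the output: an Exe collection that reports AuditOnly means the deny rules are decorative, and a binary that comes back as Allowed with a matching rule such as a broad %WINDIR% path rule is exactly the lolbin case the servicing criteria exclude, so the fix has to be a rule in your own policy rather than a bug report.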
In fairness to DEP, at least Microsoft will pay out a bounty for a DEP bypass - unlike AppLocker (which, again, was designed to stop people from playing Halo on their work machine) :)