Break things, write reports

Shitty sysadmins - Applocker

Applocker - 'May provide protection without being able to provide a robust defence'

Tags: windows, active-directory, applocker | Category: windows
Posted at — Jul 25, 2019

tl;dr

Applocker - don’t rely on it, and it may as well be DEP, or UAC.

What

From https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria:

Defense-in-depth security features

In some cases, a security feature may provide protection against a threat without being able to provide a robust defense. These security features are typically referred to as defense-in-depth features or mitigations because they provide additional security but may have by design limitations that prevent them from fully mitigating a threat. […] Any vulnerability or bypass that affects these security features will not be serviced by default, but it may be addressed in a future version or release.

The language throws a bit of shade on Defence in Depth (and mitigations) - “because they provide additional security but may have design limitations that prevent them from fully mitigating a threat”. Compare this to the definition provided for a Security feature:

[…] the goal of a security feature is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.

Applocker has many known/published bypasses, and has also led to the lolbins phenomenon.

It should also be noted that AppLocker wasn’t designed for a security purpose, and was mostly intended to stop people from running unlicensed software or help do inventory in the environment. https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.
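Given that, the first thing worth knowing about an AppLocker deployment is what it is actually doing on a host. The following PowerShell is an added example (not from the original post): it dumps the effective policy to show whether each rule collection is enforcing or only auditing, then pulls the most recent AppLocker block / audit-only events. It assumes the built-in AppLocker module and the standard AppLocker event channels, and is run from an elevated prompt.

```powershell
# Added example: summarise what AppLocker is doing on this host.
# Assumes the built-in AppLocker module and event channels; run elevated.

# Get-AppLockerPolicy -Effective returns the merged local + domain policy as XML.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml

# Each RuleCollection has a Type (Exe, Dll, Script, Msi, Appx) and an
# EnforcementMode of NotConfigured, AuditOnly or Enabled. Anything other than
# Enabled means the collection is not blocking anything.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $ruleCount = @($collection.ChildNodes).Count
    "{0,-8} mode={1,-14} rules={2}" -f $collection.Type, $collection.EnforcementMode, $ruleCount
}

# AppLocker writes to its own channels. 8004 = EXE/DLL blocked, 8003 = EXE/DLL
# would have been blocked but the collection is audit-only; 8007/8006 are the
# same for MSI and Script.
$filter = @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL',
              'Microsoft-Windows-AppLocker/MSI and Script'
    Id      = 8003, 8004, 8006, 8007
}

# -ErrorAction SilentlyContinue: Get-WinEvent errors when no events match.
Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Outcome = if ($_.Id -in 8004, 8007) { 'Blocked' } else { 'AuditOnly' }
            Message = ($_.Message -split "`n")[0]   # first line names the file
        }
    } | Format-Table -AutoSize
```

A host that shows `mode=AuditOnly` (or `NotConfigured`) for the Exe, Dll and Script collections has no AppLocker enforcement at all, regardless of how many rules are present; and a stream of 8003/8006 events with no 8004/8007 is the same thing seen from the log side.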

Moving forward, Windows Defender System Guard (WDSG) / Windows Defender Application Control (WDAC) are Security Features - but curiously bear the caveat “Bypasses leveraging applications which are permitted by the policy are not in scope”, which is likely a way out of paying bounties on lolbins. More curiously, it looks like Microsoft is writing advice on what lolbins to block (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules), which might turn into actual mitigations at some point?

In fairness to DEP, at least Microsoft will pay out a bounty for a DEP bypass - unlike Applocker (which again, was designed to stop people from playing Halo on their work machine) :)