
App-o-Lockalypse now!


Slides from session at Derbycon 8.0.
Description:
Want to get a good overview of AppLocker and the different AppLocker bypasses and at the same time learn how defenders can harden their environments to prevent them? Then this is a talk you don't want to miss. This talk will cover a vast amount of bypass techniques and how to harden AppLocker to make it even harder to bypass. Giving you help to either start or avoid an App-o-Lockalypse.

  1. Can also use Mklink /H
  2. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc783530(v=ws.10)
  3. https://gist.github.com/api0cradle/563226464376d40e191ce53abcf9c4d0
  4. Slide script (paths restored; the extraction had stripped the backslashes):

     # Save the current per-user TEMP/TMP values so they can be restored afterwards
     $CurrTemp = $env:temp
     $CurrTmp = $env:tmp
     # C:\Windows\Temp is user-writable and sits under the default AppLocker allow path for %WINDIR%
     $TEMPBypassPath = "C:\windows\temp"
     $TMPBypassPath = "C:\windows\temp"
     Set-ItemProperty -Path 'hkcu:\Environment' -Name Tmp -Value "$TEMPBypassPath"
     Set-ItemProperty -Path 'hkcu:\Environment' -Name Temp -Value "$TMPBypassPath"
     # Spawn a fresh PowerShell via WMI so the new process picks up the changed environment
     Invoke-WmiMethod -Class win32_process -Name create -ArgumentList "powershell"
     sleep 5
     # Set it back
     Set-ItemProperty -Path 'hkcu:\Environment' -Name Tmp -Value $CurrTmp
     Set-ItemProperty -Path 'hkcu:\Environment' -Name Temp -Value $CurrTemp

Editor's Notes

  • https://pixabay.com/no/apokalyptiske-krigen-fare-374208/
  • * Modern management
  • https://github.com/kasif-dekel/Microsoft-Applocker-Bypass
  • Challenge is not allowing stuff, but stopping unwanted stuff like signed ms files etc…
    Aaron Margosis
  • 3 types of rules.
  • Importance of this service
  • Explain them
  • Explain them
  • Explain them
  • Explain them
  • Explain them
  • Source: https://pixabay.com/no/apocalypse-krigen-katastrofe-2459465/
  • https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc783530(v=ws.10)
  • SHOW:
    C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter – Take ownership – change acls….

    C:\Windows\System32\com\dmp – fsutil hardlink

    Alternate data streams
  • Gunnar Haslinger
  • Awesome writeup! Does not work if you have DLL enforcement on!
  • https://pixabay.com/en/apocalypse-city-end-of-the-world-2921093/
  • Only add needed signers
    Use sccm to deploy software – Check managed installer...
  • AaronLocker is vulnerable to ADS – But will be fixed in next release. 
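
The slide script above and the SHOW notes (Tasks\Microsoft\Windows\SyncCenter, com\dmp, C:\Windows\Temp) all rely on the same weakness: directories under the default AppLocker allow paths (%WINDIR%, %PROGRAMFILES%) that a standard user can write to. The following PowerShell is an added example for defenders, not code from the talk or from AaronLocker; it enumerates such directories by reading ACLs, so it can be run as a standard user without writing anything. The function name Find-UserWritableDirs, the $Roots list and the decision to check only Allow/Deny ACEs for the current token's SIDs are this example's own assumptions.

```powershell
# Added example (not from the slides): report directories under the default
# AppLocker allow roots where the current (non-admin) user has write rights.
# Assumes Windows PowerShell 5.1 or later and no special privileges.

$Roots = @($env:SystemRoot, $env:ProgramFiles)   # default "Allow" path-rule roots

# SIDs carried by the current token: the user plus every group (Everyone,
# Authenticated Users, BUILTIN\Users, ...), which is what an ACE is matched against.
$Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$UserSids = @($Identity.User.Value) + @($Identity.Groups | ForEach-Object { $_.Value })

function Find-UserWritableDirs {
    param([string[]]$Paths, [string[]]$Sids)

    # Access-mask bits that let a principal drop or alter files in a directory:
    # 0x2 = WriteData/CreateFiles, 0x4 = AppendData/CreateDirectories,
    # 0x10000000 = GENERIC_ALL, 0x40000000 = GENERIC_WRITE (unmapped generic rights
    # show up as large integers in Get-Acl output, so compare on the raw mask).
    $WriteBits = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000

    foreach ($root in $Paths) {
        Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { return }

            $allowWrite = $false
            $denyWrite  = $false
            foreach ($rule in $acl.Access) {
                # Resolve the ACE principal to a SID and skip ACEs that do not apply to us
                try {
                    $sid = $rule.IdentityReference.Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                } catch { continue }
                if ($Sids -notcontains $sid) { continue }

                if (([int]$rule.FileSystemRights -band $WriteBits) -eq 0) { continue }
                if ($rule.AccessControlType -eq 'Allow') { $allowWrite = $true }
                else                                     { $denyWrite  = $true }
            }

            # Deny ACEs win, so only report when write is allowed and not denied
            if ($allowWrite -and -not $denyWrite) {
                [pscustomobject]@{ Path = $dir.FullName; Owner = $acl.Owner }
            }
        }
    }
}

# Usage: every line printed is a directory the default path rules would trust.
$hits = Find-UserWritableDirs -Paths $Roots -Sids $UserSids
$hits | Format-Table -AutoSize
```

Each directory the function returns is a candidate for an explicit AppLocker Deny path rule (or a tightened ACL), which is the hardening approach the talk points to via Aaron Margosis's work; AaronLocker automates this same class of scan. The ACL check deliberately ignores hardlinks (fsutil hardlink, Mklink /H) and alternate data streams, which the editor's notes list separately: those abuse already-trusted files rather than directory write permissions, so they need DLL/ADS-aware rules rather than a directory scan. A full recursive walk of %WINDIR% takes a few minutes; narrow $Roots for a quick spot check.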