
A few years ago, Microsoft announced a new tool, AppLocker, which, according to its developers, was designed to improve security when working in Windows. Not long ago, researcher Casey Smith discovered a vulnerability in this functionality that allows it to be bypassed. Smith found a way to run any application on the system, bypassing AppLocker and without administrator rights.
What is AppLocker
Microsoft's AppLocker works on the basis of blacklists and whitelists of applications that can be run on the system. It began shipping as a component of the Win 7 and WinServer 2008 R2 operating systems. With it, system administrators were able to create rules for running executable files .exe and .com, as well as files with the extensions .msi, .msp, .bat, .scr, .js, .dll and others.
What is the difference between AppLocker and Software Restriction Policies (SRP)? By and large, not much; according to some security experts, it is mainly the level of marketing. More detailed information on how AppLocker works in general can be read on sysadmins.lv.
The essence
Smith discovered that through a call to Regsvr32 you can run any file, bypassing AppLocker policies, and this does not even require administrator rights, which, as you know, ordinary users are always denied.
The scripts for bypassing AppLocker through Regsvr32 are posted by the author on GitHub; see them here.
According to engadget, Microsoft has not yet provided any official comment on this issue, so it is not known whether this vulnerability will be patched or not.
On the other hand, the AppLocker bypass problem can be solved in a very simple way: block Regsvr32 in the system's firewall, thus cutting off its external network access. Another solution is to enable the rules for DLLs, which are disabled by default because of the performance cost.
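The two mitigations above, sketched in PowerShell as an added example that is not from the original post or from Smith's scripts. The firewall rule names are constructed for illustration, and the script assumes an elevated session on a system where the NetSecurity and AppLocker cmdlets are available.

```powershell
#Requires -RunAsAdministrator
# Added example: applies the firewall mitigation and reports the DLL rule state.
# The rule display names below are constructed for this example.

# regsvr32.exe exists in both the 64-bit and the 32-bit system directory,
# so a rule for only one of them leaves the other copy unrestricted.
$targets = @(
    "$env:SystemRoot\System32\regsvr32.exe",
    "$env:SystemRoot\SysWOW64\regsvr32.exe"
) | Where-Object { Test-Path $_ }

foreach ($path in $targets) {
    $dir  = Split-Path (Split-Path $path) -Leaf
    $name = "Block outbound regsvr32 ($dir)"
    # Idempotent: create the rule only if it is not already present.
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound `
            -Program $path -Action Block -Profile Any | Out-Null
    }
}

# Read the effective AppLocker policy as XML and find the DLL rule collection.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$dll = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Dll' }

# The DLL collection only restricts anything when its mode is 'Enabled';
# 'NotConfigured' and 'AuditOnly' do not block loading.
if (-not $dll -or $dll.EnforcementMode -ne 'Enabled') {
    Write-Warning "AppLocker DLL rules are not enforced (mode: $($dll.EnforcementMode))"
} else {
    Write-Output "AppLocker DLL rules are enforced"
}
```

Before switching the DLL collection to enforcement, run it in audit mode first, since the performance cost mentioned above comes with the risk of blocking libraries that legitimate applications need.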
There are also several other ways to bypass AppLocker, mentioned in the comments by the user navion: one and two.