Tuesday, November 10, 2015

Your Whitelisting Application Has No Clothes

I am not entirely sure that I am communicating this accurately. So here goes another simple attempt...

Whitelisting applications that subscribe to the Microsoft best practice for intercepting and blocking executable file execution have a GAPING hole. That hole is .NET loading of assemblies via reflection. The Microsoft model hooks execution at the point where a file is opened for execute access and mapped as an executable image. An assembly that a .NET host reads into a byte array and hands to Assembly.Load is never mapped that way: the file is only ever opened and read as data, so a filter built on that model never sees it.

http://download.microsoft.com/download/4/4/b/44bb7147-f058-4002-9ab2-ed22870e3fe9/Kernal%20Data%20and%20Filtering%20Support%20for%20Windows%20Server%202008.doc

Page 18...



Signed Microsoft binaries that load a caller-supplied assembly via reflection, such as InstallUtil, Regsvcs, and RegAsm, do not follow the pattern that most whitelisting applications are expecting. The signed, trusted host is the only thing that is executed in the filter's sense; the untrusted assembly it loads is merely read.

What this means is that your whitelisting application MISSES the execution events generated by these tools: it sees the trusted host start and nothing else.

I have tested multiple tools and they ALL miss this type of execution.

What I am not saying is that whitelisting is bad. I am saying this is a tremendous gap in the ability to detect execution events.

Windows 10 with UMCI and Device Guard seems to be able to detect and prevent this sufficiently.

So, again... If you are whitelisting as a defense, please be wary of .NET applications that can open an executable for READ, load it from memory via reflection, and then run it from pages that are EXECUTE in memory, without the file itself ever being executed as far as the filter can tell...
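As an added illustration of that mechanism (example code written for this edit, not from the original post, from Microsoft, or from any whitelisting product), the Windows PowerShell script below builds a throwaway assembly and loads it both ways: once from disk, which maps the file as an image, and once from a byte array read through a read-only handle, which does not. The names Payload, Run and payload_demo.dll are arbitrary choices for the demo.

```powershell
# Added example: one .NET assembly loaded via the path an execution filter
# sees (image mapping from disk) and via the path it does not (reflective
# load from bytes). Names Payload / Run / payload_demo.dll are demo choices.

# 1. Build a stand-in for an untrusted assembly. It only returns a string,
#    so that the load is observable without doing anything else.
$source = @'
public static class Payload
{
    public static string Run() { return "ran from reflective load"; }
}
'@
$dll = Join-Path $env:TEMP 'payload_demo.dll'
Add-Type -TypeDefinition $source -OutputAssembly $dll -OutputType Library

# 2. Conventional load: the CLR maps the file as an executable image.
#    This open-for-execute / image-section activity is what a
#    minifilter-based whitelister is built to intercept.
$fromDisk = [System.Reflection.Assembly]::LoadFile($dll)
"LoadFile   -> Location = '$($fromDisk.Location)'"

# 3. Reflective load: open the file for READ only and hand the bytes to
#    Assembly.Load(byte[]). The file is never mapped as an image; the CLR
#    creates the code pages in memory, and they are executable there.
$stream = New-Object System.IO.FileStream($dll, 'Open', 'Read', 'Read')
try {
    $bytes = New-Object byte[] $stream.Length
    [void]$stream.Read($bytes, 0, $bytes.Length)
} finally {
    $stream.Dispose()
}
$inMemory = [System.Reflection.Assembly]::Load($bytes)

# A byte-loaded assembly has no backing file, so Location is empty.
# That is also why module listings keyed on file paths do not show it.
"Load(byte[]) -> Location = '$($inMemory.Location)'"

# 4. Run code from the byte-loaded assembly. Nothing on disk was executed.
$inMemory.GetType('Payload').GetMethod('Run').Invoke($null, $null)
```

Run it in Windows PowerShell with Process Monitor filtered on the session: step 2 shows the file being opened with execute access and mapped, step 3 shows only a read. The signed Microsoft hosts named above play the role of this script, with the assembly path supplied on their command line, so watching the process creation and command-line arguments of those hosts is the visibility a whitelister built purely on execute interception is missing.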

That is all...

Cheers,

Casey
@subTee

