lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <335CAD151C80431185B4C4F20B4D2AC1@W340>
Date: Sun, 26 Mar 2017 22:50:40 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Defense in depth -- the Microsoft way (part 47): "AppLocker bypasses are not serviced via monthly security roll-ups"

I wrote Tuesday, March 21, 2017 8:09 PM:

[ ...snip... ]

> Mitigation:
> ~~~~~~~~~~~
>
> Create an "AppCert.Dll" that exports CreateProcessNotify and
> set the following registry entry
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
> "AppCert.Dll"="<path>\AppCert.Dll"

[ ...snip... ]

If you can't create an "AppCert.Dll" from the code I depicted or don't
know how to implement the function "forbidden()" yourself: just visit
<https://skanthak.homepage.t-online.de/appcert.html>, read it and get
the prebuilt DLLs plus their .INF setup script, packaged in a .CAB
archive.

enjoy
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
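The message above describes the mitigation only in outline: an AppCert DLL that exports CreateProcessNotify and decides, through a function forbidden(), whether an image may be started. The following C file is an added illustration of that shape; it is not Stefan Kanthak's code and not the DLL from the linked appcert.html page. It assumes the commonly described interface (NTSTATUS NTAPI CreateProcessNotify(LPCWSTR lpApplicationName, ULONG Reason), Reason 1 = APPCERT_IMAGE_OK_TO_RUN, 2 = APPCERT_CREATION_ALLOWED, 3 = APPCERT_CREATION_DENIED, return STATUS_SUCCESS to allow and STATUS_ACCESS_DENIED to block) and that kernel32 passes the fully qualified image path. The deny policy (block images under user-writable directories, fail closed on empty or relative paths) is an illustrative assumption, not a policy the post specifies. The policy logic is portable so it can be built and tried on any platform; only the export decoration and the DLL build are Windows-specific.

```c
/* appcert_example.c - illustrative AppCert DLL policy (added example, not
 * the code from the original post or from appcert.html).
 *
 * Build as the DLL registered under
 *   HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
 * with:  cl /LD /DAPPCERT_DLL appcert_example.c
 * Build stand-alone for testing the policy with:  cc appcert_example.c
 */
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>              /* NTSTATUS */
#define APPCERT_EXPORT __declspec(dllexport)
#else                               /* portable stand-ins so the policy compiles elsewhere */
typedef long NTSTATUS;
typedef unsigned long ULONG;
typedef const wchar_t *LPCWSTR;
#define NTAPI
#define APPCERT_EXPORT
#endif

#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
#endif
#ifndef STATUS_ACCESS_DENIED
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
#endif

/* Reason codes as commonly documented for AppCertDlls (assumption: verify
 * against the DLL source the post links to). */
#define APPCERT_IMAGE_OK_TO_RUN   1UL   /* query: may this image run? */
#define APPCERT_CREATION_ALLOWED  2UL   /* notification only */
#define APPCERT_CREATION_DENIED   3UL   /* notification only */

/* Illustrative deny list: path components that ordinary users can write to.
 * A real deployment would derive this from the machine's AppLocker policy. */
static const wchar_t *const g_forbidden[] = {
    L"\\Users\\",            /* profiles: Desktop, Downloads, AppData, ... */
    L"\\ProgramData\\",      /* largely user-writable */
    L"\\Temp\\",             /* %TEMP%, C:\Windows\Temp */
    L"\\Windows\\Tasks\\",
    L"\\Windows\\Tracing\\",
    NULL
};

/* Case-insensitive substring search for wide strings (NTFS paths are
 * case-insensitive, so L"C:\\USERS\\" must match L"\\Users\\"). */
static int wcs_contains_ci(const wchar_t *haystack, const wchar_t *needle)
{
    size_t n = wcslen(needle);
    for (; *haystack; haystack++) {
        size_t i;
        for (i = 0; i < n; i++)
            if (towlower((wint_t)haystack[i]) != towlower((wint_t)needle[i]))
                break;
        if (i == n)
            return 1;
    }
    return 0;
}

/* Accept only "X:\..." or "\\server\share\..." / "\\?\..." forms. */
static int fully_qualified(const wchar_t *p)
{
    if (iswalpha((wint_t)p[0]) && p[1] == L':' && p[2] == L'\\')
        return 1;
    if (p[0] == L'\\' && p[1] == L'\\')
        return 1;
    return 0;
}

/* The policy decision the post leaves to the reader: 1 = block, 0 = allow.
 * Fails closed on missing, empty or relative paths. */
int forbidden(const wchar_t *path)
{
    if (path == NULL || *path == L'\0' || !fully_qualified(path))
        return 1;
    for (const wchar_t *const *p = g_forbidden; *p; p++)
        if (wcs_contains_ci(path, *p))
            return 1;
    return 0;
}

/* The export kernel32 calls for every process creation that goes through
 * CreateProcess*. Only the OK_TO_RUN query carries a decision; the other
 * reasons are notifications and must be answered with STATUS_SUCCESS. */
APPCERT_EXPORT NTSTATUS NTAPI CreateProcessNotify(LPCWSTR lpApplicationName, ULONG Reason)
{
    if (Reason != APPCERT_IMAGE_OK_TO_RUN)
        return STATUS_SUCCESS;
    return forbidden(lpApplicationName) ? STATUS_ACCESS_DENIED : STATUS_SUCCESS;
}

#ifndef APPCERT_DLL
/* Stand-alone driver over constructed sample paths (omitted in the DLL build). */
int main(void)
{
    static const wchar_t *const samples[] = {
        L"C:\\Windows\\System32\\notepad.exe",
        L"C:\\Users\\alice\\Downloads\\invoice.pdf.exe",
        L"evil.exe",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-48ls -> %s\n", samples[i], forbidden(samples[i]) ? "DENY" : "allow");
    return 0;
}
#endif
```

Two caveats before deploying anything of this kind: the DLL is mapped into every process that calls CreateProcess, so it must live in a directory only administrators can write to and do no more work than shown, and the AppCertDlls key is itself a well-known persistence location (MITRE ATT&CK T1546.009), so the value you set should be monitored for changes. The hook also only covers the kernel32 CreateProcess family; code that calls NtCreateUserProcess directly is not consulted.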