Often deployed as the new way to prevent malware and unauthorized execution, application whitelisting has been billed as a way to contain and prevent advanced threats. "Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system." So goes the guidance of the Critical Security Controls. Is this guidance effective? Are there practical ways to circumvent whitelisting technology. If so, what are these techniques?
Adversaries adapt. Eventually, like we see in the biological world (weeds, mosquitoes), adversaries become resistant or inoculated against our defenses. We have developed a catalog of bypass techniques we would like to share. These techniques, while focused on the Windows Operating Systems, may have application to other areas.
Casey Smith (@subTee) is an Information Security Analyst in the Financial Industry. His daily responsibilities involve deploying and testing defensive systems in the enterprise. He has a passion for understanding and testing the limits and of defensive systems.