Using AppLocker to Prevent Living off the Land Attacks
Last Updated: 2020-04-16 21:31:38 UTC
by Johannes Ullrich (Version: 1)
STI student David Brown published an STI research paper in January with some interesting ideas to prevent living off the land attacks with AppLocker. Living off the land attacks use existing Windows binaries instead of downloading specific attack tools. This post-compromise technique is very difficult to block. AppLocker isn't really designed to block these attacks because AppLocker by default does allow standard Windows binaries to run.
David is using a more restrictive AppLocker configuration that blocks normal users from running some of the more popular tools that attackers tend to use. He wrote specific AppLocker rules around some of the popular living off the land attack guides and summarized them in his research paper. You can find his complete paper here: https://pen-testing.sans.org/resources/papers/gpen/preventing-living-land-attacks-140526 .
Or check out the YouTube video I recorded with David that includes a brief proof of concept demo:
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute