
Finding Evil in the Whitelist

Finding Evil in the Whitelist (PDF, 3.30MB)
Published: 24 Mar, 2015
Created by Josh Johnson

Application whitelisting technologies are extremely effective at reducing the ability of malicious code to run in an environment. For organizations with limited security budgets, built-in Windows features such as AppLocker and Software Restriction Policies offer the ability to implement low-cost whitelisting solutions that can significantly reduce the attack surface on Windows endpoints. While they lack centralized management and reporting consoles, these tools can be tested and deployed with limited effort, using scripts to collect and analyze logs and Group Policy to manage the whitelists.

Even though whitelisting provides greater protection to endpoints, emerging research is highlighting innovative whitelisting bypass techniques, and attackers are adopting new styles to evade this type of control. However, through regular log review and anomaly detection, organizations can detect and respond to these sophisticated attacks that bypass application whitelisting utilities. When looking for attacks that bypass AppLocker specifically, organizations can lean heavily on PowerShell for log collection and automated analysis.
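The abstract describes the detection approach only in outline: collect AppLocker logs with PowerShell, then look for anomalies. The following is an added example written for this page; it is not code from the paper or from its author. It assumes AppLocker is deployed in enforce or audit mode so that the `Microsoft-Windows-AppLocker/EXE and DLL` log is populated (event IDs 8002 allowed, 8003 audit-only, 8004 blocked are the documented AppLocker IDs), and it makes up three anomaly rules of its own: an allow from a user-writable directory (a sign of an over-broad path rule), a file hash not present in a baseline built from a clean reference image, and an unsigned binary allowed outside the Windows directory. The `Get-AppLockerExecutionRecords`, `Find-AppLockerAnomalies` names, the writable-root list and the sample records are all constructed for the example.

```powershell
# Added example, not the paper's code. Collects AppLocker allow/audit/block events from one or
# more hosts and flags records that deserve analyst attention. Assumes the documented AppLocker
# log name and event IDs 8002/8003/8004; the anomaly rules below are illustrative choices.

function Get-AppLockerExecutionRecords {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Days = 7
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    foreach ($c in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction Stop
        } catch {
            Write-Warning "No AppLocker events from $c : $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            # AppLocker places its details under UserData/RuleAndFileData in the event XML
            $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Computer  = $c
                Time      = $e.TimeCreated
                EventId   = $e.Id
                User      = $d.TargetUser
                FilePath  = $d.FilePath      # AppLocker logs paths with variables such as %OSDRIVE%
                FileHash  = $d.FileHash
                Publisher = $d.Fqbn          # '-' when the file carries no valid signature
                RuleName  = $d.RuleName
            }
        }
    }
}

function Find-AppLockerAnomalies {
    param(
        [Parameter(Mandatory)] [object[]]$Records,
        # Hashes seen running on a clean reference build (assumption: built from earlier 8002 events)
        [hashtable]$KnownHashes = @{},
        # Locations an ordinary user can write to; an allow from here points at a weak path rule
        [string[]]$WritableRoots = @('%OSDRIVE%\USERS\', '%OSDRIVE%\WINDOWS\TEMP\', '%OSDRIVE%\WINDOWS\TASKS\')
    )
    foreach ($r in $Records) {
        $reasons = @()
        $path = [string]$r.FilePath
        $path = $path.ToUpperInvariant()
        $unsigned = [string]::IsNullOrEmpty($r.Publisher) -or $r.Publisher -eq '-'
        if ($r.EventId -eq 8002) {
            if ($WritableRoots | Where-Object { $path.StartsWith($_.ToUpperInvariant()) }) {
                $reasons += 'allowed from user-writable location'
            }
            if (-not [string]::IsNullOrEmpty($r.FileHash) -and -not $KnownHashes.ContainsKey($r.FileHash)) {
                $reasons += 'hash not in baseline'
            }
            if ($unsigned -and -not $path.StartsWith('%WINDIR%')) {
                $reasons += 'unsigned binary outside Windows directory'
            }
        }
        if ($reasons.Count -gt 0) {
            # Return the record with a Reasons column so it can be piped to Export-Csv or Out-GridView
            $r | Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

# Constructed sample records (stand-ins for real events) so the analysis can be exercised offline.
$sample = @(
    [pscustomobject]@{ Computer='WS01'; Time=(Get-Date); EventId=8002; User='CORP\alice'
        FilePath='%WINDIR%\SYSTEM32\NOTEPAD.EXE'; FileHash='SHA256 PLACEHOLDER-A'
        Publisher='O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\NOTEPAD\NOTEPAD.EXE\6.1.0.0'
        RuleName='(Default Rule) All files located in the Windows folder' }
    [pscustomobject]@{ Computer='WS01'; Time=(Get-Date); EventId=8002; User='CORP\alice'
        FilePath='%OSDRIVE%\USERS\ALICE\DOWNLOADS\UPDATER.EXE'; FileHash='SHA256 PLACEHOLDER-B'
        Publisher='-'; RuleName='Allow Everything Under C' }
    [pscustomobject]@{ Computer='WS02'; Time=(Get-Date); EventId=8004; User='CORP\bob'
        FilePath='%OSDRIVE%\TEMP\DROPPER.EXE'; FileHash='SHA256 PLACEHOLDER-C'
        Publisher='-'; RuleName='' }
)
$baseline = @{ 'SHA256 PLACEHOLDER-A' = $true }

# Only the second record is flagged: allowed from a user-writable path, hash absent from the
# baseline, and unsigned. The 8004 block is already a policy hit and needs no anomaly rule.
Find-AppLockerAnomalies -Records $sample -KnownHashes $baseline | Format-Table Computer, User, FilePath, Reasons
```

In production the `$sample` block would be replaced by `Get-AppLockerExecutionRecords -ComputerName (Get-Content .\hosts.txt)` and the baseline by a hashtable built from the first collection run on known-good machines; scheduling the script and exporting the flagged rows to CSV gives the regular log review the abstract recommends without a dedicated management console.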

Meet the expert

Josh Johnson

Certified Instructor

Josh has been working in Information Security for 10+ years. He enjoys contributing to the community by sharing research and tools that help bolster blue team capabilities; tools that have been used in preventing and detecting large-scale incidents.
