application control

Winsage
April 22, 2025
A vulnerability tracked as CVE-2025-21204 in the Windows Update Stack allows a local attacker to run unauthorized code and escalate privileges to SYSTEM. It carries a CVSS score of 7.8 (High) and affects Windows 10 versions 1507, 1607 and 1809, and most likely other supported Windows 10, Windows 11 and Windows Server versions. The flaw is an improper link-resolution issue: Windows Update processes follow directory junctions without verifying where they lead, so an attacker with an ordinary user account can redirect a trusted path to a location containing attacker-controlled code. Microsoft's April 2025 cumulative update mitigates the issue by creating a new folder at the root of the system drive and adding detection rules for suspicious junction creation. Organizations are advised to apply the April 2025 security updates, restrict ACLs on the affected directories, limit who can create symbolic links, and monitor file creation in those directories.
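The check a practitioner wants after reading the above is whether a path a privileged process trusts has been redirected through a junction, and whether the junction target is somewhere a standard user can write. The script below is an added example, not code from the Winsage article or from Microsoft: it walks each component of a path, reports junctions and symbolic links with their targets, and flags targets whose ACL grants write-like rights to low-privileged principals. The default path is an assumption for illustration (the folder the April 2025 update creates is C:\inetpub on the system drive).

```powershell
# Added example; not code from the Winsage article or from Microsoft.
# Walks a path that a privileged process treats as trusted, reports any
# component that is a junction or symbolic link, and checks whether the
# link target grants write access to low-privileged principals.

$LowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights on a directory lets a user plant or replace content there.
$WriteLikeRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership'

function Get-LinkChain {
    # Returns every component of $Path that is a reparse point, with its target.
    param([Parameter(Mandatory)][string]$Path)
    $acc = ''
    foreach ($part in ($Path -split '[\\/]' | Where-Object { $_ -ne '' })) {
        $acc = if ($acc) { Join-Path -Path $acc -ChildPath $part } else { "$part\" }
        $item = Get-Item -LiteralPath $acc -Force -ErrorAction SilentlyContinue
        if (-not $item) { break }   # component does not exist; nothing further to inspect
        if (($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0) {
            [pscustomobject]@{
                Path     = $acc
                LinkType = $item.LinkType          # 'Junction' or 'SymbolicLink'
                Target   = @($item.Target)[0]      # string[] on PowerShell 5.1, string on 7
            }
        }
    }
}

function Get-LowPrivWriteAce {
    # Lists Allow ACEs on $Path that give write-like rights to low-privileged principals.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivIdentities -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $WriteLikeRights) -ne 0)
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Test-JunctionRedirect {
    # Reports whether $Path is redirected at any component and whether the
    # redirection lands in a user-writable location.
    param([Parameter(Mandatory)][string]$Path)
    $links = @(Get-LinkChain -Path $Path)
    $findings = foreach ($link in $links) {
        $aces = @()
        if ($link.Target -and (Test-Path -LiteralPath $link.Target)) {
            $aces = @(Get-LowPrivWriteAce -Path $link.Target)
        }
        [pscustomobject]@{
            Link         = $link.Path
            LinkType     = $link.LinkType
            Target       = $link.Target
            UserWritable = $aces.Count -gt 0
            Grants       = ($aces | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
        }
    }
    [pscustomobject]@{
        Path       = $Path
        Redirected = $links.Count -gt 0
        Risky      = @($findings | Where-Object UserWritable).Count -gt 0
        Links      = $findings
    }
}

# Usage: inspect the folder the April 2025 update creates (the path is an assumption here).
$report = Test-JunctionRedirect -Path "$env:SystemDrive\inetpub"
$report | Format-List Path, Redirected, Risky
$report.Links | Format-Table -AutoSize
```

One caveat worth keeping in mind when following the "prevent symbolic link creation" advice: the SeCreateSymbolicLinkPrivilege controls symbolic links only. Directory junctions are mount points, and any user who can write to the parent directory can create one (mklink /J), so restricting symlink creation does not by itself stop this class of redirect; the ACL on the parent directory is what matters.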
Tech Optimizer
April 16, 2025
Windows Defender Application Control (WDAC) is a built-in Windows security feature that restricts execution to trusted applications. Attackers have nevertheless found several ways around it: Living-off-the-Land Binaries (LOLBins) that WDAC policies commonly allow, DLL sideloading into a trusted signed process, and misconfigured WDAC policies. Code run this way does not necessarily trigger alerts from traditional security tools, leaving room to install ransomware or plant backdoors. Microsoft runs a bug bounty program covering WDAC bypasses, but some techniques stay unpatched for long periods. Users can reduce the risk by keeping Windows updated, being cautious with software downloads, and running reputable antivirus software.
Winsage
March 29, 2025
Elite red team hackers have disclosed a significant weakness in the Windows ecosystem: a method to bypass Windows Defender Application Control (WDAC), the feature that restricts application execution to trusted software. Bobby Cooke of IBM X-Force Red confirmed that the Microsoft Teams application was targeted to bypass WDAC and run a command-and-control payload. The techniques included "Living Off The Land Binaries" (LOLBINS), side-loading an untrusted dynamic-link library (DLL) into a trusted application, exploiting a custom exclusion rule in a client's WDAC policy, and finding a new execution chain inside a trusted application. Microsoft said it is aware of the WDAC bypass report and will take action as needed to protect customers.
Winsage
March 18, 2025
Microsoft's Windows Defender Application Control (WDAC) has become a target for security researchers, with bug bounty payouts for successful bypasses. IBM's X-Force team describes the possible outcomes of a WDAC bypass submission: a bounty, an entry on the WDAC recommended block list, or no recognition at all. Researchers such as Jimmy Bayne and Casey Smith have published significant bypasses, and the LOLBAS Project documents further ones, including the Microsoft Teams application. During red team operations X-Force bypassed WDAC using known LOLBINs, DLL side-loading, custom exclusion rules in client policies, and new execution chains inside trusted applications. Electron applications, which bundle a Node.js runtime and let JavaScript interact with the operating system, are a particularly rich target, as the supply-chain attack on the MiMi chat application showed. Preparing for a red team operation, Bobby Cooke's team examined the legacy Microsoft Teams application and found that its signed Node modules could be abused to execute shellcode without tripping WDAC. They built a JavaScript-based C2 framework, Loki C2, designed to run inside WDAC-enforced environments and handle reconnaissance and payload deployment. In a demonstration, Loki C2 bypassed a strict WDAC policy by modifying resources of the legitimate Teams application, allowing code execution to go undetected. The team's continuing work on such techniques reflects how quickly this area moves and how continuously defenders must adapt.
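The three WDAC bypass items above share a theme: the bypasses lean on what the policy permits (custom exclusion rules, allowed LOLBins, trusted applications installed in per-user directories), not on a flaw in the enforcement engine. The script below is an added example, not code from the Winsage articles or from IBM X-Force, that audits an App Control for Business (WDAC) policy XML for those policy-side weaknesses: audit-only mode, an unsigned policy, runtime path protection turned off, path-based allow rules that reach into user-writable locations, and missing deny rules for a subset of the binaries on Microsoft's recommended block list. The embedded policy is a constructed sample, and the LOLBin list is deliberately abbreviated.

```powershell
# Added example serving the three WDAC bypass items above; not code from the
# Winsage articles nor from IBM X-Force. Audits a WDAC policy XML for
# policy-side weaknesses that bypasses rely on. The policy is a constructed sample.

$SamplePolicyXml = @'
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:UMCI</Option></Rule>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
    <Rule><Option>Disabled:Runtime FilePath Rule Protection</Option></Rule>
  </Rules>
  <FileRules>
    <Allow ID="ID_ALLOW_A_1" FriendlyName="Program Files" FilePath="%OSDRIVE%\Program Files\*" />
    <Allow ID="ID_ALLOW_A_2" FriendlyName="Per-user Teams install (client exclusion)" FilePath="%OSDRIVE%\Users\*\AppData\Local\Microsoft\Teams\*" />
    <Allow ID="ID_ALLOW_A_3" FriendlyName="Contractor tools" FilePath="C:\ProgramData\Contractor\*" />
    <Deny ID="ID_DENY_MSHTA" FriendlyName="mshta.exe" FileName="mshta.exe" MinimumFileVersion="65535.65535.65535.65535" />
  </FileRules>
</SiPolicy>
'@

# Abbreviated subset of binaries on Microsoft's recommended block list (not the full list).
$KnownLolbins = @('mshta.exe', 'msbuild.exe', 'wmic.exe', 'cdb.exe', 'windbg.exe',
                  'csi.exe', 'rcsi.exe', 'addinprocess.exe', 'dnx.exe', 'fsi.exe')

function Test-WdacPolicy {
    # Returns a list of human-readable findings for the supplied policy XML.
    param([Parameter(Mandatory)][xml]$Policy)
    $findings = New-Object System.Collections.Generic.List[string]
    $options  = @($Policy.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })

    if ($options -contains 'Enabled:Audit Mode') {
        $findings.Add('Audit mode: violations are logged (event 3076) but nothing is blocked.')
    }
    if ($options -contains 'Enabled:Unsigned System Integrity Policy') {
        $findings.Add('Policy is unsigned: any administrator can replace or remove it.')
    }
    $pathProtectionOff = $options -contains 'Disabled:Runtime FilePath Rule Protection'
    if ($pathProtectionOff) {
        $findings.Add('Runtime FilePath rule protection is disabled: path rules apply even under user-writable directories.')
    }

    # Path-based allow rules: flag anything under locations standard users commonly write to,
    # and UNC paths. A signed application installed per-user (legacy Teams) is exactly this case.
    $userWritable = '(?i)^(\\\\|.*\\(Users|ProgramData|Temp)\\)'
    foreach ($allow in @($Policy.SiPolicy.FileRules.Allow)) {
        if (-not $allow -or -not $allow.FilePath) { continue }
        if ($allow.FilePath -match $userWritable) {
            $note = if ($pathProtectionOff) { 'exploitable as written' }
                    else { 'ignored at runtime only if the directory is admin-only; verify the on-disk ACL' }
            $findings.Add("Allow rule $($allow.ID) uses path '$($allow.FilePath)' in a commonly user-writable location ($note).")
        }
    }

    # Deny rules: which well-known LOLBins does the policy not block by file name?
    $denied = @($Policy.SiPolicy.FileRules.Deny | Where-Object { $_.FileName } | ForEach-Object { $_.FileName.ToLower() })
    foreach ($bin in $KnownLolbins) {
        if ($denied -notcontains $bin) {
            $findings.Add("No deny rule for $bin (on Microsoft's recommended block list).")
        }
    }
    return $findings
}

$findings = Test-WdacPolicy -Policy ([xml]$SamplePolicyXml)
$findings | ForEach-Object { Write-Output "FINDING: $_" }
```

Against the sample, the audit reports audit mode, the unsigned policy, disabled path protection, the two user-writable path rules and nine missing LOLBin denies. The fixes map onto ConfigCI cmdlets: drop audit mode with Set-RuleOption -FilePath policy.xml -Option 3 -Delete, merge Microsoft's recommended block list with Merge-CIPolicy -PolicyPaths policy.xml, blocklist.xml -OutputFilePath merged.xml, and replace path rules for per-user applications with publisher or hash rules so that a trusted application's install directory is no longer an open door.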
Tech Optimizer
February 28, 2025
Windows includes tools for restricting which applications can run, including an application whitelist. On Windows Pro and Enterprise, administrators configure it through the Local Security Policy console; Windows Home does not ship that console, and the article describes adding it from the command prompt. The AppLocker feature, which first shipped with Windows 7 and Windows Server 2008 R2, supports both allow and deny rules. Setting up an allow list means opening Local Security Policy, navigating to Application Control Policies and AppLocker, and creating rules under "Executable Rules", optionally starting from the default rules Microsoft provides. Rules can identify applications by file hash or by path; hash rules are safer because a path rule is satisfied by any file dropped into that path. AppLocker only enforces rules while the Application Identity service is running, which can be enabled from the Services console; unauthorized applications are then blocked, and restarting Windows resolves most problems with the service. Cyberlock is mentioned as an alternative to AppLocker with more advanced features and a paid license after a trial. Windows also offers Smart App Control, which blocks untrusted or unsigned applications using Microsoft's cloud app intelligence, and a kiosk mode that allows only a single application to run, suitable for dedicated terminals.
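The same allow list can be built from PowerShell, which is the practical route once more than one machine is involved. The script below is an added example, not code from the Tech Optimizer article: it inventories executables under the Windows and Program Files directories, generates publisher rules for signed files and hash rules for the rest (no path rules, for the reason given above), puts the policy in audit mode, tests sample paths against it, and only when $Apply is set applies it and starts the Application Identity service. It must run elevated on a Windows edition that supports AppLocker; $Apply, the export path and the sample paths are assumptions for this example.

```powershell
# Added example; not code from the Tech Optimizer article. Builds an AppLocker
# executable allow list with the AppLocker module instead of the Local Security
# Policy console. $Apply, $ExportPath and the sample paths are assumptions.
$Apply      = $false                                           # set to $true to apply the policy
$ExportPath = Join-Path $env:TEMP 'applocker-exe-allowlist.xml'

# 1. Inventory executables in admin-controlled install locations (this can take minutes).
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$fileInfo = foreach ($root in $trustedRoots) {
    Get-AppLockerFileInformation -Directory $root -Recurse -FileType Exe -ErrorAction SilentlyContinue
}

# 2. Generate allow rules. Rule types are tried in the order given: publisher rules
#    survive version upgrades; hash rules cover unsigned binaries but must be
#    regenerated whenever the file changes. Path rules are deliberately not used.
$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Baseline' -Optimize -IgnoreMissingFileInformation

# 3. Start in audit mode: AppLocker logs event 8003 for executables that would
#    have been blocked, so the list can be tuned before anything breaks.
foreach ($collection in $policy.RuleCollections) { $collection.EnforcementMode = 'AuditOnly' }

# 4. Test candidate files against the policy before deploying it. Note that a
#    hash or publisher rule follows the file, not its location.
$samples = @("$env:SystemRoot\System32\notepad.exe", "$env:USERPROFILE\Downloads\installer.exe") |
    Where-Object { Test-Path -LiteralPath $_ }
if ($samples) {
    Test-AppLockerPolicy -PolicyObject $policy -Path $samples -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 5. Apply, export the effective policy for review, and enable the Application
#    Identity service that AppLocker depends on. sc.exe is used because the
#    service's start type is protected from Set-Service on current builds.
if ($Apply) {
    Set-AppLockerPolicy -PolicyObject $policy -Merge
    Get-AppLockerPolicy -Local -Xml | Set-Content -LiteralPath $ExportPath -Encoding UTF8
    sc.exe config appidsvc start= auto | Out-Null
    sc.exe start appidsvc | Out-Null
}
```

Once an Exe rule collection exists, everything that no rule allows is denied, so step 4 matters: test the line-of-business applications users actually run before switching EnforcementMode from AuditOnly to Enabled.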
Tech Optimizer
February 11, 2025
Unified Threat Management (UTM) firewalls integrate multiple security functionalities into a single platform, streamlining security management and reducing costs for organizations, particularly small and medium-sized enterprises (SMEs). UTM solutions include features such as firewalls, intrusion detection and prevention systems (IDPS), antivirus, anti-spam, VPN, web content filtering, and application control, providing comprehensive protection against various cyber threats. UTM firewalls serve as a gateway between internal networks and external connections, inspecting all traffic to block malicious activity. They continuously monitor for suspicious patterns, scan for malware, filter web access, provide VPN capabilities for secure remote connectivity, and filter emails to protect against spam and phishing. UTM systems offer centralized management through a unified dashboard, receive regular updates for emerging threats, and may include performance optimization features. The distinction between UTM and traditional firewalls lies in UTM's broader range of security functions, acting as a comprehensive security solution rather than solely focusing on real-time malware scanning. Top UTM firewalls include:
1. SonicWall UTM: intrusion prevention and gateway anti-virus.
2. Sophos UTM: user-friendly management with advanced security measures.
3. Check Point UTM: comprehensive protections including firewalls and VPNs.
4. Fortinet FortiGate UTM: integrates security and networking functions.
5. WatchGuard UTM: balances performance, security, and ease of management.
6. Juniper UTM: high-performance security services.
7. Barracuda UTM: extensive network protection through integrated functions.
8. Stormshield UTM: proactive defense mechanisms.
9. Huawei Unified Security Gateway (USG): versatile security protections.
10. Cisco UTM: integrated security and threat management services.
Key features of the best UTM firewalls include application control, advanced threat prevention, reporting and analytics, scalability, endpoint protection, and DDoS protection.
Winsage
December 26, 2024
A new attack technique abuses Windows Defender Application Control (WDAC) to disable Endpoint Detection and Response (EDR) sensors on Windows systems. An attacker who already holds administrative privileges can craft and deploy a custom WDAC policy that prevents the EDR sensor from loading at boot, leaving the network blind. The attack has three phases: crafting the malicious WDAC policy, rebooting the machine so the policy takes effect, and the EDR failing to start after the reboot. A proof-of-concept tool called "Krueger" implements the technique. Mitigations include enforcing WDAC policies through Group Policy Objects (GPOs) so that a locally planted policy does not persist, applying the principle of least privilege, and following secure administrative practices.
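Because the attacker in this scenario is already an administrator, prevention rests on signed, GPO-managed policies; detection rests on knowing what the host is actually enforcing. The script below is an added example, not the Krueger tool nor code from the Winsage article. It reports the Device Guard enforcement status, the policy files in the CodeIntegrity directory with hashes and timestamps, the policy file the GPO points at (if any), and recent policy-activation and enforcement-block events, so a policy that arrived outside the managed channel stands out. The registry value, paths and event IDs are Microsoft's; the report shape and the MatchesGpo field are this example's own.

```powershell
# Added example; not the Krueger tool nor code from the Winsage article.
# Inventories the code-integrity policies a host is enforcing and recent
# activation events, flagging policy files that do not match the GPO copy.

function Get-CodeIntegrityStatus {
    # 0 = off, 1 = audit, 2 = enforced, for kernel- and user-mode CI respectively.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $label = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    [pscustomobject]@{
        KernelModeCI = $label[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCI   = $label[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

function Get-ActivePolicyFiles {
    # Legacy single-policy file plus the multiple-policy directory.
    $ciRoot = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
    $files  = @(Join-Path $ciRoot 'SiPolicy.p7b')
    $files += @(Get-ChildItem -LiteralPath (Join-Path $ciRoot 'CiPolicies\Active') -Filter '*.cip' -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty FullName)
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            [pscustomobject]@{
                File      = $f
                LastWrite = (Get-Item -LiteralPath $f).LastWriteTime
                SHA256    = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            }
        }
    }
}

function Get-GpoPolicySource {
    # The "Deploy Windows Defender Application Control" GPO writes this registry value.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.ConfigCIPolicyFilePath) {
        $src = $props.ConfigCIPolicyFilePath
        [pscustomobject]@{
            Source = $src
            SHA256 = if (Test-Path -LiteralPath $src) { (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash } else { $null }
        }
    }
}

function Get-PolicyActivationEvents {
    param([int]$Days = 7)
    # 3099: a Code Integrity policy was refreshed and activated.
    # 3077: enforcement-mode block (what an EDR driver denied by a hostile policy produces).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3099, 3077
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

function Get-WdacPolicyReport {
    $gpo    = Get-GpoPolicySource
    $active = @(Get-ActivePolicyFiles)
    foreach ($p in $active) {
        # A file the GPO did not deploy, or one that differs from the GPO copy, deserves a look.
        $p | Add-Member -NotePropertyName MatchesGpo -NotePropertyValue ($gpo -and $gpo.SHA256 -eq $p.SHA256)
    }
    [pscustomobject]@{
        Status       = Get-CodeIntegrityStatus
        GpoSource    = $gpo
        PolicyFiles  = $active
        RecentEvents = @(Get-PolicyActivationEvents -Days 7)
    }
}

$report = Get-WdacPolicyReport
$report.Status       | Format-List
$report.PolicyFiles  | Format-Table File, LastWrite, MatchesGpo -AutoSize
$report.RecentEvents | Format-Table TimeCreated, Id -AutoSize
```

A 3099 event outside a change window, or a .cip file with MatchesGpo false, is the indicator to chase. A signed policy removes the "any administrator can replace it" path entirely, which is why unsigned policies deserve a finding in any WDAC review.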
Winsage
December 8, 2024
Microsoft has released Windows Server 2025 build 26334 for Windows Insiders, marking the final update for the year, with the next expected in January 2025. This build includes Desktop Experience and Server Core installation options for Datacenter and Standard editions, as well as the Annual Channel for Container Host and Azure Edition for virtual machine evaluation. The branding remains Windows Server 2025 in this preview, and issues reported should reference Windows Server vNext preview. Users enrolled in Server Flighting will receive this build automatically. New features include Windows Defender Application Control for Business (WDAC), which enforces a list of permitted software to minimize the attack surface, and improved accessibility for Windows Admin Center (WAC), allowing installation directly from the Windows Server Desktop for Datacenter or Standard preview users. There are known issues, including a labeling error that may reference Windows 11, which Microsoft plans to fix in a future release. Windows Server build 26334 is valid until September 15, 2025, with specific installation keys provided for Server Standard and Datacenter editions, while no key is required for Azure Edition.
Tech Optimizer
November 27, 2024
Free antivirus software provides essential protection against viruses, malware, and online threats without cost. Key features often include real-time scanning, automated updates, and basic security measures. Notable free antivirus programs for 2025 include:
- Bitdefender Antivirus Free Edition: real-time protection, on-demand scanning, and anti-phishing features with low system impact.
- Avira Free Security: real-time protection, web protection, a VPN, a password manager, and a system optimizer.
- Sophos Home Free: a cloud-managed solution that uses AI for threat detection and includes parental controls.
- AVG AntiVirus Free: reliable protection against malware, plus a ransomware decryption tool.
- Microsoft Defender: built into Windows, provides decent protection and receives regular updates.
Choosing the right antivirus depends on individual needs; options vary in features and performance impact. Free antivirus programs typically lack advanced features found in paid versions, such as comprehensive malware detection, firewall protection, and priority customer support. Independent labs test antivirus software for effectiveness, focusing on detection rates, false positives, and performance impact. Some free antivirus tools offer additional features like password managers and limited VPN access, but many advanced functions require payment. Overall, while free antivirus solutions may not be as comprehensive as paid options, they still provide solid protection for everyday users.
Winsage
November 13, 2024
Microsoft addressed a small number of critical vulnerabilities, two of them privilege escalations: one in VMSwitch that lets a low-privileged user on a guest OS execute code as SYSTEM on the host, and another in a cloud service that has already been mitigated. The release includes more than 50 code execution vulnerabilities, most affecting SQL Server; CVE-2024-49043 needs prompt attention and requires updating the OLE DB Driver to version 18 or 19. Several Office components had vulnerabilities, the Telephony service accounted for six remote code execution bugs, and an SMBv3 vulnerability lets a malicious SMB client attack an affected SMB server in SMB over QUIC configurations. A CVSS 9.9 vulnerability in Azure CycleCloud could grant root-level access, and an RCE in TorchGeo was also fixed. More than two dozen privilege escalation fixes shipped, including USB Video Class driver vulnerabilities that require physical access and Azure Database for PostgreSQL vulnerabilities that could grant SuperUser privileges. Two security feature bypasses were addressed, one in Word and one in Windows Defender Application Control, along with two spoofing vulnerabilities (Exchange Server and DNS) and four denial-of-service vulnerabilities, including one in Hyper-V that could enable cross-VM attacks. The final Patch Tuesday of 2024 is scheduled for December 10.