Notes on Application Control

This post discusses the topic of application control. Its purpose is to investigate areas where operations teams should focus on when configuring settings to prevent bypasses. Insufficiently configured application control provides a false sense of security on the defending organization and allows attackers to execute unauthorized software.

The post is divided in the following sections:

Introduction

Application Control is a set of security practices and technologies designed to manage, restrict and monitor the applications running on a network or device. The concept introduces an additional layer of security, as it allows the implementation of rules that define which applications are allowed to run or are blocked. This is certainly useful in defending systems from unauthorized software.

Various application control products exist in the market, some of which are:

This post does not necessarily reflect the author’s personal experience with the discussed products or techniques. Instead, it serves as an anthology of publicly documented techniques, insights gained from personal research, and knowledge shared through discussions and interviews with other cybersecurity professionals and practitioners.

Ivanti Application Control

This section discusses Ivanti’s Application Control.

Readable Application Control Exclusions (Registry)

Various settings for Ivanti application control exclusions are located in the following registry keys:

More specifically, exclusion settings are located in HKEY_LOCAL_MACHINE\SOFTWARE\AppSense Technologies\Application Manager\DriverParameters (value name ExProcessNames), per Ivanti documentation available at [12]. Additional settings are located in HKEY_LOCAL_MACHINE\Software\AppSense\Environment Manager\AsModLdr (value name Exceptions), documented in [13]. Searching for potential exclusions should be expanded to include additional registry keys, as the names may not be consistent in newer versions of the software.

These settings may be accessible to standard users, potentially allowing them to review the exclusions and circumvent application control policies.

Readable Application Control Settings (Filesystem)

Per Ivanti’s official documentation [1], the Application Control configuration for certain AppSense deployments are located in C:\ProgramData\AppSense\Application Manager\Configuration (also referred to as %ALLUSERSPROFILE%\AppSense\Application Manager\Configuration). The file configuration.aamp can be a useful resource for attackers, as it includes the Application Control configuration. This file is actually a compressed directory (PK header) and therefore by changing the extension to .zip it is possible to open and review its contents. The directory tree includes human-readable configuration files in XML format.

Therefore, Operations teams should be aware of this risk and adjust the file permissions to limit users’ ability to read the Application Control configuration.

Coverage Gaps Allow Application Control Bypass

When someone knows the set of rules applied on a system, it becomes easier to then work around those rules and identify coverage gaps that might be exploited, allowing bypasses of security protocols.

For example, if %LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe is not blocked or it is expilicitly allowed to run, a user with malicious intent could copy the Windows command prompt application from C:\Windows\System32\ to %LOCALAPPDATA%\Microsoft\OneDrive\ and rename it to OneDrive.exe to be able to run it. This effectively can bypass the Application Control and unlock key functionality that can further be used to the attacker’s benefit.

In the same way, when a specific path is allowed by the rules, a malicious user with write access to that path could simply copy unauthorized there and run it.

BeyondTrust Endpoint Privilege Management

This section discusses BeyondTrust’s Endpoint Privilege Management.

At the time of writing documentation it was not easy to find relevant documentation, however references in various webpages ([5], [6], [7], [8], [9]) point to the direction of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Avecto\Privilege Guard Client for exclusions related to BeyondTrust (Avecto) application control functionality.

Breadcrumbs of information are also listed in [10] (mention of Defendpoint Service, PGHook (user space), PGDriver (kernel space)).

PGHook.dll - Privileged Guard Hook, is a DLL that is loaded in the address space of processes and implements the application control functionality. High level information can be found in [11].

Airlock Allowlisting and Execution Control

This section discusses Airlock’s Allowlisting and Execution Control.

Overwrite Allowlisting Software Driver

It is possible to neutralize the Airlock allowlisting functionality by replacing the Airlock.sys, one of Airlock’s drivers. This vector requires higher level of access, as the driver is a protected resource. However, when combined with other misconfigurations in an environment (such as privileged processes copying files to locations that standard users have write access to), it can ultimately lead to a bypass of the implemented security control.

This technique was documented by Danyal Drew [3] in [4].

Application Control Attack Matrix

The following matrix, maps attack techniques to their MITRE ATT&CK framework tactics and techniques.

  Ivanti
Application Control (AC)		 Airlock
Allowlisting and Execution Control		 BeyondTrust
Endpoint Privilege Management
Discovery
(Security Software Discovery)		 Read application control configuration (filesystem)

Read application control configuration (registry)		 - Read application control configuration (registry)
Defense Evasion
(Exploitation for Defense Evasion)		 Rename an executable to match the name of allowed executable

Copy executable to an allowed location		 - Copy executable to an allowed location
Defense Evasion
(File and Directory Permissions Modification)		 - Replace allowlisting driver -

* The attack techniques matrix was inspired by the SCCM Attack Matrix of Misconfiguration Manager [2]

Closing Remarks

Application controls combined with Antivirus and Endpoint Detection and Response (EDR) software constitutes a defense-in-depth approach. All these technologies together provide a multi-layered defense capable of detecting, preventing and responding to threat at various stages of an attack lifecycle. It is therefore critical to configure them appropriately and perform regular audits to ensure they function in alignment with business needs.

References

[1] https://help.ivanti.com/ap/help/en_US/am/2024/Content/Application_Manager/Configuration.htm

[2] https://github.com/subat0mik/Misconfiguration-Manager#sccm-attack-matrix

[3] https://x.com/danyaldrew

[4] https://www.silentgrid.com/blog/story-from-the-trenches-junction-bug-elevation/

[5] https://kcm.trellix.com/corporate/index?page=content&id=KB83123

[6] https://github.com/microsoft/WSL/issues/11033#issuecomment-1978933134

[7] https://enterprisesecurity.hp.com/s/article/Bromium-and-Third-Party-Software-Interoperability-Guide#AvectoPrivilegeGuard

[8] https://www.autodesk.com/support/technical/article/caas/sfdcarticles/sfdcarticles/Avecto-Defendpoint-conflicts-with-AutoCAD.html

[9] https://knowledge.broadcom.com/external/article/292223/endpoint-standard-repuxexe-error-0xc0000.html

[10] https://beekeepers.beyondtrust.com/windows-macos-7/useful-epm-w-knowledgebase-articles-5457

[11] https://www.file.net/process/pghook.dll.html

[12] https://forums.ivanti.com/s/article/Application-Control-Exclude-Engineering-Values

[13] https://forums.ivanti.com/s/article/Recommended-Anti-Virus-and-AppSense-Exclusions


tags: #application control