__________________________________________________________________________________________
♥ LoLi Security Update ♥
__________________________________________________________________________________________

[Other] Hardening Windows with AppLocker - Mitigate msbuild.exe

In this post I will cover how to go beyond the default rules in AppLocker and harden it to prevent msbuild.exe from working. I will explain different methods of mitigating using AppLocker. But before we dive into rule making, let me first explain the default rules in detail.

[Exploit] Exploiting Word: CVE-2017-11826

Coincidentally with the beginning of an APT simulation engagement in the Red Team, a patch was issued by Microsoft fixing some vulnerabilities (CVE-2017-11826) affecting MS Office. The patch, which fixed a memory corruption bug, was first published on October 10th. On October 11th, Qihoo 360 Core Security reported having found malware exploiting said vulnerability during the previous month.

[Tool] wildPwn - Brute forcer and shell deployer for WildFly (JBoss AS)

WildFly, formerly known as JBoss AS, or simply JBoss, is an application server authored by JBoss, now developed by Red Hat. WildFly is written in Java, and implements the Java Platform, Enterprise Edition (Java EE) specification. It runs on multiple platforms. WildFly is free and open-source software, subject to the requirements of the GNU Lesser General Public License (LGPL), version 2.1.

[Tool] Tiredful API - An intentionally designed broken web application based on REST API

Tiredful API is an intentionally broken web app. The aim of this web app is to teach developers, QA or security professionals about flaws present in web services (REST APIs) caused by insecure coding practices.

[Tool] ProcDump for Linux - A Linux version of the ProcDump Sysinternals tool

ProcDump is a Linux reimagining of the classic ProcDump tool from the Sysinternals suite of tools for Windows. ProcDump provides a convenient way for Linux developers to create core dumps of their application based on performance triggers.

[Tool] QuasarRAT - Remote Administration Tool for Windows

Quasar is a fast and light-weight remote administration tool coded in C#. Providing high stability and an easy-to-use user interface, Quasar is the perfect remote administration solution for you.

[Windows] Securing Windows Defender Application Guard

Securing Windows Defender Application Guard, presented by David "dwizzzle" Weston (Device Security Group Manager, Microsoft, Windows and Devices) and Saruhan "manbun" Karademir (Information Security, Microsoft, Windows and Devices).

[Tool] ADRecon - Gathers information about Active Directory and generates a report

ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.

Copyright © 2018 LoLi Team.