As an IT and security researcher with over 25 years of experience, I often explore ways attackers try to defeat security tools like application whitelisting.

In this post, I’ll examine an interesting whitelisting evasion technique using BGInfo and discuss updated strategies to detect and prevent similar attacks. I’ll share the detailed steps so you can understand exactly how it works.

Our goal is to raise awareness of this old exploit method so security professionals can anticipate similar attacks.

A Quick Refresher on Application Whitelisting

Application whitelisting allows administrators to exert granular control over what apps can run on a system. A whitelist policy explicitly allows only approved applications while blocking all others. This “default deny” stance significantly raises the bar for attackers attempting to execute malicious code.

Whitelisting solutions typically rely on attributes like cryptographic hashes, certificates, path names, and file properties to identify permitted apps. By using tools like AppLocker on Windows or Santa on macOS, the operating system enforces policies.

Bypassing Whitelisting with BGInfo

BGInfo is a fully legitimate Windows sysadmin tool that displays system properties on the desktop background.

BGInfo is designed to display the current status along with other important information about your system on the desktop background.

The app can spare you the trouble of opening several settings windows, only to learn various aspects about your PC’s configuration, such as the IP address, OS version, computer name, so on and so forth.

However, as outlined in the article, it can also be abused to bypass whitelisting defenses.

  • BGInfo is configurable and accepts external XML files.
  • When BGInfo parses malicious XML, it is possible to make it run arbitrary code.
  • Since BGInfo itself is signed and whitelisted, the code runs with its permissions.
  • Alternatively, the XML can invoke other whitelisted but vulnerable apps, like the HTML help compiler.

This simple but clever trick allows attackers to circumvent whitelisting using only built-in OS tools. While BGInfo has likely been updated to block malicious XML, the underlying technique remains valid.

BGInfo - Default Configuration

The Bypass Technique

1. The Basics

The bypass method involves embedding malicious scripts within BGInfo’s custom field definitions. Since BGInfo is often whitelisted, the embedded script can execute without detection.

2. Creating a Custom Field

A custom field in BGInfo can be created to run a specific command or script. By embedding a malicious script within this custom field, an attacker can execute the script when BGInfo refreshes.

3. Execution

Once the custom field is set up, the malicious script will run every time BGInfo updates the desktop background. This can lead to unauthorized access or other malicious activities.

Here is a simple example XML file that would display the computer name, OS version, and IP address:

BGINFO xml example 1

However, because BGInfo parses and executes any XML given to it, an attacker could abuse this to run unauthorized code. For example:

BGINFO xml example 2

This XML contains the <Execute> element, which will run the specified PowerShell command when BGInfo processes the file, allowing arbitrary code execution.

An attacker could deliver this malicious BGInfo XML via phishing email or by placing it on a network share that administrators access. When an admin runs BGInfo with the malicious config, it would execute the PowerShell command, bypassing application whitelisting since BGInfo itself is an authorized app.

Other payloads, like downloading malware or adding a new admin account, could also be executed this way. Properly securing access to BGInfo and scanning any XML configs can help mitigate this whitelisting bypass technique.

Mitigating the Risk

Understanding the bypass technique is the first step in defending against it. Here’s how you can mitigate the risk:

  1. Monitor BGInfo Custom Fields: Regularly check the custom fields within BGInfo for any unusual or unauthorized scripts.
  2. Restrict User Privileges: Limit the ability of users to modify BGInfo settings.
  3. Update Security Software: Ensure that your security software is up-to-date and capable of detecting this specific bypass method.
  4. Educate Staff: Make sure that your team is aware of this potential risk and follows best practices in using BGInfo.
bginfo command

Modern Whitelisting Evasion Tactics

Actually, attackers have many options to achieve similar goals:

  • Living-off-the-land binaries: Nearly every OS comes with utilities like PowerShell that can be coerced into running unauthorized code.
  • Macro malware: Office documents with malicious VBA macros remain a common phishing payload. Signed Microsoft Office apps are often whitelisted.
  • Memory exploits: Vulnerabilities like buffer overflows can be used to inject malicious code into whitelisted apps already running in memory.
  • DLL hijacking: Malicious DLLs placed in the right directories can be loaded by whitelisted programs instead of legitimate libraries.
  • DLL sideloading: Attackers can trick whitelisted apps into loading untrusted DLLs, often by planting them in the same folder.
  • User deception: Apps requiring user interaction, like cmd.exe, are sometimes whitelisted to enable admin tasks. But users can still be fooled into running unapproved commands.

This is not at all an exhaustive list. The key takeaway is that creative misuse of whitelisted apps and OS features is still a very common attack vector.

Improving Whitelist Policy Security

The best defense is to adopt a rigorous whitelisting methodology focused on security:

  • Only permit known-good apps that are actually required for the specific system/user role; compile the whitelist from scratch instead of using generic templates.
  • Leverage cryptographic signatures/hashes over metadata like filenames or paths that can be manipulated.
  • For scripting languages, restrict permissions to the absolute minimum of required functionality.
  • Isolate commodity office tools like web browsers and document editors in separate sandboxes.
  • Aggressively patch apps on the whitelist to eliminate exploit vectors. Prioritize particularly risky ones, like web browsers.
  • Enable memory protections like DEP and ASLR to thwart memory injection attacks.
  • Continuously monitor policy compliance and investigate any anomalies; don’t just set and forget.
  • Integrate whitelisting with other endpoint controls like antivirus to cover blind spots.
  • Enforce the principle of least privilege: restrict users to only the access they actually need to do their jobs.
Improving Whitelist

Detecting Whitelisting Evasion Attempts

Even a tightly controlled whitelist policy isn’t bulletproof. Monitoring and detection capabilities are crucial to identifying evasion efforts.

Alert on Suspicious Child Process Creation

Watch for blacklisted apps spawning new processes, which may indicate successful code injection into a whitelisted parent app.

For example, the calculator app launching PowerShell is highly suspicious and warrants investigation.

Analyze Memory of Whitelisted Processes

Examine the memory contents and behavior of permitted apps for signs of exploitation, like unexpected DLL loads and code injection.

Correlate Allowed Script Activity with Operations

While general scripting platforms like PowerShell cannot be completely prohibited, log and contextualize their usage.

Tasks like spraying 1000 users with PowerShell scripts should trigger alerts.

Detect Privilege Escalation Attempts

Watch for blacklisted applications attempting to gain elevated permissions through techniques like token impersonation or DLL hijacking.

Monitor Attempts to Import Blacklisted Code

Flag instances of prohibited code libraries like Mimikatz being imported into whitelisted processes.

Detect Disallowed Lateral Movement

Watch for restricted apps using remote capabilities like PSExec and WMI to spread across systems, which could enable evasion of local whitelist policies.

Log All Whitelisted Application Usage

Record execution details like command-line arguments, accessed files, and network connections made by permitted apps. This creates an audit trail to retrace steps if an incident occurs.

The Ongoing Cat and Mouse Game

Application whitelisting remains one of the most powerful protections available to lock down enterprise endpoints. However, it’s still no panacea; creative attackers continue finding ways to bypass even rigorous policies.

Defenders must go beyond the trust placed in whitelisting tools alone. Carefully managed, least-privilege policies paired with robust detection and response capabilities provide the most effective counter to the inevitable attempts to evade and abuse whitelisted apps.

By applying modern whitelisting best practices and vigilantly hunting for anomalies, organizations can still derive immense value from this critical security layer. But they must also acknowledge the intrinsic limitations of any single-point defense against sophisticated threats.

I’ve learned that truly securing an organization is an ongoing process, not a one-and-done product. As attackers continuously evolve, defense requires combining layered security tools with vigilant human monitoring and adaptation.

Other Topics:

Similar Posts