GCIH · Question #775
How does the use of endpoint application allow lists impact malware attacks against the system?
The correct answer is B. An attacker must obfuscate their code and scripts. Application allow lists block unapproved binaries by hash or signature, forcing attackers to pivot to script-based attacks with obfuscation to evade policy enforcement.
Question
How does the use of endpoint application allow lists impact malware attacks against the system?
Options
- AAn attacker must encrypt their attack tools
- BAn attacker must obfuscate their code and scripts
- CAn attacker must generate new code hashes
- DAn attacker must modify their attack tool use
How the community answered
(27 responses)- A4% (1)
- B78% (21)
- C7% (2)
- D11% (3)
Why each option
Application allow lists block unapproved binaries by hash or signature, forcing attackers to pivot to script-based attacks with obfuscation to evade policy enforcement.
Encrypting an executable does not change the binary's path or hash as seen by the allow list policy, so it remains blocked regardless of encryption.
Allow lists enforce hash- or certificate-based execution control, blocking known attacker binaries outright. Attackers respond by obfuscating interpreted scripts (PowerShell, VBScript, WMI) whose content is evaluated at runtime, making static hash matching ineffective and allowing malicious logic to execute through trusted interpreter processes.
Generating a new binary with a different hash still produces a hash that is not on the allow list, so execution is still denied.
Modifying tool use is too vague and does not describe a specific technical bypass; obfuscation of scripts is the precise technique used to evade hash-based allow list enforcement.
Concept tested: Application allow list bypass via script obfuscation
Source: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview
Topics
Community Discussion
No community discussion yet for this question.