nerdexam
GIAC

GCIH · Question #775

How does the use of endpoint application allow lists impact malware attacks against the system?

The correct answer is B. An attacker must obfuscate their code and scripts. Application allow lists block unapproved binaries by hash or signature, forcing attackers to pivot to script-based attacks with obfuscation to evade policy enforcement.

Malware Analysis & Advanced Persistent Threats

Question

How does the use of endpoint application allow lists impact malware attacks against the system?

Options

  • AAn attacker must encrypt their attack tools
  • BAn attacker must obfuscate their code and scripts
  • CAn attacker must generate new code hashes
  • DAn attacker must modify their attack tool use

How the community answered

(27 responses)
  • A
    4% (1)
  • B
    78% (21)
  • C
    7% (2)
  • D
    11% (3)

Why each option

Application allow lists block unapproved binaries by hash or signature, forcing attackers to pivot to script-based attacks with obfuscation to evade policy enforcement.

AAn attacker must encrypt their attack tools

Encrypting an executable does not change the binary's path or hash as seen by the allow list policy, so it remains blocked regardless of encryption.

BAn attacker must obfuscate their code and scriptsCorrect

Allow lists enforce hash- or certificate-based execution control, blocking known attacker binaries outright. Attackers respond by obfuscating interpreted scripts (PowerShell, VBScript, WMI) whose content is evaluated at runtime, making static hash matching ineffective and allowing malicious logic to execute through trusted interpreter processes.

CAn attacker must generate new code hashes

Generating a new binary with a different hash still produces a hash that is not on the allow list, so execution is still denied.

DAn attacker must modify their attack tool use

Modifying tool use is too vague and does not describe a specific technical bypass; obfuscation of scripts is the precise technique used to evade hash-based allow list enforcement.

Concept tested: Application allow list bypass via script obfuscation

Source: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview

Topics

#application allowlisting#malware evasion#obfuscation#endpoint security

Community Discussion

No community discussion yet for this question.

Full GCIH Practice