Hello.
On Config Manager (SCCM) managed devices, the INTERACTIVE user has read, execute and write permissions to C:\Windows\CCM\temp.
This bypasses the default AppLocker rule by dropping executables in this folder, and makes sure that the running user has execute permission.
I have reported this to Microsoft, and they have confirmed that this is an issue and will make a patch (without ETA).
More info here: https://github.com/FredCyberSecurity/Win11ApplockerBypass
I have some more AppLocker bypasses, but I am waiting for confirmation from Microsoft to publicly disclose them.
/Fred
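The issue above describes the defender-relevant pattern: a directory under `%WINDIR%` that the default AppLocker "allow everything in the Windows folder" rule covers, but that low-privilege users can write to. The following PowerShell is an added example written for this page; it is not code from the issue author or from this repository. It audits the ACL of a directory for write access granted to broad principals (the list of principals treated as "any interactive user", the path default, and the output file name are assumptions) and emits an AppLocker deny path rule XML for the directory so an administrator can review and merge it.

```powershell
# Added example (not from the issue or repository): audit a directory's ACL for
# write access by broad, low-privilege principals, and generate an AppLocker
# deny rule for it. Default path is the one named in the issue.
param(
    [string]$Path = 'C:\Windows\CCM\temp'
)

# Assumption: these identities stand in for "any interactive user" on the host.
$BroadPrincipals = @(
    'NT AUTHORITY\INTERACTIVE',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone'
)

# Rights that let a principal place a new file into the directory.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Write

function Test-BroadWriteAccess {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) {
        Write-Warning "$Directory does not exist on this host"
        return @()
    }
    $acl = Get-Acl -LiteralPath $Directory
    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Bitwise test on the raw value also handles generic-rights ACEs that do
        # not map to a named FileSystemRights member.
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0) {
            [pscustomobject]@{
                Directory = $Directory
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    return @($findings)
}

function New-AppLockerDenyPathRuleXml {
    param([string]$Directory)
    # A deny rule for Everyone (S-1-1-0) takes precedence over the default
    # "%WINDIR%\*" allow rule, so the user-writable directory is no longer trusted.
    $winDir = $env:WINDIR.TrimEnd('\')
    $rulePath = $Directory
    if ($Directory.StartsWith($winDir, [System.StringComparison]::OrdinalIgnoreCase)) {
        $rulePath = '%WINDIR%' + $Directory.Substring($winDir.Length)
    }
    $rulePath = $rulePath.TrimEnd('\') + '\*'
    $id = [guid]::NewGuid().ToString()
    # EnforcementMode="NotConfigured" so merging this fragment does not change
    # whether the Exe collection is enforced or audited.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePathRule Id="$id" Name="Deny execution from $Directory" Description="User-writable directory under the Windows folder" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$rulePath" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

$hits = Test-BroadWriteAccess -Directory $Path
if ($hits.Count -eq 0) {
    Write-Host "No broad write access found on $Path"
} else {
    $hits | Format-Table -AutoSize
    # Assumed output location; review the XML before merging it into policy.
    $xmlPath = Join-Path $env:TEMP 'applocker-deny-rule.xml'
    New-AppLockerDenyPathRuleXml -Directory $Path | Set-Content -Path $xmlPath -Encoding UTF8
    Write-Host "Review $xmlPath, then apply with: Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge"
}
```

Run it as an administrator on an SCCM-managed client; the ACL audit itself needs only read access to the directory. The generated fragment covers the Exe collection only; if the Script, Dll or Msi collections are enforced on the host, an equivalent deny rule for each of those collections is needed for the same path.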