What is command line whitelisting?

Daniel Keller

Dec 28, 2016
Hi everybody,

In terms of anti-exe tools like Bouncer or ERP, I see people talking about the importance of "command line white-listing". I did some research but did not find any useful information on what exactly this means, nor in which circumstances it is useful or necessary.

I guess that a tool that is not white-listed by path also can't run if started from the command line. So does "command line white-listing" mean that an already white-listed program could only run using certain command line parameters?

I'm a bit confused about the topic. Could you help me out?
 
In my understanding, the specified program can execute only whitelisted command lines. So, instead of whitelisting the whole process, and with it all of its command lines, the command lines of this process are selectively whitelisted. This prevents malware from readily using the vulnerable process to execute unrestrained. This gives more security. :)
 
In terms of anti-exe tools like Bouncer or ERP, I see people talking about the importance of "command line white-listing".
I guess that a tool that is not white-listed by path also can't run if started from the command line. So does "command line white-listing" mean that an already white-listed program could only run using certain command line parameters?
This is mostly about the "Parent-Child" process relationship.
A command line usually signifies that Parent Process A tries to execute Child Process B.
If you whitelist A to only execute B, then only B will be executed, not C, D, etc., as opposed to just whitelisting A, which means you allowed A to execute anything it wants.
 
I guess that a tool that is not white-listed by path also can't run if started from the command line.
From what I've understood, you can add to the whitelist all the trusted command line strings frequently used by the processes listed in the vulnerable processes list.
So technically, Windows uses an array of strings, passing to a program (anti-exe in our case) a series of parameters, listed in the command line.
This is because a program written in C++ can be launched from the operating system as a command, and may be accompanied by parameters.
C++ (like C) transforms these parameters in the arguments passed to the function "main", so that the program can process them.

This is what I remember about C/C++ programming, correct me if I'm wrong.
 
Yes, you are talking about that, I think?
Code:
#include <stdio.h>

/* argc holds the number of command line tokens and argv the tokens themselves;
   argv[0] is the program's own name, so the real parameters start at index 1. */
int main(int argc, char *argv[])
{
    int i;
    if (argc >= 2)
    {
        printf("The arguments supplied are:\n");
        for (i = 1; i < argc; i++)
        {
            printf("%s\t", argv[i]);
        }
        printf("\n");
    }
    else
    {
        printf("argument list is empty.\n");
    }
    /* The original used getch() from the non-standard <conio.h> to wait for a keypress;
       getchar() from <stdio.h> is the portable equivalent (waits for Enter). */
    getchar();
    return 0;
}
 
In ERP, you usually talk about command lines in connection with vulnerable processes,
because if you don't whitelist specific command line strings, you will keep getting prompts all the time, even if you allowed the process before.
 
Yes, you are talking about that, I think?
Yes, it takes parameters and then it processes them along with cycles (if, while, for, etc.).
 
Thank you everybody for the clarification.
To use an example: we speak about things like svchost or regsvr32, which could be used to load services or DLL files via the command line, right?
So command line white-listing could be used to restrict what these parent services could be used for?!
 
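To make the difference between the two kinds of whitelisting concrete (plain path whitelisting of a process versus whitelisting parent, child and command line string together, as explained in the replies above, with regsvr32 and svchost as the "vulnerable processes"), here is an added toy policy evaluator. It is not code from Bouncer, ERP or any other product; the policy rules, paths and process-creation events are constructed for the example, and the event field names simply mimic Sysmon's ParentImage/Image/CommandLine.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One whitelist entry: parent may start child only with a matching command line."""
    parent: str   # glob on the parent image path
    child: str    # glob on the child image path (the "vulnerable process")
    cmdline: str  # glob on the child's full command line


# Constructed policy (hypothetical paths, not from any real product's whitelist).
POLICY = [
    Rule(r"c:\windows\system32\msiexec.exe",
         r"c:\windows\system32\regsvr32.exe",
         r'regsvr32.exe /s "c:\program files\vendor\plugin.dll"'),
    Rule(r"c:\windows\system32\services.exe",
         r"c:\windows\system32\svchost.exe",
         r"c:\windows\system32\svchost.exe -k *"),
]


def _match(value: str, pattern: str) -> bool:
    # Windows paths and commands are case-insensitive, so compare lower-cased.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def allowed_by_path(event: dict, policy=POLICY) -> bool:
    """Plain whitelisting: the child image alone decides; any command line passes."""
    return any(_match(event["Image"], r.child) for r in policy)


def allowed_by_cmdline(event: dict, policy=POLICY) -> bool:
    """Command-line whitelisting: parent, child AND command line must match one rule."""
    return any(_match(event["ParentImage"], r.parent)
               and _match(event["Image"], r.child)
               and _match(event["CommandLine"], r.cmdline)
               for r in policy)


# Constructed process-creation events (Sysmon Event ID 1-style fields).
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\update.dll"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]


def evaluate(events=EVENTS, policy=POLICY):
    """Return (path_only_verdict, cmdline_verdict) per event to show the difference."""
    return [(allowed_by_path(e, policy), allowed_by_cmdline(e, policy)) for e in events]
```

The second event is the interesting one: regsvr32.exe is a whitelisted image, so a path-only rule lets it run, but the parent and command line match no rule, so command-line whitelisting blocks it.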
This is mostly about the "Parent-Child" process relationship.
A command line usually signifies that Parent Process A tries to execute Child Process B.
If you whitelist A to only execute B, then only B will be executed, not C, D, etc., as opposed to just whitelisting A, which means you allowed A to execute anything it wants.

Precisely so!
Excellent post, thank you.

From what I've understood, you can add to the whitelist all the trusted command line strings frequently used by the processes listed in the vulnerable processes list.
So technically, Windows uses an array of strings, passing to a program (anti-exe in our case) a series of parameters, listed in the command line.
This is because a program written in C++ can be launched from the operating system as a command, and may be accompanied by parameters.
C++ (like C) transforms these parameters in the arguments passed to the function "main", so that the program can process them.

This is what I remember about C/C++ programming, correct me if I'm wrong.

My C/C++ coding skills are gathering dust and cobwebs in a corner of my mind :)

But that is how I recall things also... thanks!
 
This is mostly about the "Parent-Child" process relationship.
A command line usually signifies that Parent Process A tries to execute Child Process B.
If you whitelist A to only execute B, then only B will be executed, not C, D, etc., as opposed to just whitelisting A, which means you allowed A to execute anything it wants.

I wonder if AppLocker will ever support a "Parent-Child" relationship like Bouncer?
 