AppLocker

AppLocker restricts which apps and files a user can run. Rules may be applied to the following file types:

  • Executable files: .exe, .com

  • Windows Installer files: .msi, .msp

  • Scripts: .js, .ps1, .vbs, .cmd, .bat

  • Packaged apps: .appx

  • Dynamic-Link Libraries: .dll

In practice, Dynamic-Link Libraries are not typically restricted: Microsoft requires administrators to explicitly enable this rule collection because checking every loaded DLL reduces system performance.

Enumerating AppLocker

Get-AppLockerPolicy -Effective -Xml
<SNIP>
<FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
    </Conditions>
</FilePathRule>
<SNIP>
PS C:\Users\max> Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path C:\Tools\SysinternalsSuite\procexp.exe -User max

FilePath                                PolicyDecision MatchingRule
--------                                -------------- ------------
C:\Tools\SysinternalsSuite\procexp.exe DeniedByDefault

PS C:\Users\max> Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path C:\Tools\SysinternalsSuite\procexp.exe -User maria

FilePath                               PolicyDecision MatchingRule
--------                               -------------- ------------
C:\Tools\SysinternalsSuite\procexp.exe        Allowed (Default Rule) All files

Exploiting the Default Ruleset

...[SNIP]...
<RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePathCondition Path="%PROGRAMFILES%\*" />
        </Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePathCondition Path="%WINDIR%\*" />
        </Conditions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
        <Conditions>
            <FilePathCondition Path="*" />
        </Conditions>
    </FilePathRule>
</RuleCollection>
...[SNIP]...

Enumerate folders inside %WINDIR% which standard users can both write to and execute from:

# Walk every directory under %WINDIR% and print those where a broad built-in group
# (Authenticated Users or BUILTIN\Users) holds an Allow ACE granting both write/create
# and execute rights. Saved as C:\Tools\AppLockerBypassChecker.ps1 and run below.
Get-ChildItem $env:windir -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $dir = $_;
    (Get-Acl $dir.FullName).Access | ForEach-Object {
        if ($_.AccessControlType -eq "Allow") {
            # Only groups that every standard user is a member of
            if ($_.IdentityReference.Value -eq "NT AUTHORITY\Authenticated Users" -or $_.IdentityReference.Value -eq "BUILTIN\Users") {
                # Write or Create rights combined with Execute make the folder both a drop location and an allowed path
                if (($_.FileSystemRights -like "*Write*" -or $_.FileSystemRights -like "*Create*") -and $_.FileSystemRights -like "*Execute*") {
                    Write-Host ($dir.FullName + ": " + $_.IdentityReference.Value + " (" + $_.FileSystemRights + ")");
                }
            }
        }
    };
}
PS C:\Users\Administrator> C:\Tools\AppLockerBypassChecker.ps1
C:\Windows\Tasks: NT AUTHORITY\Authenticated Users (CreateFiles, ReadAndExecute, Synchronize)
C:\Windows\Temp: BUILTIN\Users (CreateFiles, AppendData, ExecuteFile, Synchronize)
C:\Windows\tracing: BUILTIN\Users (Write, ReadAndExecute, Synchronize)
C:\Windows\System32\spool\drivers\color: BUILTIN\Users (CreateFiles, ReadAndExecute, Synchronize)
C:\Windows\Temp\MsEdgeCrashpad: BUILTIN\Users (CreateFiles, AppendData, ExecuteFile, Synchronize)
C:\Windows\Temp\MsEdgeCrashpad\attachments: BUILTIN\Users (CreateFiles, AppendData, ExecuteFile, Synchronize)
C:\Windows\Temp\MsEdgeCrashpad\reports: BUILTIN\Users (CreateFiles, AppendData, ExecuteFile, Synchronize)

Copying NotMalware.exe to C:\Windows\Tasks, we notice that AppLocker does not prevent us from running the file, since the folder sits under the default %WINDIR% Allow rule.

A brief look at the default ruleset for restricting scripts shows that the same bypass can be used.

...[SNIP]...
<RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d" Name="(Default Rule) All scripts located in the Program Files folder" Description="Allows members of the Everyone group to run scripts that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePathCondition Path="%PROGRAMFILES%\*" />
        </Conditions>
    </FilePathRule>
    <FilePathRule Id="9428c672-5fc3-47f4-808a-a0011f36dd2c" Name="(Default Rule) All scripts located in the Windows folder" Description="Allows members of the Everyone group to run scripts that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePathCondition Path="%WINDIR%\*" />
        </Conditions>
    </FilePathRule>
    <FilePathRule Id="ed97d0cb-15ff-430f-b82c-8d7832957725" Name="(Default Rule) All scripts" Description="Allows members of the local Administrators group to run all scripts." UserOrGroupSid="S-1-5-32-544" Action="Allow">
        <Conditions>
            <FilePathCondition Path="*" />
        </Conditions>
    </FilePathRule>
</RuleCollection>
...[SNIP]...
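The following PowerShell is an added example and not part of the original notes. It automates the defender-side check that the Exe and Script default rulesets above call for: it parses the effective policy, finds Allow path rules (applying to Everyone, Users or Authenticated Users) whose path prefix covers a directory standard users can write to and execute from, and prints the Exceptions block that would close each gap. It assumes the AppLocker module's Get-AppLockerPolicy cmdlet is available; $writableDirs is a constructed list modelled on the output of the enumeration script above, and the function name Find-WritableAllowPath is hypothetical.

```powershell
# Added example (not from the original notes): audit AppLocker Allow path rules against
# user-writable directories and emit the exception rules that would close the gap.

# Constructed sample input; on a real host, feed in the enumeration script's output instead.
$writableDirs = @(
    "$env:windir\Tasks",
    "$env:windir\Temp",
    "$env:windir\tracing",
    "$env:windir\System32\spool\drivers\color"
)

# AppLocker path variables mapped to concrete paths so rule paths can be compared with -like.
$pathVars = @{
    '%WINDIR%'       = $env:windir
    '%SYSTEM32%'     = "$env:windir\System32"
    '%PROGRAMFILES%' = $env:ProgramFiles
    '%OSDRIVE%'      = $env:SystemDrive
}

# Rules scoped to these SIDs apply to every standard user (Everyone, Authenticated Users, BUILTIN\Users).
# Rules scoped to other groups need separate membership resolution and are skipped here.
$broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

function Expand-AppLockerPath {
    param([string]$Path)
    foreach ($v in $pathVars.Keys) {
        # Replacement values are plain paths without '$', so no escaping of the replacement is needed.
        $Path = $Path -replace [regex]::Escape($v), $pathVars[$v]
    }
    return $Path
}

function Find-WritableAllowPath {
    param(
        [string[]]$WritableDirs,
        # Defaults to the effective policy of this host; pass an XML string to audit an exported policy offline.
        [string]$PolicyXml = (Get-AppLockerPolicy -Effective -Xml)
    )
    [xml]$policy = $PolicyXml
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        if ($collection.Type -notin @('Exe', 'Script')) { continue }
        foreach ($rule in $collection.FilePathRule) {
            if ($rule.Action -ne 'Allow' -or $rule.UserOrGroupSid -notin $broadSids) { continue }
            $allowed  = @($rule.Conditions.FilePathCondition.Path | ForEach-Object { Expand-AppLockerPath $_ })
            $excepted = @($rule.Exceptions.FilePathCondition.Path | ForEach-Object { Expand-AppLockerPath $_ })
            foreach ($dir in $WritableDirs) {
                # A hypothetical file inside the writable directory, used purely for wildcard matching.
                $probe    = Join-Path $dir 'probe.exe'
                $covered  = @($allowed  | Where-Object { $probe -like $_ })
                $excluded = @($excepted | Where-Object { $probe -like $_ })
                if ($covered.Count -gt 0 -and $excluded.Count -eq 0) {
                    [pscustomobject]@{
                        Collection  = $collection.Type
                        Rule        = $rule.Name
                        RulePath    = $covered[0]
                        WritableDir = $dir
                    }
                }
            }
        }
    }
}

$findings = Find-WritableAllowPath -WritableDirs $writableDirs
$findings | Format-Table -AutoSize

# For each affected rule, print an Exceptions element. Adding it to the rule in the exported XML
# and re-importing the policy (Set-AppLockerPolicy) removes the writable directory from the Allow rule.
$findings | Group-Object Collection, Rule | ForEach-Object {
    "Rule '$($_.Name)': add"
    "  <Exceptions>"
    foreach ($f in $_.Group) {
        $rel = $f.WritableDir -replace [regex]::Escape($env:windir), '%WINDIR%'
        "    <FilePathCondition Path=`"$rel\*`" />"
    }
    "  </Exceptions>"
}
```

The check is deliberately rule-level rather than file-level: Test-AppLockerPolicy answers "is this file allowed for this user", while the audit above answers "which Allow rules are broader than the directories they should cover", which is the question that decides whether the exception list is complete before the policy is enforced.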
