# AppLocker

{% embed url="https://github.com/api0cradle/UltimateAppLockerByPassList" %}

AppLocker lets administrators `restrict which apps and files a user can run`. Rules may be applied to the following file types:

* `Executable files`: .exe, .com
* `Windows Installer files`: .msi, .msp
* `Scripts`: .js, .ps1, .vbs, .cmd, .bat
* `Packaged apps`: .appx
* `Dynamic-Link Libraries`: .dll

{% hint style="success" %}
In practice, `Dynamic-Link Libraries` are rarely restricted: `Microsoft` requires administrators to explicitly enable this rule collection because checking every DLL load has a noticeable performance cost.
{% endhint %}

## Enumerating AppLocker

```powershell
Get-AppLockerPolicy -Effective -Xml
```

```xml
<SNIP>
<FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
    </Conditions>
</FilePathRule>
<SNIP>
```

{% embed url="https://learn.microsoft.com/en-us/powershell/module/applocker/test-applockerpolicy?view=windowsserver2022-ps" %}

```powershell-session
PS C:\Users\max> Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path C:\Tools\SysinternalsSuite\procexp.exe -User max

FilePath                                PolicyDecision MatchingRule
--------                                -------------- ------------
C:\Tools\SysinternalsSuite\procexp.exe DeniedByDefault

PS C:\Users\max> Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path C:\Tools\SysinternalsSuite\procexp.exe -User maria

FilePath                               PolicyDecision MatchingRule
--------                               -------------- ------------
C:\Tools\SysinternalsSuite\procexp.exe        Allowed (Default Rule) All files
```

## Exploiting the Default Ruleset

{% hint style="success" %}
*`C:\Windows\Temp\` is a default AppLocker Exclusion Path*
{% endhint %}

```xml
...[SNIP]...
<RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePathCondition Path="%PROGRAMFILES%\*" />
        </Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePathCondition Path="%WINDIR%\*" />
        </Conditions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
        <Conditions>
            <FilePathCondition Path="*" />
        </Conditions>
    </FilePathRule>
</RuleCollection>
...[SNIP]...
```

Enumerate folders inside `%WINDIR%` which standard users can both `write to` and `execute from`:

```powershell
# Walk every folder below %WINDIR% and print those where a standard-user principal
# holds an Allow ACE granting both a write right (Write*/Create*) and Execute.
Get-ChildItem $env:windir -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $dir = $_
    (Get-Acl $dir.FullName -ErrorAction SilentlyContinue).Access | ForEach-Object {
        # Only explicit Allow entries for the two built-in standard-user groups matter here
        if ($_.AccessControlType -eq "Allow") {
            if ($_.IdentityReference.Value -eq "NT AUTHORITY\Authenticated Users" -or $_.IdentityReference.Value -eq "BUILTIN\Users") {
                # CreateFiles (WriteData) plus ExecuteFile/ReadAndExecute is enough to drop and run a file
                if (($_.FileSystemRights -like "*Write*" -or $_.FileSystemRights -like "*Create*") -and $_.FileSystemRights -like "*Execute*") {
                    Write-Host ($dir.FullName + ": " + $_.IdentityReference.Value + " (" + $_.FileSystemRights + ")")
                }
            }
        }
    }
}
```

```powershell-session
PS C:\Users\Administrator> C:\Tools\AppLockerBypassChecker.ps1
C:\Windows\Tasks: NT AUTHORITY\Authenticated Users (CreateFiles, ReadAndExecute, Synchronize)
C:\Windows\Temp: BUILTIN\Users (CreateFiles, AppendData, ExecuteFile, Synchronize)
C:\Windows\tracing: BUILTIN\Users (Write, ReadAndExecute, Synchronize)
C:\Windows\System32\spool\drivers\color: BUILTIN\Users (CreateFiles, ReadAndExecute, Synchronize)
C:\Windows\Temp\MsEdgeCrashpad: BUILTIN\Users (CreateFiles, AppendData, ExecuteFile, Synchronize)
C:\Windows\Temp\MsEdgeCrashpad\attachments: BUILTIN\Users (CreateFiles, AppendData, ExecuteFile, Synchronize)
C:\Windows\Temp\MsEdgeCrashpad\reports: BUILTIN\Users (CreateFiles, AppendData, ExecuteFile, Synchronize)
```

After copying `NotMalware.exe` to `C:\Windows\Tasks`, we notice that `AppLocker` does not prevent us from running the file: the folder falls under the default `%WINDIR%\*` allow rule.

A brief look at the default ruleset for restricting `scripts` shows that the same bypass can be used.

```xml
...[SNIP]...
<RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d" Name="(Default Rule) All scripts located in the Program Files folder" Description="Allows members of the Everyone group to run scripts that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePathCondition Path="%PROGRAMFILES%\*" />
        </Conditions>
    </FilePathRule>
    <FilePathRule Id="9428c672-5fc3-47f4-808a-a0011f36dd2c" Name="(Default Rule) All scripts located in the Windows folder" Description="Allows members of the Everyone group to run scripts that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
        <Conditions>
            <FilePathCondition Path="%WINDIR%\*" />
        </Conditions>
    </FilePathRule>
    <FilePathRule Id="ed97d0cb-15ff-430f-b82c-8d7832957725" Name="(Default Rule) All scripts" Description="Allows members of the local Administrators group to run all scripts." UserOrGroupSid="S-1-5-32-544" Action="Allow">
        <Conditions>
            <FilePathCondition Path="*" />
        </Conditions>
    </FilePathRule>
</RuleCollection>
...[SNIP]...
```
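The following is an added example and not code from the original page or from the UltimateAppLockerByPassList project. It ties the two sections above together from the defender's side: it parses an AppLocker policy XML the way `Get-AppLockerPolicy -Effective -Xml` exports it, lists every rule per collection, flags `Allow` path rules for Everyone (`S-1-1-0`) whose wildcard also covers the user-writable `%WINDIR%` folders found by the enumeration script, and emits a hardened copy that carves those folders out with an `<Exceptions>` element. The policy XML and the folder list are constructed samples mirroring the default rules shown above; the function names are my own.

```powershell
# Added example: audit an AppLocker policy for Allow path rules that also cover
# user-writable folders, then produce a hardened copy with <Exceptions> entries.

# Constructed list: the %WINDIR% subfolders reported as writable + executable for
# standard users by the enumeration script on this page.
$UserWritableFolders = @(
    '%WINDIR%\Tasks\*',
    '%WINDIR%\Temp\*',
    '%WINDIR%\tracing\*',
    '%WINDIR%\System32\spool\drivers\color\*'
)

# Constructed sample policy mirroring the default rules shown on this page.
# On a live host use: $PolicyXml = Get-AppLockerPolicy -Effective -Xml
$PolicyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="9428c672-5fc3-47f4-808a-a0011f36dd2c" Name="(Default Rule) All scripts located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@

# Turn an AppLocker path pattern (variables such as %WINDIR% plus a trailing *)
# into a case-insensitive regex so one pattern can be tested against another.
function ConvertTo-PathRegex([string]$Pattern) {
    $escaped = [regex]::Escape($Pattern.ToLowerInvariant()) -replace '\\\*', '.*'
    return "^$escaped$"
}

# One row per rule: collection, enforcement mode, rule kind, action, principal, condition.
function Get-RuleSummary([xml]$Policy) {
    foreach ($collection in $Policy.AppLockerPolicy.RuleCollection) {
        foreach ($rule in $collection.ChildNodes) {
            if ($rule.NodeType -ne 'Element') { continue }
            $condition = $rule.Conditions.FirstChild
            $conditionText = switch ($condition.LocalName) {
                'FilePathCondition'      { $condition.Path }
                'FilePublisherCondition' { "$($condition.PublisherName) / $($condition.ProductName)" }
                default                  { $condition.LocalName }
            }
            [pscustomobject]@{
                Collection  = $collection.Type
                Enforcement = $collection.EnforcementMode
                RuleType    = $rule.LocalName
                Action      = $rule.Action
                Sid         = $rule.UserOrGroupSid
                Condition   = $conditionText
                Name        = $rule.Name
            }
        }
    }
}

# Allow path rules for Everyone whose wildcard covers a writable folder that is
# not already excluded via <Exceptions>.
function Find-OverbroadPathRule([xml]$Policy, [string[]]$WritableFolders) {
    foreach ($collection in $Policy.AppLockerPolicy.RuleCollection) {
        foreach ($rule in $collection.SelectNodes('FilePathRule[@Action="Allow"][@UserOrGroupSid="S-1-1-0"]')) {
            $allowed  = $rule.Conditions.FilePathCondition.Path
            $existing = @($rule.SelectNodes('Exceptions/FilePathCondition') | ForEach-Object { $_.Path.ToLowerInvariant() })
            foreach ($folder in $WritableFolders) {
                $covered = $folder.ToLowerInvariant() -match (ConvertTo-PathRegex $allowed)
                if ($covered -and $existing -notcontains $folder.ToLowerInvariant()) {
                    [pscustomobject]@{ Collection = $collection.Type; RuleId = $rule.Id; Rule = $rule.Name; Allows = $allowed; WritableFolder = $folder }
                }
            }
        }
    }
}

# Copy of the policy where each over-broad rule gains an <Exceptions> entry per
# writable folder, so a file dropped there no longer matches the path rule.
function Add-WritableFolderExceptions([xml]$Policy, [string[]]$WritableFolders) {
    $hardened = [xml]$Policy.OuterXml   # work on a copy, leave the input untouched
    foreach ($finding in Find-OverbroadPathRule $hardened $WritableFolders) {
        $rule = $hardened.SelectSingleNode("//RuleCollection[@Type='$($finding.Collection)']/FilePathRule[@Id='$($finding.RuleId)']")
        $exceptions = $rule.SelectSingleNode('Exceptions')
        if (-not $exceptions) { $exceptions = $rule.AppendChild($hardened.CreateElement('Exceptions')) }
        $cond = $hardened.CreateElement('FilePathCondition')
        $cond.SetAttribute('Path', $finding.WritableFolder)
        [void]$exceptions.AppendChild($cond)
    }
    return $hardened
}

$policy = [xml]$PolicyXml
Get-RuleSummary $policy | Format-Table -AutoSize
Find-OverbroadPathRule $policy $UserWritableFolders | Format-Table -AutoSize
$hardened = Add-WritableFolderExceptions $policy $UserWritableFolders
$hardened.OuterXml   # review, then test with Test-AppLockerPolicy -XmlPolicy before Set-AppLockerPolicy
```

The script runs on any PowerShell without the AppLocker module because it only handles XML; on a host with AppLocker, feed it the output of `Get-AppLockerPolicy -Effective -Xml` and a folder list produced by the enumeration script above. `<Exceptions>` inside a `FilePathRule` is part of the AppLocker policy schema and is how the "(Default Rule)" entries are normally tightened; path comparison in AppLocker is case-insensitive, which is why the helper lower-cases both sides. Exceptions only close the folders you know about, so the stronger long-term fix is to replace broad path rules with publisher or hash rules.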

## LOLBAS: Regasm

{% content-ref url="/pages/hz8g2b3YavRKx6gbLa9j" %}
[LOLBAS / LOLDrivers / LOLESXi](/0xss0rz/antivirus-evasion-defender/lolbas-loldrivers-lolesxi.md)
{% endcontent-ref %}

### Interesting Books

{% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %}
[Interesting Books](/0xss0rz/interesting-books.md)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**Evading EDR: The Definitive Guide to Defeating Endpoint Detection Systems**](https://www.amazon.fr/dp/1718503342?tag=0xss0rz-21) The author uses his years of experience as a red team operator to investigate each of the most common sensor components, discussing their purpose, explaining their implementation, and showing the ways they collect various data points from the Microsoft operating system. In addition to covering the theory behind designing an effective EDR, each chapter also reveals documented evasion strategies for bypassing EDRs that red teamers can use in their engagements.
