# AppLocker

AppLocker advances the app control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps.

An AppLocker block message looks like this:

`Program 'a.exe' failed to run: This program is blocked by group policy. For more information, contact your system administrator At line:1 char:1`

## View AppLocker policy

Check whether the user has a folder that is exempt from the AppLocker policy (each rule is stored as a GUID-named key under `SrpV2`):

```
(Get-AppLockerPolicy -Local).RuleCollections
# or
Get-ChildItem -Path HKLM:Software\Policies\Microsoft\Windows\SrpV2 -Recurse
# or
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\560d03c2-b277-4331-8c59-bc7d4eb08359
```

![Example for Applocker](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M4xwp6Mq18nX8yR4M5z%2Fuploads%2F1m0iRShU9cCKFf63mEaT%2Ffile.png?alt=media)

### PowerShell

There is a PowerShell module named AppLocker, which can query the AppLocker rules that are enforced on the current system. Below is a simple PowerShell script that outputs the rules in a readable format so you can use this information to bypass them.

```
Import-Module AppLocker
[xml]$data = Get-AppLockerPolicy -Effective -Xml

# Walk every rule collection that is actually enforced and print its rules.
# foreach statements are used instead of piping into ForEach-Object: piping an
# empty collection ($null) into ForEach-Object still runs the block once and
# would print an empty rule for every rule type the collection does not contain.
Write-Output "[+] Printing AppLocker Rules [+]`n"
foreach ($collection in ($data.AppLockerPolicy.RuleCollection | Where-Object { $_.EnforcementMode -match "Enabled" })) {
    Write-Output "--- $($collection.Type) collection ---`n"

    # Path rules, skipping the built-in default rules
    foreach ($rule in ($collection.FilePathRule | Where-Object { $_.Name -NotLike "(Default Rule)*" })) {
        Write-Output "=== File Path Rule ===`n`n Rule Name : $($rule.Name) `n Condition : $($rule.Conditions.FilePathCondition.Path)`n Description: $($rule.Description) `n Group/SID : $($rule.UserOrGroupSid)`n`n"
    }

    # Hash rules
    foreach ($rule in $collection.FileHashRule) {
        Write-Output "=== File Hash Rule ===`n`n Rule Name : $($rule.Name) `n File Name :  $($rule.Conditions.FileHashCondition.FileHash.SourceFileName) `n Hash type : $($rule.Conditions.FileHashCondition.FileHash.Type) `n Hash :  $($rule.Conditions.FileHashCondition.FileHash.Data) `n Description: $($rule.Description) `n Group/SID : $($rule.UserOrGroupSid)`n`n"
    }

    # Publisher rules, skipping the built-in default rules
    foreach ($rule in ($collection.FilePublisherRule | Where-Object { $_.Name -NotLike "(Default Rule)*" })) {
        Write-Output "=== File Publisher Rule ===`n`n Rule Name : $($rule.Name) `n PublisherName : $($rule.Conditions.FilePublisherCondition.PublisherName) `n ProductName : $($rule.Conditions.FilePublisherCondition.ProductName) `n BinaryName : $($rule.Conditions.FilePublisherCondition.BinaryName) `n BinaryVersion Min. : $($rule.Conditions.FilePublisherCondition.BinaryVersionRange.LowSection) `n BinaryVersion Max. : $($rule.Conditions.FilePublisherCondition.BinaryVersionRange.HighSection) `n Description: $($rule.Description) `n Group/SID : $($rule.UserOrGroupSid)`n`n"
    }
}
```

## Bypass

The default rules allow execution of anything in:

`%WINDIR%\*`

`%PROGRAMFILES%\*`

### User-writable folders that are whitelisted by the default rules

```
C:\Windows\Tasks  
C:\Windows\Temp  
C:\windows\tracing 
C:\Windows\Registration\CRMLog 
C:\Windows\System32\FxsTmp 
C:\Windows\System32\com\dmp 
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys 
C:\Windows\System32\spool\PRINTERS 
C:\Windows\System32\spool\SERVERS 
C:\Windows\System32\spool\drivers\color 
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter 
C:\Windows\SysWOW64\FxsTmp 
C:\Windows\SysWOW64\com\dmp 
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter 
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System 
```

If you can place a file or folder into one of these paths, you become the owner of that object and can change its ACL, either in the GUI or with `icacls`. That includes adding Execute rights and more. If a Deny Execute entry is inherited, you can either disable inheritance or create a hardlink to a binary in another folder using one of these commands:

`fsutil hardlink create c:\windows\system32\fxstmp\evil.exe c:\myfolder\plantedfile.exe`

`mklink /h c:\windows\system32\fxstmp\evil.exe c:\myfolder\plantedfile.exe`

You can check for additional writable paths by running accesschk from Sysinternals with these commands:

```
accesschk -w -s -q -u Users "C:\Program Files" >> programfiles.txt 
accesschk -w -s -q -u Everyone "C:\Program Files" >> programfiles.txt 
accesschk -w -s -q -u "Authenticated Users" "C:\Program Files" >> programfiles.txt 
accesschk -w -s -q -u Interactive "C:\Program Files" >> programfiles.txt 

accesschk -w -s -q -u Users "C:\Program Files (x86)" >> programfilesx86.txt 
accesschk -w -s -q -u Everyone "C:\Program Files (x86)" >> programfilesx86.txt 
accesschk -w -s -q -u "Authenticated Users" "C:\Program Files (x86)" >> programfilesx86.txt 
accesschk -w -s -q -u Interactive "C:\Program Files (x86)" >> programfilesx86.txt 

accesschk -w -s -q -u Users "C:\Windows" >> windows.txt 
accesschk -w -s -q -u Everyone "C:\Windows" >> windows.txt 
accesschk -w -s -q -u "Authenticated Users" "C:\Windows" >> windows.txt 
accesschk -w -s -q -u Interactive "C:\Windows" >> windows.txt 
```
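As an added example (not code from the original page, and not part of accesschk or any tool the page links to), the following PowerShell script performs the same check natively for the folders listed above: it reports Allow ACEs that grant write access to Everyone, Authenticated Users, INTERACTIVE or BUILTIN\Users, matches each writable folder against the Allow path rules of the effective Exe collection (honouring path-based exceptions), and prints an `<Exceptions>` fragment for the default `%WINDIR%\*` rule. The function names, the rights mask and the handling of generic rights are this example's own choices; the `<Exceptions>` element is the standard AppLocker rule XML for carving folders out of an Allow path rule.

```powershell
# Added example, not part of the original page: native PowerShell version of the
# accesschk sweep that also reports which AppLocker Exe path rule allows each
# user-writable folder. Function names, SID list, rights mask and folder list are
# this example's own choices.

# Everyone, Authenticated Users, INTERACTIVE, BUILTIN\Users as well-known SIDs
# (the same principals the accesschk commands query by name).
$BroadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545'

# Bits that let a principal create or overwrite files in a folder. Write, Modify and
# FullControl all contain WriteData/AppendData; 0x40000000 / 0x10000000 are the
# GENERIC_WRITE / GENERIC_ALL bits some ACEs carry instead of specific rights.
$WriteMask = ([int][System.Security.AccessControl.FileSystemRights]::WriteData -bor
              [int][System.Security.AccessControl.FileSystemRights]::AppendData -bor
              0x40000000 -bor 0x10000000)

function Get-UserWritableFolder {
    # Emits one object per Allow ACE that grants write access to a broad principal.
    # Deny ACEs are not evaluated, so treat every hit as a candidate for review.
    param([string[]]$Path, [switch]$Recurse)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root -PathType Container)) { continue }
        $folders = @(Get-Item -LiteralPath $root)
        if ($Recurse) {
            $folders += Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue
        }
        foreach ($folder in $folders) {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($BroadSids -notcontains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $folder.FullName
                    Principal = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

# Expands an AppLocker path variable into local wildcard patterns. %PROGRAMFILES%
# covers both Program Files folders, so a list is returned.
function ConvertTo-LocalPattern([string]$AppLockerPath) {
    $map = [ordered]@{
        '%SYSTEM32%'     = @("$env:windir\System32")
        '%WINDIR%'       = @($env:windir)
        '%PROGRAMFILES%' = @($env:ProgramFiles, ${env:ProgramFiles(x86)} | Where-Object { $_ })
        '%OSDRIVE%'      = @($env:SystemDrive)
    }
    foreach ($var in $map.Keys) {
        if ($AppLockerPath -like ($var + '*')) {
            return @($map[$var] | ForEach-Object { $_ + $AppLockerPath.Substring($var.Length) })
        }
    }
    return @($AppLockerPath)
}

# Names of the Allow path rules whose path covers $Folder and whose exceptions
# (path conditions only; publisher/hash exceptions are ignored) do not carve it out.
function Get-AllowingPathRule([string]$Folder, $Rules) {
    $probe = $Folder.TrimEnd('\') + '\'   # a file inside the folder matches like this
    foreach ($rule in $Rules) {
        if ($rule.Action -ne 'Allow') { continue }
        $covers = ConvertTo-LocalPattern $rule.Conditions.FilePathCondition.Path | Where-Object { $probe -like $_ }
        if (-not $covers) { continue }
        $carvedOut = foreach ($ex in $rule.Exceptions.FilePathCondition.Path) {
            ConvertTo-LocalPattern $ex | Where-Object { $probe -like $_ }
        }
        if (-not $carvedOut) { $rule.Name }
    }
}

# The folders listed above, resolved for this machine (constructed list; extend as needed).
$Candidates = 'Tasks', 'Temp', 'tracing', 'Registration\CRMLog', 'System32\FxsTmp',
    'System32\com\dmp', 'System32\Microsoft\Crypto\RSA\MachineKeys', 'System32\spool\PRINTERS',
    'System32\spool\SERVERS', 'System32\spool\drivers\color',
    'System32\Tasks\Microsoft\Windows\SyncCenter', 'SysWOW64\FxsTmp', 'SysWOW64\com\dmp',
    'SysWOW64\Tasks\Microsoft\Windows\SyncCenter', 'SysWOW64\Tasks\Microsoft\Windows\PLA\System' |
    ForEach-Object { Join-Path $env:windir $_ }

[xml]$policy  = Get-AppLockerPolicy -Effective -Xml
$exePathRules = ($policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }).FilePathRule

$gaps = @()
foreach ($hit in Get-UserWritableFolder -Path $Candidates) {
    $allowedBy = Get-AllowingPathRule -Folder $hit.Path -Rules $exePathRules
    $status = if ($allowedBy) { "allowed by: $($allowedBy -join ', ')" } else { 'not covered by an Allow path rule' }
    Write-Output ("{0,-58} {1,-26} {2}" -f $hit.Path, $hit.Principal, $status)
    if ($allowedBy) { $gaps += $hit.Path }
}

# <Exceptions> block for the default "%WINDIR%\*" Allow rule so these folders stop
# inheriting the allow. Review it, import the edited policy with
# Set-AppLockerPolicy -XmlPolicy <file>, and run in audit mode before enforcing.
if ($gaps) {
    Write-Output "`n<Exceptions>"
    foreach ($p in ($gaps | Select-Object -Unique)) {
        $var = $p -replace ('^' + [regex]::Escape($env:windir)), '%WINDIR%'
        Write-Output "  <FilePathCondition Path=`"$var\*`" />"
    }
    Write-Output '</Exceptions>'
}
```

Calling `Get-UserWritableFolder -Path $env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)} -Recurse` reproduces the full accesschk sweep above, at the cost of walking every subfolder; the folder list is the quick version for the paths the page already names.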

### Tools

* [**unlock**](/infrastructure-testing/tools/unlock-applocker.md) - Microsoft AppLocker evasion tool
* [**LOLBas**](/infrastructure-testing/breakout/lolbas.md) - Living Off The Land Binaries And Scripts

## Resources

<https://blog.pwn.al/security/applocker/bypass/custom/rules/windows/2018/09/13/applocker-custom-rules-bypass.html>
