Enumerating AppLocker Config
Very quick post to explore some different ways to enumerate the AppLocker configuration being applied to a host, both remotely and locally. Understanding these rules, particularly deny rules, is useful for engineering bypasses.
If the AppLocker configuration is being applied via GPO, which is probably the most likely scenario, it's really easy to pull the configuration from SYSVOL if you have read access to the share. I already talked about how to find GPOs and which machines they apply to in my LAPS - Part 1 post, and pulling the relevant Registry.pol is exactly the same process as described there.
Once you’ve parsed the file, it will look something like this:
Happily, it's all rather self-explanatory - we can see that this particular configuration is part of the default rule set that allows everyone to run executables from
A deny rule looks like this:
There are three methods for applying a deny rule - File Hash. This is an example of a Publisher rule, as shown by the FilePublisherRule Id and
If you can find a method of accessing the registry, you can also pull these values directly from there. Granted, that could be a chicken and egg problem. Maybe you will find that cmd.exe is blocked, but regedit.exe is not; or some other workaround.
Even without prior knowledge from the GPO, we know that they will appear in HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2. There are keys for
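As an added example (not code from the original post), here is a PowerShell function that audits the local policy straight from the SrpV2 key and lists every rule with its enforcement mode, so deny rules can be picked out of the output. It assumes the layout HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2\<Collection>\<RuleGuid>, with each rule's XML held in a string value named Value and an optional EnforcementMode DWORD on each collection key.

```powershell
# Added example: enumerate AppLocker rules from the SrpV2 registry keys.
# Assumed layout: SrpV2\<Collection>\<RuleGuid>, rule XML in a string value
# named "Value"; EnforcementMode DWORD on the collection key (0 = audit, 1 = enforce).
function Get-AppLockerRegistryRules {
    param([string]$Root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2')

    if (-not (Test-Path $Root)) {
        Write-Warning "No AppLocker policy found under $Root on this host"
        return
    }

    foreach ($collection in Get-ChildItem -Path $Root) {
        $mode = (Get-ItemProperty -Path $collection.PSPath -ErrorAction SilentlyContinue).EnforcementMode
        $modeText = if ($mode -eq 1) { 'Enabled' } elseif ($mode -eq 0) { 'AuditOnly' } else { 'NotConfigured' }

        foreach ($ruleKey in Get-ChildItem -Path $collection.PSPath) {
            $xmlText = (Get-ItemProperty -Path $ruleKey.PSPath -Name Value -ErrorAction SilentlyContinue).Value
            if (-not $xmlText) { continue }
            [xml]$rule = $xmlText
            $node = $rule.DocumentElement   # FilePathRule, FilePublisherRule or FileHashRule

            # Reduce each condition to one readable string, whatever the rule type
            $cond = $node.Conditions.ChildNodes | ForEach-Object {
                switch ($_.LocalName) {
                    'FilePathCondition'      { $_.Path }
                    'FilePublisherCondition' { "$($_.PublisherName) / $($_.ProductName) / $($_.BinaryName)" }
                    'FileHashCondition'      { ($_.FileHash | ForEach-Object { $_.SourceFileName }) -join ',' }
                    default                  { $_.LocalName }
                }
            }

            [pscustomobject]@{
                Collection  = $collection.PSChildName
                Enforcement = $modeText
                RuleType    = $node.LocalName
                Action      = $node.Action          # Allow or Deny
                Principal   = $node.UserOrGroupSid
                Name        = $node.Name
                Condition   = ($cond -join '; ')
            }
        }
    }
}

# Deny rules first, since those are the ones worth reading closely
Get-AppLockerRegistryRules | Sort-Object Action | Format-Table -AutoSize
```

Reading HKLM\SOFTWARE\Policies only needs the default user read access to the key, so the function runs without elevation; if the key is absent, AppLocker is not being configured through policy on that host.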