Enumerating AppLocker Config

Very quick post to explore some different ways to enumerate the AppLocker configuration being applied to a host, both remotely and locally. Understanding these rules, particularly deny rules, is useful for engineering bypasses.

Remote Enumeration

If the AppLocker configuration is being applied via GPO, which is probably the most likely scenario, it's really easy to pull the configuration from SYSVOL if you have read access to the share. I already talked about how to find GPOs and which machines they apply to in my LAPS - Part 1 post; pulling the relevant Registry.pol is exactly the same process as described there.

Once you’ve parsed the file, it will look something like this:

Happily, it's all rather self-explanatory - we can see that this particular configuration is part of the default rule set that allows everyone to run executables from %PROGRAMFILES%.

A deny rule looks like this:

There are three methods for applying a deny rule - Publisher, Path and File Hash. This is an example of a Publisher rule, as shown by the FilePublisherRule Id and FilePublisherCondition blocks.

Local Enumeration

If you can find a method of accessing the registry, you can also pull these values directly from there. Granted, that could be a chicken-and-egg problem. Maybe you will find that cmd.exe is blocked, but regedit.exe is not; or some other workaround.

Even without prior knowledge from the GPO, we know that they will appear in HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2. There are keys for Appx, Dll, Exe, Msi and Script.
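To tie the two sections together, here is an added Python example (not code from the original post) that parses a Registry.pol pulled from SYSVOL, keeps only the records under SOFTWARE\Policies\Microsoft\Windows\SrpV2, and lists the rules per collection (Exe, Script, and so on) with their Allow/Deny action and rule type. The Registry.pol layout it assumes (a PReg header followed by [key;value;type;size;data] records in UTF-16LE) and the AppLocker key layout it assumes (one subkey per rule GUID under the collection, holding the rule XML in a value named "Value", plus an EnforcementMode DWORD on the collection key) are the author's understanding of the format, and the mapping of EnforcementMode values to names is an assumption to verify against your own policy output. The sample blob, GUIDs and publisher name are constructed, not captured from any environment; because the key paths are the same ones the local registry uses, the grouping logic applies equally to values read from SrpV2 on the host.

```python
"""Parse a Registry.pol and list the AppLocker rules it carries (added example)."""
import struct
import xml.etree.ElementTree as ET

REG_SZ, REG_DWORD = 1, 4
SRPV2 = r"SOFTWARE\Policies\Microsoft\Windows\SrpV2"
# Assumed mapping of the EnforcementMode DWORD; verify against your own policy output.
ENFORCEMENT = {0: "AuditOnly", 1: "Enabled"}


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


def build_registry_pol(records):
    """Serialise (key, value_name, reg_type, raw_data) tuples into Registry.pol bytes."""
    out = bytearray(b"PReg" + struct.pack("<I", 1))          # signature + version 1
    for key, name, rtype, data in records:
        out += _u16("[") + _u16(key) + b"\0\0" + _u16(";") + _u16(name) + b"\0\0" + _u16(";")
        out += struct.pack("<I", rtype) + _u16(";") + struct.pack("<I", len(data)) + _u16(";")
        out += data + _u16("]")
    return bytes(out)


def _cstr(buf: bytes, pos: int):
    """Read a NUL-terminated UTF-16LE string; return (text, position after the NUL)."""
    end = pos
    while buf[end:end + 2] != b"\0\0":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def parse_registry_pol(buf: bytes):
    """Return (key, value_name, reg_type, raw_data) for every record in a Registry.pol."""
    if buf[:4] != b"PReg":
        raise ValueError("missing PReg signature")
    pos, records = 8, []
    while pos < len(buf):
        pos += 2                                   # '['
        key, pos = _cstr(buf, pos)
        pos += 2                                   # ';'
        name, pos = _cstr(buf, pos)
        pos += 2                                   # ';'
        rtype = struct.unpack_from("<I", buf, pos)[0]
        pos += 4 + 2                               # DWORD + ';'
        size = struct.unpack_from("<I", buf, pos)[0]
        pos += 4 + 2                               # DWORD + ';'
        records.append((key, name, rtype, buf[pos:pos + size]))
        pos += size + 2                            # data + ']'
    return records


def _describe(cond):
    """One-line summary of a Path, Publisher or Hash condition element."""
    if cond.tag == "FilePathCondition":
        return cond.get("Path")
    if cond.tag == "FilePublisherCondition":
        return "%s / %s / %s" % (cond.get("PublisherName"), cond.get("ProductName"), cond.get("BinaryName"))
    if cond.tag == "FileHashCondition":
        return ", ".join(h.get("SourceFileName", "?") + "=" + h.get("Data", "?") for h in cond)
    return cond.tag


def applocker_policy(records):
    """Group SrpV2 records by collection into {"enforcement": ..., "rules": [...]}."""
    policy = {}
    for key, name, rtype, data in records:
        if not key.upper().startswith(SRPV2.upper()):
            continue
        parts = key[len(SRPV2):].strip("\\").split("\\")   # [collection, {rule guid}]
        coll = policy.setdefault(parts[0], {"enforcement": None, "rules": []})
        if name.lower() == "enforcementmode" and rtype == REG_DWORD:
            coll["enforcement"] = ENFORCEMENT.get(struct.unpack("<I", data)[0], "?")
        elif name.lower() == "value" and rtype == REG_SZ:
            rule = ET.fromstring(data.decode("utf-16-le").rstrip("\0"))
            coll["rules"].append({
                "type": rule.tag,                  # FilePathRule / FilePublisherRule / FileHashRule
                "id": rule.get("Id"),
                "name": rule.get("Name"),
                "sid": rule.get("UserOrGroupSid"),
                "action": rule.get("Action"),
                "conditions": [_describe(c) for c in rule.findall("Conditions/*")],
            })
    return policy


def deny_rules(policy):
    """(collection, rule) pairs for every Deny rule, the ones worth auditing first."""
    return [(coll, r) for coll, c in policy.items() for r in c["rules"] if r["action"] == "Deny"]


def sample_registry_pol() -> bytes:
    """Constructed Registry.pol: Exe collection enforced, one default allow rule and one
    publisher deny rule. GUIDs and the publisher string are made up for this example."""
    allow = ('<FilePathRule Id="11111111-1111-1111-1111-111111111111" '
             'Name="(Default Rule) All files located in the Program Files folder" '
             'Description="" UserOrGroupSid="S-1-1-0" Action="Allow">'
             '<Conditions><FilePathCondition Path="%PROGRAMFILES%\\*"/></Conditions></FilePathRule>')
    deny = ('<FilePublisherRule Id="22222222-2222-2222-2222-222222222222" '
            'Name="Block example vendor tools" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">'
            '<Conditions><FilePublisherCondition PublisherName="O=EXAMPLE VENDOR, L=NOWHERE, C=XX" '
            'ProductName="*" BinaryName="*"><BinaryVersionRange LowSection="*" HighSection="*"/>'
            '</FilePublisherCondition></Conditions></FilePublisherRule>')
    return build_registry_pol([
        (SRPV2 + r"\Exe", "EnforcementMode", REG_DWORD, struct.pack("<I", 1)),
        (SRPV2 + r"\Exe\{11111111-1111-1111-1111-111111111111}", "Value", REG_SZ, _u16(allow) + b"\0\0"),
        (SRPV2 + r"\Exe\{22222222-2222-2222-2222-222222222222}", "Value", REG_SZ, _u16(deny) + b"\0\0"),
    ])


if __name__ == "__main__":
    import sys
    buf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_registry_pol()
    policy = applocker_policy(parse_registry_pol(buf))
    for coll, c in policy.items():
        print(f"[{coll}] enforcement={c['enforcement']}")
        for r in c["rules"]:
            print(f"  {r['action']:5} {r['type']:18} {r['sid']:8} {r['name']} -> {r['conditions']}")
```

Run it with the path to a Registry.pol as the only argument to print each collection's enforcement mode and rules; with no argument it parses the constructed sample. The output mirrors the SrpV2 key layout, so the same grouping is what you would expect to see when walking the Exe, Script, Msi, Dll and Appx subkeys on the host itself.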