AppLocker
AppLocker is a Microsoft technology that can enforce whitelisting for application execution. Rules can be extremely specific, but commonly contain loopholes. If you encounter the error "This application is blocked by group policy", the machine is enforcing AppLocker rules.
The quickest way to bypass AppLocker is to execute payloads via LOLBins or by placing your payload in the C:\Windows\Tasks folder.
Viewing Rules
Manually reviewing AppLocker rules may be necessary if certain LOLBins are locked down. If you have access to PowerShell:
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Get-AppLockerPolicy -Effective -Xml
Or if you don't, open the policy location in the registry:
regedit HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2
Some default rules include:
Allow scripts located in Program Files folder to run.
Allow scripts located in System32 folder to run.
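The review described above can be scripted. The following is an added audit example, not code from the original page: it loads the effective AppLocker policy as XML (falling back to a constructed sample rule when the cmdlet is unavailable), lists every path rule, and flags Allow rules whose wildcard covers a tree containing a user-writable subfolder such as the C:\Windows\Tasks folder mentioned above. The function names and the sample rule are assumptions for this example.

```powershell
# Added audit example (not from the original page). Flattens each FilePathRule in
# the effective AppLocker policy into one row per path condition.
function Get-AppLockerPathRules {
    param([xml]$Policy)
    foreach ($collection in $Policy.AppLockerPolicy.RuleCollection) {
        foreach ($rule in $collection.FilePathRule) {
            foreach ($cond in $rule.Conditions.FilePathCondition) {
                [pscustomobject]@{
                    Collection  = $collection.Type
                    Enforcement = $collection.EnforcementMode
                    Name        = $rule.Name
                    Action      = $rule.Action
                    Path        = $cond.Path
                }
            }
        }
    }
}

# Wildcard roots that cover C:\Windows\Tasks (the writable subfolder named on
# this page); an Allow rule on any of these deserves a matching Deny exception.
$broadRoots = @('%WINDIR%\*', '%OSDRIVE%\*', '*')

function Find-BroadAllowRules {
    param([xml]$Policy)
    Get-AppLockerPathRules -Policy $Policy |
        Where-Object { $_.Action -eq 'Allow' -and $broadRoots -contains $_.Path }
}

# Prefer the live policy; fall back to a constructed sample (assumed, not a
# captured policy) so the script still runs where the cmdlet is missing.
try {
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
} catch {
    [xml]$policy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Sample: scripts in Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
}

Get-AppLockerPathRules -Policy $policy | Format-Table -AutoSize
"Allow rules covering a tree with a known writable subfolder (add Deny exceptions):"
Find-BroadAllowRules -Policy $policy | Format-Table Collection, Name, Path -AutoSize
```

On a machine with the policy applied, the second table is the list of path rules to tighten; an empty table means no Allow rule relies on a bare %WINDIR%, %OSDRIVE% or global wildcard.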