There are 5 AppLocker rule collections. These are the types of applications that

Type                     Description
Executables              .exe and .com
Windows Installer files  Determines if Msiexec.exe will process an installer
Scripts                  .ps1, .bat, .cmd, .js, .vbs
DLLs                     Self-explanatory
Packaged apps            Appx

Properties

  • Each rule collection can be turned on or off independently.
  • Each rule collection can be set to audit-only or enforce mode independently.

Rule Criteria

Decides how a rule identifies the files it applies to: by Path, Publisher (signature) or Hash.

Check which policies are applied to a device

Get-AppLockerPolicy -Effective -Xml

Unfortunately this does not work for AppLocker policies applied via the Intune AppLocker CSP.

Download AccessChk (Optional)

.\Support\DownloadAccesschk.ps1

Generate Policies

.\Create-policies.ps1

  • Scans writable directories, among other things.

Find executables under writable directories

.\Scan-Directories.ps1 -WritableWindir -WritablePF -Excel

The first command below finds non-default directories in the root of C: that may need further analysis; the second scans a directory taken from that output.

.\Scan-Directories.ps1 -FindNonDefaultRootDirs -Excel
.\Scan-Directories.ps1 -DirsToSearch <Directory>

If the scans above show anything, you will need to manually handle the files/folders/certificates concerned:

  • If it is a safe dir -> you can add the path to GetSafePathsToAllow.ps1
  • If it is an unsafe dir -> you can use hash/file/certificate rules instead

Unsafe Path Rules

Trusted Signers: trust EVERYTHING signed by that signer.

Trusted Executables: automatically build rules that require a specific file name and a specific signer (and optionally a version).

Safe Path Rules

ProgramData

.\Scan-Directories.ps1 -SearchProgramData

If it is a safe dir:

  • Use path rules to allow it (GetSafePathsToAllow.ps1).
  • This can also be used to allow an unsafe dir outright, e.g. C:\Temp. But if someone knows about this, it will bypass AppLocker 🙂

If it is an unsafe dir:

  • Generate publisher and hash rules (UnsafePathsToBuildRulesFor.ps1).
  • TrustedSigners.ps1 – allow all executables from certain publishers.
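The safe/unsafe split above comes down to one question: can a standard user create or change files under the directory? The following is an added example, not code from the page or from AaronLocker, that answers it from the directory's DACL so you can decide between a path rule and hash/publisher rules. It assumes the listed well-known principals represent "standard users" in your environment; generic access rights and Deny ACEs are not expanded, so AccessChk remains the authoritative check.

```powershell
# Added example, not code from the page or from AaronLocker: classify directories
# as "safe" (standard users cannot add or change files) or "unsafe" (they can).
# Assumption: the low-privilege principals below cover "standard users" in your
# environment. Generic rights (GENERIC_WRITE etc.) and Deny ACEs are not
# expanded here; AccessChk gives the authoritative answer.

$LowPrivPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Users'
)

# Any of these lets a caller create or modify content under the directory.
# Write already includes CreateFiles (WriteData) and CreateDirectories (AppendData).
$WriteRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Write, Modify, FullControl'

function Test-UserWritableDirectory {
    param([Parameter(Mandatory)][string]$Path)

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Cannot read the DACL (e.g. access denied): report unknown rather than safe.
        return [pscustomobject]@{ Path = $Path; Writable = $null; GrantedTo = 'unknown'; Rights = $_.Exception.Message }
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteRights) -ne 0) {
            return [pscustomobject]@{
                Path      = $Path
                Writable  = $true
                GrantedTo = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
    [pscustomobject]@{ Path = $Path; Writable = $false; GrantedTo = $null; Rights = $null }
}

# Usage: check the directories in the root of C: (the output of
# Scan-Directories.ps1 -FindNonDefaultRootDirs works just as well as input).
$roots   = Get-ChildItem -LiteralPath 'C:\' -Directory -Force -ErrorAction SilentlyContinue
$results = foreach ($d in $roots) { Test-UserWritableDirectory -Path $d.FullName }

'Unsafe (needs hash/publisher rules, or an exclusion):'
$results | Where-Object { $_.Writable -eq $true } | Format-Table Path, GrantedTo, Rights -AutoSize
'Safe (candidates for a path rule):'
$results | Where-Object { $_.Writable -eq $false } | Select-Object -ExpandProperty Path
```

A directory that shows up as unsafe here is exactly the case where a blanket path rule such as C:\Temp\* becomes a bypass: anything a standard user drops there would be allowed. Subdirectories can have their own, looser DACLs, so run it recursively before trusting a parent path.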

Regenerate Policy

.\Create-policies.ps1

Apply Policy Locally

Audit Mode

.\ApplyPolicyToLocalGPO.ps1 -AuditOnly:$true

Enforce Mode

.\ApplyPolicyToLocalGPO.ps1

Check logs for blocked/audited events

.\Get-AppLockerEvents.ps1 -Excel

Audit (Defender for Endpoint advanced hunting query)

DeviceEvents
| where ActionType in ("AppControlAppInstallationAudited","AppControlExecutableAudited","AppControlPackagedAppAudited","AppControlScriptAudited")
| where FileName !startswith "__PSSCRIPTPOLICYTEST"
| summarize count() by FileName,DeviceName,InitiatingProcessFileName,ActionType

Blocked (Defender for Endpoint advanced hunting query)

DeviceEvents
| where ActionType in ("AppControlAppInstallationBlocked","AppControlExecutableBlocked","AppControlPackagedAppBlocked","AppControlScriptBlocked")
| where FileName !startswith "__PSSCRIPTPOLICYTEST"
//| summarize count() by FileName,DeviceName,InitiatingProcessFileName,ActionType
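The advanced hunting queries above need the device to be onboarded; the same audited and blocked decisions are also written to the local AppLocker event logs on every machine. The following is an added example, not code from the page or from AaronLocker, that reads those logs directly and groups the results the way the KQL does. Log names and event IDs are the standard AppLocker ones (8003/8006/8021/8024 audited, 8004/8007/8022/8025 blocked); the __PSSCRIPTPOLICYTEST filter mirrors the KQL, since PowerShell itself drops those throwaway scripts to probe the policy.

```powershell
# Added example, not code from the page or from AaronLocker: summarise audited
# and blocked events from the local AppLocker event logs, the on-box equivalent
# of the advanced hunting queries. Log names and event IDs are the standard
# AppLocker ones.

$AppLockerLogs = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script',
    'Microsoft-Windows-AppLocker/Packaged app-Execution',
    'Microsoft-Windows-AppLocker/Packaged app-Deployment'
)

# Audit = "would have been blocked" (policy in AuditOnly); Blocked = actually denied.
$AuditIds   = 8003, 8006, 8021, 8024
$BlockedIds = 8004, 8007, 8022, 8025

function Get-AppLockerDecision {
    param(
        [ValidateSet('Audit', 'Blocked')][string]$Outcome = 'Audit',
        [int]$MaxEvents = 5000
    )

    $ids = if ($Outcome -eq 'Audit') { $AuditIds } else { $BlockedIds }

    foreach ($log in $AppLockerLogs) {
        # Get-WinEvent errors when a log has no matching events; that is not a failure here.
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids } `
                               -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # The useful fields live under UserData/RuleAndFileData in the event XML.
            $x = [xml]$e.ToXml()
            $d = $x.Event.UserData.RuleAndFileData
            if (-not $d) { continue }
            # PowerShell writes __PSSCRIPTPOLICYTEST_*.ps1 files to test the policy; ignore them.
            if ($d.FilePath -like '*__PSSCRIPTPOLICYTEST*') { continue }
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Outcome   = $Outcome
                EventId   = $e.Id
                FilePath  = $d.FilePath        # uses AppLocker variables such as %OSDRIVE%
                Publisher = $d.Fqbn            # "O=...\Product\Binary\Version" if signed, "-" otherwise
                Sha256    = $d.FileHash
                UserSid   = $d.TargetUser
                ProcessId = $d.TargetProcessId
                Computer  = $e.MachineName
            }
        }
    }
}

# Usage: what would be blocked in audit mode, counted by file path and user,
# which is the list to work through before switching to enforce mode.
Get-AppLockerDecision -Outcome Audit |
    Group-Object FilePath, UserSid |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Same view for events that were actually blocked.
Get-AppLockerDecision -Outcome Blocked |
    Group-Object FilePath, Publisher |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Grouping by Publisher on the blocked view tells you quickly whether a publisher rule would cover a whole family of hits, while an unsigned file ("-" in Fqbn) can only be handled by a hash rule or by fixing where it lives.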

Clear Applocker logs

.\ClearAppLockerLogs.ps1

Check if an AppLocker policy delivered via MDM was applied

Go to C:\Windows\System32\AppLocker\MDM

It will contain "Policy" files, which are flat XML files.
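Both the effective policy from Get-AppLockerPolicy -Effective -Xml (from the "Check which policies are applied" section above) and the flat XML files under the MDM folder use the same AppLocker policy schema, so one parser covers both. The following is an added example, not code from the page or from AaronLocker, that summarises each rule collection's enforcement mode and rule mix and lists the individual rules. Element and attribute names (AppLockerPolicy, RuleCollection, FilePathRule, FilePublisherRule, FileHashRule and their conditions) are the standard schema; the file names under the MDM folder are not assumed, every file there is tried and non-XML ones are skipped, and RuleCollection elements are located by XPath so a file containing only collections (no AppLockerPolicy wrapper) also parses.

```powershell
# Added example, not code from the page or from AaronLocker: summarise an
# AppLocker policy XML, from Get-AppLockerPolicy -Effective -Xml or from a
# file under C:\Windows\System32\AppLocker\MDM. Schema names are the standard
# AppLocker ones; the MDM file names are not assumed.

function Import-AppLockerPolicyXml {
    param([Parameter(Mandatory)][string]$PolicyXml)
    # Accept either XML text or a path to a file containing it.
    if ($PolicyXml.TrimStart().StartsWith('<')) { return [xml]$PolicyXml }
    return [xml](Get-Content -LiteralPath $PolicyXml -Raw)
}

function Get-AppLockerPolicySummary {
    param([Parameter(Mandatory)][string]$PolicyXml)
    $xml = Import-AppLockerPolicyXml $PolicyXml
    # //RuleCollection also matches files that carry collections without the wrapper element.
    foreach ($rc in $xml.SelectNodes('//RuleCollection')) {
        [pscustomobject]@{
            Collection      = $rc.Type                   # Exe, Dll, Msi, Script, Appx
            EnforcementMode = $rc.EnforcementMode        # NotConfigured, AuditOnly or Enabled
            PathRules       = $rc.SelectNodes('FilePathRule').Count
            PublisherRules  = $rc.SelectNodes('FilePublisherRule').Count
            HashRules       = $rc.SelectNodes('FileHashRule').Count
            DenyRules       = $rc.SelectNodes('*[@Action="Deny"]').Count
        }
    }
}

function Get-AppLockerRuleDetail {
    param([Parameter(Mandatory)][string]$PolicyXml)
    $xml = Import-AppLockerPolicyXml $PolicyXml
    foreach ($rc in $xml.SelectNodes('//RuleCollection')) {
        foreach ($rule in $rc.SelectNodes('FilePathRule|FilePublisherRule|FileHashRule')) {
            $cond = $rule.Conditions.FirstChild     # the single *Condition element
            $what = switch ($rule.LocalName) {
                'FilePathRule'      { $cond.Path }
                'FilePublisherRule' {
                    '{0} | {1} | {2} | {3} to {4}' -f $cond.PublisherName, $cond.ProductName,
                        $cond.BinaryName, $cond.BinaryVersionRange.LowSection, $cond.BinaryVersionRange.HighSection
                }
                'FileHashRule'      { (@($cond.FileHash) | ForEach-Object { $_.SourceFileName }) -join ', ' }
            }
            [pscustomobject]@{
                Collection = $rc.Type
                Kind       = $rule.LocalName -replace '^File|Rule$'   # Path, Publisher or Hash
                Action     = $rule.Action
                Principal  = $rule.UserOrGroupSid                    # S-1-1-0 = Everyone
                Name       = $rule.Name
                Condition  = $what
                Exceptions = $rule.SelectNodes('Exceptions/*').Count
            }
        }
    }
}

# Usage 1: the effective local policy (not populated for CSP-delivered policy, as noted above).
$effective = Get-AppLockerPolicy -Effective -Xml
Get-AppLockerPolicySummary -PolicyXml $effective | Format-Table -AutoSize
# Path rules deserve a second look: each one is only as safe as the directory it allows.
Get-AppLockerRuleDetail -PolicyXml $effective | Where-Object Kind -eq 'Path' | Format-Table -AutoSize

# Usage 2: policy files delivered through the AppLocker CSP.
Get-ChildItem -LiteralPath 'C:\Windows\System32\AppLocker\MDM' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try {
            Get-AppLockerPolicySummary -PolicyXml $file.FullName |
                Add-Member -NotePropertyName Source -NotePropertyValue $file.FullName -PassThru
        } catch {
            Write-Warning "Skipping $($file.FullName): not an AppLocker policy XML"
        }
    } | Format-Table -AutoSize
```

The summary is the quickest way to confirm that a collection you believe is enforced is not still in AuditOnly, and that a collection you intended to leave alone has not been set to Enabled with no rules, which blocks everything of that type.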