There are 5 AppLocker rule collections. These are the types of applications that

| Rule collection | What it covers |
|---|---|
| Executables | .exe and .com |
| Windows Installer files | Determines if Msiexec.exe will process an installer |
| Scripts | .ps1, .bat, .cmd, .js, .vbs |
- Each rule collection can be turned on or off.
- Each rule collection can be set to audit or enforce mode.
Rule conditions decide how a rule matches a file: Path, Publisher or Hash.
Check which policies are applied to a device
Unfortunately this does not work for AppLocker policies applied via the Intune AppLocker CSP.
Get-AppLockerPolicy -Effective -Xml
Download AccessChk (Optional)
- Used to scan for writable directories, among other things.
Find executables under writable directories
.\Scan-Directories.ps1 -WritableWindir -WritablePF -Excel
The below finds directories in the root of C that may need further analysis.
.\Scan-Directories.ps1 -FindNonDefaultRootDirs -Excel
.\Scan-Directories.ps1 -DirsToSearch <Directory> (a directory found by the command above)
If the scans above find anything, you will need to handle each result manually by path, file hash or certificate:
- If it is a safe dir –> add the path to GetSafePathsToAllow.ps1
- If it is an unsafe dir –> use hash, file or certificate rules instead of a path rule
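The directory scan described above, written as an added example for these notes rather than one of the scripts named here: it walks the Windows and Program Files trees with Get-Acl, reports every directory that a standard (non-admin) user can create files in, and counts the executable and script files already sitting there. Those directories are exactly the ones a path rule must not cover, so the output is the list to feed into the exclusions. The identity list and extension list are my assumptions; run it elevated.

```powershell
# Added example for these notes; not one of the scripts named above.
# Lists directories under the "safe" trees that low-privilege users can write to,
# with a count of executable/script files already present in each.
# Assumptions: run elevated; the identity and extension lists below are mine.

$LowPrivIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE')
$ExecutableExts = @('.exe', '.com', '.dll', '.ocx', '.msi', '.ps1', '.bat', '.cmd', '.js', '.vbs')

function Test-UserWritableDirectory {
    param([Parameter(Mandatory)][string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }

    # Rights that let a user drop a new file or folder into the directory
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
    $allowed = $false; $denied = $false
    foreach ($ace in $acl.Access) {
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        # An inherit-only ACE applies to children, not to this directory itself
        if (($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        $rights = [int]$ace.FileSystemRights
        # GENERIC_ALL / GENERIC_WRITE show up as raw bits rather than named rights
        if (($rights -band 0x10000000) -or ($rights -band 0x40000000)) { $rights = $rights -bor $writeBits }
        if (($rights -band $writeBits) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allowed = $true } else { $denied = $true }
    }
    return ($allowed -and -not $denied)
}

function Find-UserWritableDirectories {
    param([string[]]$Roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}))
    foreach ($root in $Roots) {
        if (-not ($root -and (Test-Path -LiteralPath $root))) { continue }
        # The root itself plus every subdirectory; unreadable ones are skipped
        $dirs = @($root) + @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
                             ForEach-Object FullName)
        foreach ($dir in $dirs) {
            if (-not (Test-UserWritableDirectory -Path $dir)) { continue }
            $files = @(Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
                       Where-Object { $ExecutableExts -contains $_.Extension.ToLowerInvariant() })
            [pscustomobject]@{
                Directory       = $dir
                ExecutableCount = $files.Count
                Examples        = ($files | Select-Object -First 3 -ExpandProperty Name) -join ', '
            }
        }
    }
}

# Usage: every directory listed here must be excluded from any path rule that covers its parent
Find-UserWritableDirectories | Sort-Object Directory | Format-Table -AutoSize
```

An empty writable directory is still worth listing: the problem is the write access, not the files that happen to be there today.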
Unsafe Path Rules
Trusted Signers (Trust EVERYTHING by that signer)
Trusted Executables (Build rules that require a certain file name and certain signer (Optionally version) automatically)
Safe Path Rules
If it is a safe dir:
- Use path rules to allow it. GetSafePathsToAllow.ps1
- This can also be used to allow an unsafe dir wholesale, e.g. C:\Temp. But anyone who knows about it can use that directory to bypass AppLocker 🙂
For Unsafe Dirs:
- Generate Publisher and hash rules. UnsafePathsToBuildRulesFor.ps1
- TrustedSigners.ps1 – Allow all executables from certain publishers.
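Building the three kinds of rule from this section with the AppLocker PowerShell module, as an added example rather than the GetSafePathsToAllow.ps1 / UnsafePathsToBuildRulesFor.ps1 / TrustedSigners.ps1 scripts themselves: a path rule for a safe directory, publisher rules with hash fallback for an unsafe one, and a trusted-signer rule made by widening a generated publisher condition to "*". The directory and file names are placeholders, and nothing is applied to the device.

```powershell
# Added example, not one of the scripts named above. Requires the AppLocker module
# (Windows 10/11 Enterprise/Education or Server). Directory and file names are placeholders.
Import-Module AppLocker

$SafeDir   = 'C:\Program Files\ExampleApp'    # placeholder: only admins can write here
$UnsafeDir = 'C:\Users\Public\ExampleTool'    # placeholder: standard users can write here
$RefSigned = Join-Path $UnsafeDir 'tool.exe'  # placeholder: a file signed by the vendor you trust
$FileTypes = 'Exe', 'Dll', 'Script', 'WindowsInstaller'

# 1. Safe directory: one path rule per collection is enough, because users cannot plant files there.
$safeInfo   = Get-AppLockerFileInformation -Directory $SafeDir -Recurse -FileType $FileTypes
$safePolicy = New-AppLockerPolicy -FileInformation $safeInfo -RuleType Path -User Everyone -RuleNamePrefix SafeDir

# 2. Unsafe directory: never a path rule. Publisher rule where the file is signed, hash rule otherwise.
$unsafeInfo   = Get-AppLockerFileInformation -Directory $UnsafeDir -Recurse -FileType $FileTypes
$unsafePolicy = New-AppLockerPolicy -FileInformation $unsafeInfo -RuleType Publisher, Hash -User Everyone -RuleNamePrefix UnsafeDir -Optimize

# 3. Trusted signer: generate a publisher rule from one reference file, then widen product,
#    binary name and version to "*" so everything signed by that publisher is allowed.
$refInfo = Get-AppLockerFileInformation -Path $RefSigned
[xml]$signerXml = (New-AppLockerPolicy -FileInformation $refInfo -RuleType Publisher -User Everyone -RuleNamePrefix Signer).ToXml()
foreach ($cond in $signerXml.SelectNodes('//FilePublisherCondition')) {
    $cond.SetAttribute('ProductName', '*')
    $cond.SetAttribute('BinaryName', '*')
    $cond.BinaryVersionRange.SetAttribute('LowSection', '*')
    $cond.BinaryVersionRange.SetAttribute('HighSection', '*')
}

# Save each piece for review, then check a decision before anything is applied.
$safePath   = Join-Path $PWD 'safe-path-rules.xml'
$unsafePath = Join-Path $PWD 'unsafe-dir-rules.xml'
$signerPath = Join-Path $PWD 'trusted-signer.xml'
$safePolicy.ToXml()   | Set-Content -LiteralPath $safePath
$unsafePolicy.ToXml() | Set-Content -LiteralPath $unsafePath
$signerXml.Save($signerPath)

# Would the reference file be allowed under the unsafe-dir rules, and by which rule?
Test-AppLockerPolicy -XmlPolicy $unsafePath -Path $RefSigned -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

To apply one of the saved files locally (the "Apply Policy Locally" step), Set-AppLockerPolicy -XmlPolicy <file> -Merge adds its rules to the existing local policy; keep the collections in audit mode until the audited events look clean.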
Apply Policy Locally
Check logs for blocked/audited events
DeviceEvents
| where ActionType in ("AppControlAppInstallationAudited", "AppControlExecutableAudited", "AppControlPackagedAppAudited", "AppControlScriptAudited")
| where FileName !startswith "__PSSCRIPTPOLICYTEST"
| summarize count() by FileName, DeviceName, InitiatingProcessFileName, ActionType

DeviceEvents
| where ActionType in ("AppControlAppInstallationBlocked", "AppControlExecutableBlocked", "AppControlPackagedAppBlocked", "AppControlScriptBlocked")
| where FileName !startswith "__PSSCRIPTPOLICYTEST"
//| summarize count() by FileName, DeviceName, InitiatingProcessFileName, ActionType
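The same check done locally on one device instead of in Advanced Hunting, as an added example that is not part of the notes: it reads the AppLocker operational logs with Get-WinEvent, pulls the audited or blocked events, drops PowerShell's own __PSSCRIPTPOLICYTEST probe files just as the KQL does, and groups by file and publisher. The log names and event IDs are taken from the AppLocker log schema as I know it and are labelled as assumptions in the code.

```powershell
# Added example, not from the notes: local counterpart of the Advanced Hunting queries above.
# Event IDs (assumed from the AppLocker log schema): 8003/8004 EXE and DLL audited/blocked,
# 8006/8007 MSI and script audited/blocked, 8021/8022 packaged app run audited/blocked,
# 8024/8025 packaged app install audited/blocked.
function Get-AppLockerDecisionSummary {
    param(
        [ValidateSet('Audited', 'Blocked')][string]$Outcome = 'Audited',
        [int]$Days = 7
    )
    $logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
            'Microsoft-Windows-AppLocker/MSI and Script',
            'Microsoft-Windows-AppLocker/Packaged app-Execution',
            'Microsoft-Windows-AppLocker/Packaged app-Deployment'
    $ids = @{ Audited = 8003, 8006, 8021, 8024; Blocked = 8004, 8007, 8022, 8025 }[$Outcome]

    $events = Get-WinEvent -FilterHashtable @{ LogName = $logs; Id = $ids; StartTime = (Get-Date).AddDays(-$Days) } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Rule/file details live under Event/UserData; the child element's name differs per log,
        # so take whatever the first child is. "Package" for packaged-app events is an assumption.
        $d = ([xml]$e.ToXml()).Event.UserData.FirstChild
        $path = if ($d.FilePath) { $d.FilePath } elseif ($d.Package) { $d.Package } else { '(unknown)' }
        # PowerShell writes __PSSCRIPTPOLICYTEST_*.ps1 files to probe the policy; drop them like the KQL does
        if ($path -like '*__PSSCRIPTPOLICYTEST*') { continue }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Collection = $e.LogName -replace '^Microsoft-Windows-AppLocker/', ''
            Outcome    = $Outcome
            FilePath   = $path
            Publisher  = $d.Fqbn
            User       = $d.TargetUser
            Policy     = $d.PolicyName
        }
    }
}

# Usage: what would have been blocked if the audited collections were switched to enforce
Get-AppLockerDecisionSummary -Outcome Audited -Days 14 |
    Group-Object FilePath, Publisher |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run with -Outcome Blocked after switching to enforce mode to confirm that only the expected files are being stopped.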
Clear Applocker logs
Check if Applocker applied
Go to C:\Windows\System32\AppLocker\MDM
It will contain "Policy" files, which are plain XML files.
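A summariser that serves both the "Check which policies are applied" step and this MDM folder check, added here as an example rather than anything from the notes: it parses either the effective policy from Get-AppLockerPolicy or one of the Policy files under C:\Windows\System32\AppLocker\MDM and prints each rule collection with its enforcement mode and rule counts, which is the quickest way to see whether a collection is off, in audit, or enforced. That an MDM file holds either a full AppLockerPolicy document or a bare RuleCollection element is my assumption, as is the Policy* file-name pattern.

```powershell
# Added example, not from the notes: summarise the rule collections (type, enforcement mode,
# rule counts) of either the effective policy or a "Policy" file from the MDM folder, which is
# where Intune CSP policy lands that Get-AppLockerPolicy -Effective does not report.
# Assumption: an MDM file holds either a full <AppLockerPolicy> document or a bare <RuleCollection>.
function Get-AppLockerCollectionSummary {
    param([string]$PolicyXmlPath)
    if ($PolicyXmlPath) {
        [xml]$doc = Get-Content -LiteralPath $PolicyXmlPath -Raw
        $source = $PolicyXmlPath
    } else {
        [xml]$doc = Get-AppLockerPolicy -Effective -Xml
        $source = 'Effective (Get-AppLockerPolicy)'
    }
    $collections = if ($doc.DocumentElement.LocalName -eq 'RuleCollection') { @($doc.DocumentElement) }
                   else { @($doc.AppLockerPolicy.RuleCollection) }
    foreach ($rc in $collections) {
        $rules = @($rc.ChildNodes | Where-Object NodeType -eq 'Element')
        [pscustomobject]@{
            Source          = $source
            Collection      = $rc.GetAttribute('Type')
            EnforcementMode = $rc.GetAttribute('EnforcementMode')   # NotConfigured, AuditOnly or Enabled
            PathRules       = @($rules | Where-Object LocalName -eq 'FilePathRule').Count
            PublisherRules  = @($rules | Where-Object LocalName -eq 'FilePublisherRule').Count
            HashRules       = @($rules | Where-Object LocalName -eq 'FileHashRule').Count
            DenyRules       = @($rules | Where-Object { $_.GetAttribute('Action') -eq 'Deny' }).Count
        }
    }
}

# Effective policy as the local AppLocker service reports it
Get-AppLockerCollectionSummary | Format-Table -AutoSize

# Policy files pushed by the Intune CSP, which -Effective does not include (file-name pattern assumed)
Get-ChildItem -LiteralPath 'C:\Windows\System32\AppLocker\MDM' -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object Name -like 'Policy*' |
    ForEach-Object { Get-AppLockerCollectionSummary -PolicyXmlPath $_.FullName } |
    Format-Table -AutoSize
```

A collection that shows NotConfigured is effectively off; AuditOnly logs but does not block, so the two runs together tell you whether the device is really enforcing what you think it is.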