There are five AppLocker rule collections. These are the types of applications that
| Type | Description |
|---|---|
| Executables | .exe and .com |
| Windows Installer files | Determines if Msiexec.exe will process an installer |
| Scripts | .ps1, .bat, .cmd, .js, .vbs |
| DLLs | Self-explanatory |
| Packaged apps | Appx |
Properties
- Each rule collection can be turned on or off.
- Each rule collection can be set to audit or enforce mode.
Rule Criteria
Decides how a rule matches a file: Path, Publisher or Hash.
Check which policies are applied to a device
Get-AppLockerPolicy -Effective -Xml
Unfortunately this does not show AppLocker policies applied via the Intune AppLocker CSP (see "Check if AppLocker applied" below).
Download AccessChk (Optional)
.\Support\DownloadAccesschk.ps1
Generate Policies
.\Create-policies.ps1
- Scans writable directories, among other things.
Find executables under writeable directories
.\Scan-Directories.ps1 -WritableWindir -WritablePF -Excel
The command below finds non-default directories in the root of C:\ that may need further analysis.
.\Scan-Directories.ps1 -FindNonDefaultRootDirs -Excel
.\Scan-Directories.ps1 -DirsToSearch <directory found above>
If the scans above report anything, you will need to handle each file, folder or certificate manually:
- If it is a safe directory -> add the path to GetSafePathsToAllow.ps1
- If it is an unsafe directory -> use hash, file or certificate (publisher) rules
Unsafe Path Rules
- Trusted Signers: trust EVERYTHING signed by that signer.
- Trusted Executables: automatically build rules that require a specific file name and a specific signer (optionally also a version).
Safe Path Rules
ProgramData
.\Scan-Directories.ps1 -SearchProgramData
If it is a safe directory:
- Use path rules to allow it: GetSafePathsToAllow.ps1
- This can also be used for unsafe directories to exclude them completely, e.g. C:\Temp. But anyone who knows about the excluded path can use it to bypass AppLocker 🙂
For unsafe directories:
- Generate publisher and hash rules: UnsafePathsToBuildRulesFor.ps1
- TrustedSigners.ps1: allow all executables from certain publishers.
Regenerate Policy
.\Create-policies.ps1
Apply Policy Locally
Audit Mode
.\ApplyPolicyToLocalGPO.ps1 -AuditOnly:$true
Enforce Mode
.\ApplyPolicyToLocalGPO.ps1
Check logs for blocked/audited events
.\Get-AppLockerEvents.ps1 -Excel
Audit
DeviceEvents
| where ActionType in ("AppControlAppInstallationAudited","AppControlExecutableAudited","AppControlPackagedAppAudited","AppControlScriptAudited")
| where FileName !startswith "__PSSCRIPTPOLICYTEST"
| summarize count() by FileName,DeviceName,InitiatingProcessFileName,ActionType
Blocked
DeviceEvents
| where ActionType in ("AppControlAppInstallationBlocked","AppControlExecutableBlocked","AppControlPackagedAppBlocked","AppControlScriptBlocked")
| where FileName !startswith "__PSSCRIPTPOLICYTEST"
//| summarize count() by FileName,DeviceName,InitiatingProcessFileName,ActionType
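The KQL above summarises the cloud-side DeviceEvents. The same audited/blocked view can be built from the local AppLocker event logs, which is useful for comparing the two during an audit-mode rollout. This is an added example, not part of these notes and not AaronLocker's Get-AppLockerEvents.ps1; it assumes the standard AppLocker channel names, the event IDs in the map below, and that the event UserData is a RuleAndFileData element carrying FilePath, FileHash, Fqbn and TargetUser.

```powershell
# Added example: summarise local AppLocker audit/block events per file and outcome.
# Assumed channel names (standard AppLocker channels on Windows 10/11).
$AppLockerLogs = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script',
    'Microsoft-Windows-AppLocker/Packaged app-Deployment',
    'Microsoft-Windows-AppLocker/Packaged app-Execution'
)

# Assumed event ID -> outcome map. The plain "allowed" IDs (8002/8005/8020/8023) are not collected.
$Outcome = @{
    8003 = 'Audited'; 8004 = 'Blocked'   # EXE and DLL
    8006 = 'Audited'; 8007 = 'Blocked'   # MSI and Script
    8021 = 'Audited'; 8022 = 'Blocked'   # Packaged app deployment
    8024 = 'Audited'; 8025 = 'Blocked'   # Packaged app execution
}

function Get-AppLockerEventSummary {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($log in $AppLockerLogs) {
        # -ErrorAction SilentlyContinue: an empty channel makes Get-WinEvent emit a "no events" error
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = [int[]]$Outcome.Keys; StartTime = $since } `
                               -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Assumption: the event XML carries the details under UserData/RuleAndFileData
            $x = [xml]$e.ToXml()
            $d = @{}
            foreach ($n in $x.Event.UserData.RuleAndFileData.ChildNodes) { $d[$n.LocalName] = $n.InnerText }
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Log       = $log.Split('/')[-1]
                Result    = $Outcome[$e.Id]
                File      = $d.FilePath
                User      = $d.TargetUser
                Publisher = $d.Fqbn
                Hash      = $d.FileHash
            }
        }
    }
}

# Mirrors the KQL: count by file and outcome for the last 7 days,
# skipping the temporary files PowerShell creates to test script policy.
Get-AppLockerEventSummary -Hours 168 |
    Where-Object { $_.File -notlike '*__PSSCRIPTPOLICYTEST*' } |
    Group-Object File, Result |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run it elevated, because the AppLocker channels are not readable by standard users. Audited events (8003/8006/8021/8024) are the ones that would become Blocked once the collection is switched to enforce mode, so the list is the to-do list for missing rules before flipping the switch.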
Clear Applocker logs
.\ClearAppLockerLogs.ps1
Check if AppLocker applied
Go to C:\Windows\System32\AppLocker\MDM
It will contain “Policy” files, which are flat XML files.
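Whether the policy came from Get-AppLockerPolicy -Effective -Xml (the "Check which policies are applied" step above) or from the Policy files under the MDM folder, it is the same rule XML, so one function can summarise both: enforcement mode per collection, rule counts by type, and the Allow path rules that point outside the roots the default rules use, since those are the paths that need the writable-directory check (the C:\Temp caveat above). This is an added example, not part of these notes or of AaronLocker. It assumes the XML is either a full <AppLockerPolicy> document or a bare <RuleCollection> fragment; the latter is my assumption about the CSP-written Policy files, so adjust the root handling if yours differ.

```powershell
# Added example: summarise an AppLocker policy XML and flag Allow path rules to review.
function Get-AppLockerPolicySummary {
    [CmdletBinding()]
    param(
        # Either the XML text itself or the path to an XML file
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$PolicyXml,
        # Roots the default rules already cover; Allow path rules elsewhere get flagged (assumed list)
        [string[]]$ExpectedRoots = @('%WINDIR%\', '%SYSTEM32%\', '%PROGRAMFILES%\')
    )
    process {
        # Treat anything that starts with '<' as XML text, otherwise as a file path
        $text = if ($PolicyXml.TrimStart().StartsWith('<')) { $PolicyXml }
                else { Get-Content -LiteralPath $PolicyXml -Raw }
        [xml]$doc = $text

        # Assumption: full <AppLockerPolicy> document or a bare <RuleCollection> fragment
        $collections = if ($doc.AppLockerPolicy) { $doc.AppLockerPolicy.RuleCollection }
                       else { @($doc.RuleCollection) }

        foreach ($c in $collections) {
            $rules = @($c.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
            [pscustomobject]@{
                Collection      = $c.Type               # Exe, Msi, Script, Dll, Appx
                EnforcementMode = $c.EnforcementMode    # NotConfigured / AuditOnly / Enabled
                PathRules       = @($rules | Where-Object LocalName -eq 'FilePathRule').Count
                PublisherRules  = @($rules | Where-Object LocalName -eq 'FilePublisherRule').Count
                HashRules       = @($rules | Where-Object LocalName -eq 'FileHashRule').Count
                # Allow path rules outside the expected roots: run Scan-Directories.ps1 against
                # these before trusting them, because a user-writable path here is a bypass
                PathAllowsToReview = @(
                    $rules |
                        Where-Object { $_.LocalName -eq 'FilePathRule' -and $_.Action -eq 'Allow' } |
                        ForEach-Object { $_.Conditions.FilePathCondition.Path } |
                        Where-Object {
                            $p = $_
                            -not ($ExpectedRoots | Where-Object { $p.StartsWith($_, 'OrdinalIgnoreCase') })
                        }
                ) -join '; '
            }
        }
    }
}

# Usage 1: the effective local/GPO policy
Get-AppLockerPolicy -Effective -Xml | Get-AppLockerPolicySummary | Format-Table -AutoSize

# Usage 2: the Policy files written under the MDM folder (Intune AppLocker CSP)
Get-ChildItem 'C:\Windows\System32\AppLocker\MDM' -Recurse -File |
    Where-Object Name -eq 'Policy' |
    ForEach-Object { $_.FullName } |
    Get-AppLockerPolicySummary | Format-Table -AutoSize
```

A collection with EnforcementMode NotConfigured is not enforced at all, and a collection that shows zero rules while Enabled blocks everything of that type, so both are worth a second look in the output before trusting the device state.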