While I was prepping for a session a while back I made a a little special discovery about AppLocker. Turns out that the files that AppLocker uses under C:\Windows\System32\AppLocker can be used in many cases to bypass a Default AppLocker ruleset. When a machine is deployed and the first user logs in, that user will be added with full access to the following files under that folder:
This does not happen to any other users that logs onto the computer, only the first interactive logon after AppLocker is enabled.
So, how do we abuse this? Since it is likely that the first user that logs onto a computer is the main user. I was not able to directly write to the files since they are locked by AppLocker, but you can add additional Alternate Data Streams and get execution that way.
First you need to add the binary you want to execute into a stream of that file like this:
type evilfile.exe > C:\Windows\System32\AppLocker\AppCache.dat.LOG1:evil.exe
After the file is added to the stream you can verify it by running the following command:
dir /a /r c:\windows\system32\AppLocker\AppCache.dat.LOG1
When you want to execute it you can for instance use WMIC to do that:
wmic process call create 'C:\Windows\System32\AppLocker\AppCache.dat.LOG1:evil.exe'
If you want to know more about Alternate Data streams you can always go and check out my posts on the topic right here:
I did report this to MSRC, but it did not meet the level needed to be serviced. I knew that before I sent it, but still I wanted MSRC to be aware of this. It is stated in this post that AppLocker will not be serviced:
To fix this you should create a deny rules blocking execution from the C:\Windows\System32\AppLocker path, and also remember to block alternate data stream from the same folder.
May 10. 2019 – Report sent to MSRC
May 10, 2019 – Automated response about MSRC received it
May 11, 2019 – Response from MSRC that the submission does not meet the bar for servicing
Also a shout-out to @notajungman that helped me to verify this in a production environment. Thanks!
One thought on “A small discovery about AppLocker”