I thought it would be useful to have a blog post about two different techniques you can use to bypass AppLocker if you are an admin on a host that has AppLocker enabled. The first technique that uses the GUI was briefly discussed in a tweet I posted a while back: https://twitter.com/Oddvarmoe/status/996147947975962624 My goal with this … Continue reading Bypassing AppLocker as an admin
Tag: AppLocker
%Temp%orary Constrained Language mode in AppLocker
TL;DR Done as a normal user without admin privs Change %TEMP%/%TMP% to point to a location that allows execution of scripts defined by AppLocker Start Powershell with the new environment variables that you set for %TEMP%/%TMP% and profit! Background This blogpost covers a technique I discovered when digging further into AppLocker to bypass Powershell Constrained … Continue reading %Temp%orary Constrained Language mode in AppLocker
AppLocker – Making sure that local rules are removed
This is just a quick blogpost about a thing I forgot to write about a long time ago. One issue with AppLocker is that when someone gets admin access on a box they can create local AppLocker rules that will be combined with the Group Policy AppLocker rules. This is explained in this tweet here: https://twitter.com/Oddvarmoe/status/996147947975962624 … Continue reading AppLocker – Making sure that local rules are removed
AppLocker for admins – Does it work?
A thing I see a lot is that AppLocker is used to "protect" servers and prevent admins from doing certain things. In this post I want to go over what sort of security this gives so that everyone can see Pros and Cons. A thing to remember is that an administrator has all the rights … Continue reading AppLocker for admins – Does it work?
Real whitelisting attempt using AppLocker
I wanted to try and see if I was able to use AppLocker to only allow needed files (Real whitelisting). Normally what you would do when setting up AppLocker is that you would start out by trusting something. This something could either be everything under C:\windows and c:\programfiles, or it could be every file that … Continue reading Real whitelisting attempt using AppLocker
Putting data in Alternate data streams and how to execute it
Part 2 of this research can be found here: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ I always had a fascination about ADS (Alternate data streams) and using it as part of a persistence. My first meeting with this as a persistence technique was when Matt Nelson aka @Enigma0x3 wrote a blogpost about using it: https://enigma0x3.net/2015/03/05/using-alternate-data-streams-to-persist-on-a-compromised-machine/ Quite recently I have started to play … Continue reading Putting data in Alternate data streams and how to execute it
Harden Windows with AppLocker – based on Case study part 2
For details on how the default rules works and how to implement them please see part 1 of the hardening posts here: https://oddvar.moe/2017/12/13/harden-windows-with-applocker-based-on-case-study-part-1/ Hardening In "AppLocker – Case study – How insecure is it really? – Part 2" we concluded that there is 1 definitive bypass technique that works and 2 possible ones. If … Continue reading Harden Windows with AppLocker – based on Case study part 2
AppLocker – Case study – How insecure is it really? – Part 2
This is part two of my blog series about the different bypasses that are supposed to work against AppLocker. I will, as I did in part 1 focus on the default rules in AppLocker. More details on the test technique and other juicy details can be found in my part 1 blogpost here (makes sense … Continue reading AppLocker – Case study – How insecure is it really? – Part 2
Harden Windows with AppLocker – based on Case study part 1
This blogpost is actually a tribute to Matt Graeber's request from twitter. Since I have learned so much stuff from that guy, I take these sort of request really seriously. In my post about how insecure AppLocker really are we concluded that the only valid bypass technique (from the 7 I tested) was actually … Continue reading Harden Windows with AppLocker – based on Case study part 1
AppLocker – Case study – How insecure is it really? – Part 1
I often hear that AppLocker is not very safe and it is easy to bypass. Since I really like AppLocker and I recommend it to customers, I decided to do this blogpost series and go over the different bypasses that we know of and see if they are working towards a default configured AppLocker setup. … Continue reading AppLocker – Case study – How insecure is it really? – Part 1