Applocker Basics

Practical LAB : HTB(Hathor)

If you want to create Applocker rule

In summary the following are allowed to run:

• Appx - Only signed

• Dll

  • Signed by Microsoft

  • In Program Files and Windows folders

  • Run by admin group

  • C:\share\scripts\7-zip64.dll or C:\Get-bADpasswords\PSI\Psi_x64.dll

• Exe

  • Explicitly blocks known AppLocker bypasses even signed by Microsoft, including MSDT.exe, PRESENTATIONHOST.exe, MSHTA.exe, MSBUILD.exe, INSTALLUTIL.exe

  • Allow Signed by administrator@windcorp.com, AutoIt, or Microsoft (if not in above)

  • Explicitly blocks known paths, like %SYSTEM#2%\Tasks:*, %SYSTEM32%\regvr32, %SYSTEM32%\spool\drivers\color:*, etc.

  • In Program Files and Windows folders

  • Run by admin group

  • C:\share\Bginfo64.exe.

• Msi

  • Signed

  • In C:\Windows\Installer

  • Run by admin group

• Scripts

  • Signed by administrator@windcorp.htb

  • In Program Files and Windows folders

  • Run by admin group

  • C:\script\login.cmd