AppLocker Basics
Practical lab: HTB (Hathor)
If you want to create an AppLocker rule
In summary, the following are allowed to run:

Appx
  - Only signed

Dll
  - Signed by Microsoft
  - In Program Files and Windows folders
  - Run by admin group
  - C:\share\scripts\7-zip64.dll or C:\Get-bADpasswords\PSI\Psi_x64.dll

Exe
  - Explicitly blocks known AppLocker bypasses even when signed by Microsoft, including MSDT.exe, PRESENTATIONHOST.exe, MSHTA.exe, MSBUILD.exe, INSTALLUTIL.exe
  - Allows binaries signed by administrator@windcorp.com, AutoIt, or Microsoft (if not in the block list above)
  - Explicitly blocks known paths, like %SYSTEM32%\Tasks\*, %SYSTEM32%\regsvr32, %SYSTEM32%\spool\drivers\color\*, etc.
  - In Program Files and Windows folders
  - Run by admin group
  - C:\share\Bginfo64.exe

Msi
  - Signed
  - In C:\Windows\Installer
  - Run by admin group

Scripts
  - Signed by administrator@windcorp.htb
  - In Program Files and Windows folders
  - Run by admin group
  - C:\script\login.cmd
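The summary above is the kind of picture you want to pull from a live host rather than reconstruct by hand. The following PowerShell is an added example (not from the original notes or from the Hathor box): it dumps the effective AppLocker policy per rule collection (Appx, Dll, Exe, Msi, Script), listing Deny rules first, and then asks AppLocker directly whether the known bypass binaries named above are denied for a given account. It assumes the built-in AppLocker module is available on the host being inspected; the account name is a placeholder, and the binary paths are the default locations on a 64-bit Windows install.

```powershell
# Added example, not part of the original notes. Assumes the AppLocker module
# (shipped with Windows 10/11 and Server) and that it runs on the host whose
# policy you are auditing. 'WINDCORP\someuser' below is a placeholder account.
Import-Module AppLocker

function Show-AppLockerSummary {
    # Effective policy = merge of the local policy and every applied AppLocker GPO.
    [xml]$policyXml = Get-AppLockerPolicy -Effective -Xml

    foreach ($collection in $policyXml.AppLockerPolicy.RuleCollection) {
        "== {0} (EnforcementMode={1}) ==" -f $collection.Type, $collection.EnforcementMode

        # Deny rules first: AppLocker honours an explicit Deny over any Allow.
        $rules = $collection.ChildNodes | Sort-Object { if ($_.Action -eq 'Deny') { 0 } else { 1 } }
        foreach ($rule in $rules) {
            "  [{0,-5}] {1}  (SID {2})" -f $rule.Action, $rule.Name, $rule.UserOrGroupSid
            foreach ($cond in $rule.Conditions.ChildNodes) {
                switch ($cond.LocalName) {
                    'FilePathCondition'      { "      path:      $($cond.Path)" }
                    'FilePublisherCondition' { "      publisher: $($cond.PublisherName) | product=$($cond.ProductName) | binary=$($cond.BinaryName)" }
                    'FileHashCondition'      { foreach ($h in $cond.FileHash) { "      hash:      $($h.SourceFileName) [$($h.Type)]" } }
                }
            }
            # Exceptions carve paths or publishers back out of a rule's conditions.
            foreach ($ex in $rule.Exceptions.ChildNodes) {
                "      except:    $($ex.Path)$($ex.PublisherName)"
            }
        }
    }
}

function Test-KnownBypassBinaries {
    param([Parameter(Mandatory)][string]$User)

    # The binaries the notes say are explicitly blocked, at their default
    # locations on 64-bit Windows. Files that are not present are skipped.
    $candidates = @(
        "$env:SystemRoot\System32\msdt.exe",
        "$env:SystemRoot\System32\mshta.exe",
        "$env:SystemRoot\System32\PresentationHost.exe",
        "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
    ) | Where-Object { Test-Path -LiteralPath $_ }

    # Any row that comes back Allowed is a gap in the block list for that user.
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $candidates -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

Show-AppLockerSummary
Test-KnownBypassBinaries -User 'WINDCORP\someuser' | Format-Table -AutoSize   # placeholder account
```

To audit an exported policy offline instead of the live one, pass the XML file to `Test-AppLockerPolicy -XmlPolicy <file>`; adding `-Filter Denied,DeniedByDefault` (or `Allowed`) narrows the output to the decisions you care about. Remember that a collection whose EnforcementMode is AuditOnly logs rather than blocks, so check that field before trusting a Denied result.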