AppLocker Basics

Practical lab: HTB (Hathor)

If you want to create an AppLocker rule

In summary, the following are allowed to run:

  • Appx - Only signed

  • Dll

    • Signed by Microsoft

    • In Program Files and Windows folders

    • Run by admin group

    • C:\share\scripts\7-zip64.dll or C:\Get-bADpasswords\PSI\Psi_x64.dll

  • Exe

    • Explicitly blocks known AppLocker bypass binaries even when signed by Microsoft, including MSDT.exe, PRESENTATIONHOST.exe, MSHTA.exe, MSBUILD.exe, INSTALLUTIL.exe

    • Allows binaries signed by administrator@windcorp.com, AutoIt, or Microsoft (if not blocked above)

    • Explicitly blocks known paths, like %SYSTEM32%\Tasks:*, %SYSTEM32%\regsvr32, %SYSTEM32%\spool\drivers\color:*, etc.

    • In Program Files and Windows folders

    • Run by admin group

    • C:\share\Bginfo64.exe

  • Msi

    • Signed

    • In C:\Windows\Installer

    • Run by admin group

  • Scripts

    • Signed by administrator@windcorp.htb

    • In Program Files and Windows folders

    • Run by admin group

    • C:\script\login.cmd
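A summary like the one above is produced by reading the policy's rule collections one by one. The following PowerShell is an added example, not part of the lab or any writeup: it parses AppLocker policy XML and lists each rule's collection, action, principal and condition. The embedded policy is a constructed sample modelled on a few of the rules listed above; on a real host the same XML comes from `Get-AppLockerPolicy -Effective -Xml`.

```powershell
# Summarise an AppLocker policy per rule collection (Exe, Dll, Msi, Script, Appx).
# Constructed sample policy (not the lab's real one) so the script runs offline.
$sampleXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="a1" Name="Block writable Tasks dir" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\Tasks\*" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="a2" Name="Allow Microsoft-signed" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*"><BinaryVersionRange LowSection="*" HighSection="*" /></FilePublisherCondition></Conditions>
    </FilePublisherRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="Enabled">
    <FilePathRule Id="b1" Name="Admins may load any DLL" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

function Get-AppLockerRuleSummary {
    param([Parameter(Mandatory)][xml]$Policy)
    foreach ($collection in $Policy.AppLockerPolicy.RuleCollection) {
        # Each child is a FilePathRule, FilePublisherRule or FileHashRule element.
        foreach ($rule in $collection.ChildNodes) {
            $cond = $rule.Conditions.FirstChild
            $what = switch ($cond.LocalName) {
                'FilePathCondition'      { $cond.Path }
                'FilePublisherCondition' { "$($cond.PublisherName) / $($cond.ProductName) / $($cond.BinaryName)" }
                'FileHashCondition'      { "hash of $($cond.FileHash.SourceFileName)" }
            }
            # Resolve the SID to a name where the host can; fall back to the raw SID.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($rule.UserOrGroupSid)
            $who = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $rule.UserOrGroupSid }
            [pscustomobject]@{
                Collection  = $collection.Type
                Enforcement = $collection.EnforcementMode
                Action      = $rule.Action   # a Deny rule always overrides Allow rules
                RuleType    = $rule.LocalName
                Principal   = $who
                Condition   = $what
                Exceptions  = if ($rule.Exceptions) { $rule.Exceptions.ChildNodes.Count } else { 0 }
            }
        }
    }
}

# Replace $sampleXml with (Get-AppLockerPolicy -Effective -Xml) to audit the live host.
Get-AppLockerRuleSummary -Policy ([xml]$sampleXml) |
    Sort-Object Collection, @{Expression = 'Action'; Descending = $true} | Format-Table -AutoSize
```

Deny rules are listed first within each collection because AppLocker evaluates them ahead of any Allow rule, which is why the Exe collection above can allow all Microsoft-signed binaries while still blocking the named bypass paths.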
