Intentionally vulnerable AppLocker policy used to demonstrate several allowlisting misconfigurations
rustla/AppLockerLab
AppLocker Playground

An intentionally vulnerable AppLocker policy used to demonstrate several allowlisting misconfigurations.

Usage

  1. Open Local Security Policy in a Windows VM, preferably a Server OS (workstation OS variants require the Enterprise edition)
  2. Import AppLockerPlayground.xml into the Application Control Policies section
  3. Run gpupdate /force
  4. Run net start appidsvc as an administrative user
  5. Log in as a user with standard privileges

Policy Build Notes

The policy was built using AaronLocker, then lightly customised.

  1. Ran .\Create-Policies.ps1
  2. Added "C:\ProgramData\*" to .\CustomizationInputs\GetSafePathsToAllow.ps1
  3. Added the following to .\CustomizationInputs\UnsafePathsToBuildRulesFor.ps1:

     # Permit any signed files required by VMware
     # pubOnly: the generated publisher rule matches on the signer alone,
     # with no product name, binary name or version constraint
     @{
         label = "VMware Tools";
         paths = "C:\Program Files\VMware";
         pubruleGranularity = "pubOnly";
     }

  4. Removed the OneDrive path from .\CustomizationInputs\UnsafePathsToBuildRulesFor.ps1
  5. Re-scanned with the customised inputs: .\Create-Policies.ps1 -rescan
  6. Imported the policy using Local Security Policy on a fresh VM
  7. Removed ~20 rules related to OneDrive
  8. Added a publisher rule permitting MSBuild
  9. Exported the policy to XML
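As an added example that is not part of this repository: a PowerShell audit that parses an exported AppLocker policy XML and reports the two kinds of over-broad allow rules the build notes above introduce, a path rule outside AppLocker's default roots (such as C:\ProgramData\*) and publisher-only rules whose product and binary names are both "*". The function name, the $PolicyPath parameter and the embedded sample policy are mine; the sample is constructed and is not the repository's AppLockerPlayground.xml.

```powershell
# Added example, not part of the AppLockerLab repo. Run with -PolicyPath <exported.xml>
# (or the output of Get-AppLockerPolicy -Effective -Xml) to audit a real policy;
# with no argument it audits the constructed sample policy below.
param([string]$PolicyPath)

function Get-AppLockerRiskyRules {
    param([xml]$Policy)
    # An Allow path rule is only as strong as the ACLs on that path, so anything
    # outside the default roots deserves review (the lab adds C:\ProgramData\*).
    $trustedRoots = '%PROGRAMFILES%\', '%WINDIR%\', '%SYSTEM32%\'
    foreach ($coll in $Policy.AppLockerPolicy.RuleCollection) {
        foreach ($r in $coll.FilePathRule) {
            if ($r.Action -ne 'Allow') { continue }
            $p = $r.Conditions.FilePathCondition.Path
            $underRoot = $trustedRoots | Where-Object { $p.ToUpper().StartsWith($_) }
            if (-not $underRoot) {
                [pscustomobject]@{ Collection = $coll.Type; Kind = 'PathOutsideDefaultRoots'; Rule = $r.Name; Detail = $p }
            }
        }
        # ProductName="*" and BinaryName="*" together trust every file the publisher
        # has ever signed; this is what AaronLocker's pubOnly granularity produces.
        foreach ($r in $coll.FilePublisherRule) {
            if ($r.Action -ne 'Allow') { continue }
            $c = $r.Conditions.FilePublisherCondition
            if ($c.ProductName -eq '*' -and $c.BinaryName -eq '*') {
                [pscustomobject]@{ Collection = $coll.Type; Kind = 'PublisherOnly'; Rule = $r.Name; Detail = $c.PublisherName }
            }
        }
    }
}

if ($PolicyPath) { $xml = [xml](Get-Content -Raw -Path $PolicyPath) }
else {
    # Constructed sample shaped like AppLocker's exported XML; Ids are placeholders.
    $xml = [xml]@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="rule-1" Name="Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions></FilePathRule>
    <FilePathRule Id="rule-2" Name="ProgramData" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="C:\ProgramData\*"/></Conditions></FilePathRule>
    <FilePublisherRule Id="rule-3" Name="VMware Tools" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePublisherCondition PublisherName="O=VMWARE, INC., L=PALO ALTO, S=CALIFORNIA, C=US" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*"/></FilePublisherCondition></Conditions></FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}
Get-AppLockerRiskyRules -Policy $xml | Format-Table -AutoSize
```

Against the sample it reports the ProgramData path rule and the VMware publisher-only rule and stays silent on the %PROGRAMFILES% rule; a publisher rule for a known build tool such as MSBuild is still worth reviewing by name even when it is scoped to a product and binary.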
