Here is my collection of AppLocker hardening policies I created to disallow some known AppLocker bypasses. I build the rules using the following process:
- Added Oddvar Moe excellent compiled list (https://github.com/api0cradle/UltimateAppLockerByPassList)
- Added Microsoft recommended block rules (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)
- Added my own analysis of Windows Server 2012 R2 and Windows Server 2016 R2
Credits: These rules were created based on the hard work and the dedication of many security professionals, including (twitter accounts): @subtee, @enigma0x3, @mattifestation, @gN3mes1s, @Oddvarmoe, @tifkin_, @aionescu, @NickTyrer, @Hexacorn, @monoxgas, @vector_sec, @KyleHanslovan, @Sudhanshu_C, @bohops, @Moriarty_Meng and @pabraeken
Note: These policies may break things, therefore they are all in Audit Mode. You should test them thoroughly before applying in production environment
- In the Group Policy Management Console (GPMC), open the GPO that you want to edit:
- In the console tree under Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies, click AppLocker:
- Right-click AppLocker, and then click Import Policy:
- In the Import Policy dialog box, locate the XML policy file, and click Open:
- The AppLocker dialog box will notify you of how many rules were imported. Click OK:
Dislaimer: These sample policies are not supported under any standard support program or service. These sample policies are provided AS IS without warranty of any kind. The author further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall the author, or anyone else involved in the creation, production, or delivery of the script be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if the author has been advised of the possibility of such damages.