AppLocker rules by default are allowing all the files that are inside in the Windows folder and Program files to be executed as otherwise the system will not operate as normal. If appropriate permissions are not set in these folders an attacker could exploit this in order to bypass AppLocker.

Windows environments (check was done in Windows Server 2008 R2) by default allowing standard users of the system to have read and write access in these folders:

  • C:\Windows\Tasks
  • C:\Windows\Temp
  • C:\Windows\tracing

The accesschk tool can be used to identify if the group “Users” have RW permissions inside the Windows folder.

Weak Permssions in Windows Folder
Weak Permissions n Windows Folder

The next step is to drop the binary into the folder that has weak permissions and execute it. In this case the executable is the legitimate application accesschk64.

AppLocker - Binary Planting to Weak Folder
AppLocker – Binary Planting into Weak Folder

Since the AppLocker rules are allowing files that are contained inside the Windows folder to be executed then the utility would run as normal. Otherwise it will be blocked by the AppLocker rules.

AppLocker - Default Rules
AppLocker – Default Rules
AppLocker Bypass - Weak Path Rules
AppLocker Bypass – Weak Path Rules

Conclusion

Implementing AppLocker by default doesn’t really provide any security measure since it can be bypassed easily. As AppLocker by default trusts Microsoft signed binaries and Windows folders it is essential to evaluate permissions and trusted binaries that can execute code in order to protect effectively the Windows ecosystem.

5 Comments

  1. Thanks!
    In this case, changing by GPO NTFS permissions for this folders could be a solution?
    Best regards!

      1. 1. Users do have write permission to C:\Windows\tracing, but no execution permission on files located there.
        2. Users do not have read permissions to C:\Windows\temp but users can write files into it and also run them if they know there exact path. So this folder should still be added to the exclusions list of the default rule.
        3. The folder tasks should also be added to the exclusions list of that rule.

Leave a Reply to Anonymous Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s