Coder Social home page Coder Social logo

aaronlocker's Introduction

Overview

AaronLocker is designed to make the creation and maintenance of robust, strict, application control for AppLocker and Windows Defender Application Control (WDAC) as easy and practical as possible. The entire solution involves a small number of PowerShell scripts. You can easily customize rules for your specific requirements with simple text-file edits. AaronLocker includes scripts that document AppLocker and WDAC policies and capture event data into Excel workbooks that facilitate analysis and policy maintenance.

AaronLocker is designed to restrict program and script execution by non-administrative users. Note that AaronLocker does not try to stop administrative users from running anything they want – and application control solutions cannot meaningfully restrict administrative actions anyway. A determined user with administrative rights can bypass any application control solution.

AaronLocker’s strategy can be summed up as: if a non-admin could have put a program or script onto the computer – i.e., it is in a user-writable directory – don’t allow it to execute unless it has already been specifically allowed by an administrator. This will stop execution if a user is tricked into downloading malware, if an exploitable vulnerability in a program the user is running tries to put malware on the computer, or if a user intentionally tries to download and run unauthorized programs.

AaronLocker works on all supported versions of Windows that can provide AppLocker and is built to support WDAC on Windows 10 version 1903 and above.

Part I of this document is a high-level description of application control concepts, AppLocker, WDAC, and the AaronLocker approach. Part II is the “operations guide” that digs into the details of implementing AaronLocker for your environment.

A personal note from Aaron Margosis (the original creator of AaronLocker): the name “AaronLocker” was Chris (@appcompatguy) Jackson’s idea – not mine – and I resisted it for a long time. I finally gave in because I couldn’t come up with a better name.

Demos

7 minute "Intro to 'AaronLocker'" (circa Feb. 2019): https://youtu.be/nQyODwPR5qo

13 minute "AaronLocker Quick Start" - how to build, customize, and deploy robust and practical AppLocker rules quickly using AaronLocker (circa Feb. 2019): https://youtu.be/E-IrqFtJOKU

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

aaronlocker's People

Contributors

5eant avatar api0cradle avatar jsuther1974 avatar microsoft-github-policy-service[bot] avatar microsoftopensource avatar msftgits avatar rmoreas avatar

Stargazers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

Watchers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

aaronlocker's Issues

Unable to add exceptions using GetExeFilesToDenyList.ps1

I'm trying to prevent regular users from launching msiexec.exe but when I edit "C:\AaronLocker\CustomizationInputs\GetExeFilesToDenyList.ps1 " as shown below

# Files used by ransomware
"$env:windir\System32\cipher.exe"
"$env:windir\System32\msiexec.exe"

And then re-ran PS C:\AaronLocker> .\Create-Policies.ps1

The resulting .xml rules don't include the new exception.

[----- Publisher exceptions -----]

CIPHER.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® WINDOWS® OPERATING SYSTEM

INSTALLUTIL.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® .NET FRAMEWORK

MICROSOFT.WORKFLOW.COMPILER.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® .NET FRAMEWORK`

MSBUILD.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® .NET FRAMEWORK

MSHTA.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; INTERNET EXPLORER

PRESENTATIONHOST.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® WINDOWS® OPERATING SYSTEM`

REGASM.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® .NET FRAMEWORK

REGSVCS.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® .NET FRAMEWORK

RUNAS.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® WINDOWS® OPERATING SYSTEM`

WMIC.EXE: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US; MICROSOFT® WINDOWS® OPERATING SYSTEM`

Please, advice.

Updating of documentation to include Code Integrity rules

Just reviewing the documentation and the section unusual EXE/DLL combinations talks about using code integrity rules but has this comment "[[[ Working on this; not ready to release yet. ]]]".

Do you have support for this yet?

Custom AD group for UnSafePath

I'm playing around with AppLocker for a while now.
AaronLocker makes my life easy.
Normally, EXEs and DLLs in UnSafePath are restricted to a specific AD Group. As number of generate rules can be massive (for example Oracle installed in C:\Oracle), and manually reviewing all related rules very boring... if there is an option to specify a custom AD group SID for them wuold be great.
Something like:
@{
label = "Oracle";
paths = "C:\Oracle";
customUserorGroupSid = "S-1-5-21-4163178468-2177354522-4168272174-26602"
}

Other option is using Static rules, but is painfull to keep updated...

Thanks,
David

WDAC rules are not generated on Windows Server 2019

WDAC is supported on Windows Server 2016 and later.
However the Create-Policies script does not generate WDAC policies and reports the following:
AaronLocker supports WDAC on Windows 10 version 1903 (build 18362) and greater. Current build is 17763. Processing AppLocker only.

After I disabled the check in Create-Policies.ps1, the script reports errors on the Set-CIPolicyIdInfo command because on Windows Server 2019 this commandlet does not have a -ResetPolicyID parameter.

Question: WDAC Allow and Deny

Hi,

I have a question about the allow and deny wdac rules.
The documentation states that:

The WDAC Allow and Deny policies can be deployed together or separately based on your specific enforcement requirements.

In my opinion, both types of policies should be deployed to get the maximum protection. Actually ms has there own block rules. Those should definitly be honored.
That means that both policies get deployed to the devices as base policies.
According to the ms documentation, if there are multiple base policies:

If two base policies exist on a device, an application has to be allowed by both to run

The deny-policy contains a "allow everything" rule (also see #28)
The allow-policy contains specific allow rules.
The combination of both will allow all applications to run that are allowed by the allow-policy (because the deny-policy allows all of them, too). And block all other applications because they are either not whitelisted by the allow-policy or denied by the deny policy.

Is that right?

Best regards

Russian accont\group names

Hello.
I use Windows10 (ltsb) and if I generate reports I see "??" instead of groups

<dir name="C:\Windows\Tasks">
<Grantee>NT AUTHORITY\????????? ????????</Grantee>
</dir>
<dir name="C:\Windows\Temp">
<Grantee>BUILTIN\????????????</Grantee>
</dir>

PowerShell 7 / Windows 11 Support

Haven't seen a mention of this anywhere.
Would be great for AaronLocker to be updated, to support PowerShell 7 / Windows 11.
Currently, there are a couple of points.

  • The .ps1 files look for PSVersion 5.1. The way it looks for it (Major -ne 5 -or Minor -ne 1) means that if 7.1 exists it will pass, so that should be improved anyway
  • SupportFunctions.ps1 uses 'Get-Content -Encoding Byte', and Byte encoding type was removed/replaced, so this causes an error

I've been able to modify my copy, but would be useful to have the main branch updated with these changes.

GetSafePathsToAllow creates rules for only last path provided as many times as the number of paths listed

When adding paths to CustomizationInputs/GetSafePathsToAllow.ps1 such as:

### Windows Defender put their binaries in ProgramData for a while. Comment this back out when they move it back.
"%OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\*";
"C:\Test1\*";
"D:\Test2\*";

The output applocker policy creates 3 FilePathRules for D:\Test2\*

<FilePathRule Id="f57ec424-b91a-4304-8593-9cc076cb1432" Name="Additional allowed path: D:\Test2\*" Description="Allows Everyone to execute from D:\Test2\*" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="D:\Test2\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="7a3a4a26-b067-4adb-8cb0-fa5dbacdec09" Name="Additional allowed path: D:\Test2\*" Description="Allows Everyone to execute from D:\Test2\*" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="D:\Test2\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="7d5afda0-1373-4358-8505-f9946c350d95" Name="Additional allowed path: D:\Test2\*" Description="Allows Everyone to execute from D:\Test2\*" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="D:\Test2\*" />
      </Conditions>
    </FilePathRule>

Just a thought regarding NonDefaultRootDirs

Hi,

I may be missing something important but cann't we directly use Scan-Directories.ps1 to factorise parent folder which are not user-writable in all sub-folders?

In this particular case it's better to add C:\Apps* in GetSafePathsToAllow.ps1 instead of adding all sub-folders that contains binaries even if C:\Apps\ doesn't have any binary.
Because for the moment, we need to use Support\Enum-WritableDirs.ps1 to verify if the NonDefaultDir is totally safe.

Many thanks.

netlogon location

Just getting started with using this - thanks for providing a very interesting project.

I see that it has produced a warning for our AD logon scripts as expected for \\DOMAIN\netlogon\*, but I'm seeing an audit warning for trying to exec a login script from a particular AD server. Something like \\SERVER\NETLOGON\USER.BAT with SERVER being a short (non-FQDN) name. Is that a configuration setting somewhere? The scriptPath setting in ldap is simply USER.bat.

Request: Intune ready Applocker XML files

Would be nice if AaronLocker could already make the split XML files for Intune (Appx, MSI, EXE, Scripts and DLL)
Anyway thanks for the tool! Really like it.

Regards Menno

Create-Policies script triggers SentinelOne for Malware

Running Create-Policies.ps1 triggers SentinelOne as malicious. Powershell is terminated and Accesschk.exe is quarantined.

Alert Name: Shadow copy Deletion detected
Severity: High
Notable Events and MITRE ATT&K ID's (appears to be in reverse order):
Deletes shadow copy Impact (T1490)
Identified attempt to access a raw volume Discovery (T1082)
User logged on Persistence (T1078) X4
Obfuscated PowerShell command executed from an LNK file was detected Defense Evasion (T1027) X3
An obfuscated PowerShell command was detected Defense Evasion (T1027) X3
Powershell execution policy was changed Execution (T1059.001)
Process started from shortcut file Execution (T1204)
Indirect command was executed Defense Evasion (T1218) X2

VirusTotal API integration

I've found an Excel Macro which can pull VirusTotal malicious data into the aaron Workbook results, but it doesn't accept Hash from the workbook. I believe it's Microsoft Authenticode Hash and not a true SHA256 hash. However, if possible I'd like to check the unsigned files etc for VirusTotal suspicious type etc

I guess my major issue is, how do you check these AppLocker HASH values against Virus Total, otherwise I have to pull the DLL or EXE and upload it manually, which I could do but that runs the risk of spreading a suspicious file.

How do we get signed scripts?

I downloaded the latest master branch, but the scripts in there aren't signed, so I can't use the RemoteSigned execution policy. Is this intended, or is there a right way to get the signed scripts?
I know I can work around this via execution mode unrestricted but obviously that won't work in production. Thanks!

PS C:\aaronlocker\AaronLocker-master\AaronLocker\Support> Get-AuthenticodeSignature .\DownloadAccesschk.ps1

Directory: C:\aaronlocker\AaronLocker-master\AaronLocker\Support

SignerCertificate Status Path


                                      NotSigned                              DownloadAccesschk.ps1

WDAC Events

Will there be an update to the suite of tools to include PS scripts for Get-WDACEvents.ps1 and Save-WEFEvents.ps1 same as there are for AppLocker? as most people will be looking to go the WDAC route with MS recommendations moving forward.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.