Application Allow listing with AppLocker

September 19, 2023

Application Allow Listing, also known as Application Whitelisting, is a cybersecurity strategy and technique designed to enhance the security of a computer or network by specifying which applications or executable files are permitted to run. In contrast to traditional security approaches that focus on blocking known malicious software (blacklisting), application allow listing takes a more proactive and restrictive approach by only allowing authorized and trusted applications to run.

In this Antisyphon “Intro to Security” class, I am going to set up a simple backdoor, have it connect back to an Ubuntu system, and see what happens when AppLocker is not running on a Windows system. I will then turn on AppLocker and see the difference.

First, I am going to disable Defender by running the following from an Administrator PowerShell prompt:

The red errors mean that Defender is no longer running on my system.

On the Linux system, I am going to run the “ifconfig” command to get my IP address:

I take note of the IP address of the Ethernet adapter: 172.18.127.59

Using this IP address, I can now use a program called “msfvenom” to create a Metasploit payload (here the malware is saved into a temp file called “TrustMe.exe”), then start a backdoor and a backdoor listener. The goal of this lab is not to hack into a computer, though. I am creating a piece of malware, manually moving it over and executing it, and then I am going to use AppLocker to prevent this malware from executing. Next, I copied the TrustMe.exe file to the tools directory on my Windows system.

Then I open a new Ubuntu terminal and run Metasploit. I use exploit/multi/handler so that I can handle and receive connections for multiple different operating systems. When I set the payload, I tell Metasploit that the incoming connection is going to be a Meterpreter reverse TCP connection, which lets it catch the Meterpreter session coming in to this system. I set LHOST to my Linux IP address. When I type exploit, nothing visible happens: the handler sits there waiting for a connection that has not occurred yet.

In order for that connection to come through, I need to go to my Windows system, navigate to the tools directory where I copied the malware I just created, and then execute my TrustMe.exe file.

In a Windows command prompt, I run the following commands in order to run the TrustMe.exe file:

This launched a Metasploit session on the Ubuntu box. I now have a Meterpreter session. What does that mean? It means my Windows system is compromised. I now have malware running on my Windows computer, so I could run commands like “ls” and see all the files in this particular directory. I could also download files off my victim’s computer, run a keylogger, etc.

So how do I shut this down? I am now going to use AppLocker to prevent this from happening.

In order to be able to configure AppLocker, I need to be able to access the Local Security Policy on my Windows system.

To configure AppLocker, I need to go to Security Settings > Application Control Policies and then AppLocker.

I can now add rules.

There are 0 rules enforced for all policies. I will add the default rules. It is better to pick the default rules because they are far less likely to brick a system. To do this, I have to select each of the above rule groups (Executable, Windows Installer, Script and Packaged app) and, for each one, right-click in the area that says “There are no items to show in this view.” and then select “Create Default Rules”:

This generates a set of default rules for each rule collection. By default, the rules are really simple: everyone can execute from the Program Files directory, everyone can execute from the Windows directory, and Administrators can execute anything.

Next, I need to enforce the rules that were just created. To do this, I select AppLocker in the far left pane and then select Configure rule enforcement. This opens a pop-up in which I check Configured for each set of rules.

Now I need to start the Application Identity service: type “services” in the search bar, open Services, then double-click “Application Identity.” The Application Identity service is what allows Windows to examine every application that runs on my system: where it is actually executing from and its attributes (the digital certificate, the publisher, the path, etc.).

I need to press the Start button in the dialog box that just opened. This will start the service.

Next, I need to open a command prompt and run gpupdate to force the policy change.

Next, I will log out of my account and log back in as allowlist.

I can go into Windows Explorer and try to run the TrustMe.exe file:

I should get an error whenever I try to execute anything that is not in the Program Files or Windows directories.
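The same setup can be scripted instead of clicked through. The following is an added example and is not code from the original post or from the class: it reproduces the default-rule pattern described above (Everyone may run from Program Files and Windows, Administrators may run anything) for the Executable and Script collections, applies it to the local policy, starts the Application Identity service, refreshes policy, and then dry-runs the policy against the lab binary and looks for block events. It assumes the binary lives at C:\tools\TrustMe.exe as in the post; the rule GUIDs are generated on the fly, not Microsoft's own default rule IDs, and the Windows Installer and Packaged app collections (whose defaults are publisher-based) are left to the snap-in.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumed from the post: the lab
# binary is C:\tools\TrustMe.exe. Rule GUIDs below are constructed here, not
# Microsoft's default rule IDs.

Import-Module AppLocker

$everyone = 'S-1-1-0'        # well-known SID: Everyone
$admins   = 'S-1-5-32-544'   # well-known SID: BUILTIN\Administrators

# The three path rules the post describes, reused for each collection below.
$defaultRules = @(
    @{ Name = 'All files located in the Program Files folder'; Sid = $everyone; Path = '%PROGRAMFILES%\*' }
    @{ Name = 'All files located in the Windows folder';       Sid = $everyone; Path = '%WINDIR%\*'       }
    @{ Name = 'All files (Administrators)';                    Sid = $admins;   Path = '*'                }
)

function New-PathRuleXml {
    param([hashtable]$Rule)
    $id = [guid]::NewGuid().ToString()
    return @"
    <FilePathRule Id="$id" Name="$($Rule.Name)" Description="" UserOrGroupSid="$($Rule.Sid)" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$($Rule.Path)" />
      </Conditions>
    </FilePathRule>
"@
}

# Build the policy document. EnforcementMode="Enabled" is the equivalent of
# ticking "Configured" with "Enforce rules" in the snap-in; "AuditOnly" only logs.
$lines = @('<AppLockerPolicy Version="1">')
foreach ($collection in 'Exe', 'Script') {
    $lines += "  <RuleCollection Type=`"$collection`" EnforcementMode=`"Enabled`">"
    foreach ($rule in $defaultRules) { $lines += New-PathRuleXml -Rule $rule }
    $lines += '  </RuleCollection>'
}
$lines += '</AppLockerPolicy>'

$policyFile = Join-Path $env:TEMP 'applocker-default-rules.xml'
$lines -join "`n" | Set-Content -Path $policyFile -Encoding UTF8

# Apply to the local machine policy (what the Local Security Policy snap-in edits).
# Add -Merge to keep rules that already exist instead of replacing the policy.
Set-AppLockerPolicy -XmlPolicy $policyFile

# Nothing is evaluated until the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Same as the gpupdate step in the post.
gpupdate /force | Out-Null

# Dry run: what would this policy decide for the lab binary when Everyone runs it?
# C:\tools is outside both allowed locations, so expect Denied / DeniedByDefault.
$target = 'C:\tools\TrustMe.exe'
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $target -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Detection side: real blocks are logged as event ID 8004 in the AppLocker
# "EXE and DLL" log, which is what a SOC would alert on.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Run it from an elevated PowerShell prompt, then log out and back in as a standard user (allowlist in the post) and try the binary again; Test-AppLockerPolicy only predicts the decision, the 8004 event confirms an actual block. Because these are path rules, the policy trusts everything under the Program Files and Windows directories, so the protection is only as good as the permissions on those folders; on a production machine, start with EnforcementMode="AuditOnly" and review the log before switching to Enabled.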
