Bypass AppLocker on Windows: how does it work?


AppLocker is a popular Windows feature that lets you block the execution of software according to a set of rules. However, with the default rules it is possible to bypass AppLocker in a few simple steps.

Note: AppLocker is a feature supported on Windows Enterprise and Education editions, including Windows Vista, Windows 10 and Windows 11. It also runs on Windows Server and can be useful on an RDS server.

When you set up an AppLocker policy, it is often to authorize only the execution of software located in "C:\Windows", "C:\Program Files" and "C:\Program Files (x86)". This is the default set of rules. With this configuration, a user cannot run a portable application from a USB key or install an application in their user profile, so only applications installed (and approved) by the administrator can be used.

By creating a new GPO, you can define the AppLocker policy of your choice by defining rules.

AppLocker GPO

You can see the default rules:

Now, let's see how to bypass AppLocker, assuming we apply these rules to a machine...

1. AppLocker and the C:\Windows\Temp directory

With the current policy, you can run applications located in "C:\Windows", "C:\Program Files" and "C:\Program Files (x86)". So if I try to run a portable application from the "Desktop", logged in as a standard user, AppLocker will block me!

To bypass AppLocker and run the software, you need to look at the "C:\Windows\Temp" directory on the machine! This directory has specific permissions: if I try to open it in File Explorer, I'm blocked. On the command line, with Command Prompt or PowerShell: same thing.

However, AppLocker can still be circumvented from the command line. It turns out that you are allowed to copy files into "C:\Windows\Temp". We can therefore copy the executable into this directory:

copy "C:\Users\Tutobox\desktop\logiciel.exe" "C:\Windows\Temp\"

The above command copies the executable "C:\Users\Tutobox\desktop\logiciel.exe" into this famous directory. You'll see that it works! From here, you can also run:

C:\Windows\Temp\logiciel.exe

Your software will run, because the default AppLocker policy does not restrict this directory! What may still block it is UAC, if the application in question requires administrator rights. Otherwise, you've successfully bypassed AppLocker!
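As an added check for administrators (not part of the original article), the following PowerShell audit, run from an elevated prompt, reports whether the effective AppLocker policy still allows execution from C:\Windows\Temp while standard users can create files there. The function name and the test file name applocker-audit.exe are assumptions; the file must already exist in the directory so that Test-AppLockerPolicy can evaluate it.

```powershell
# Added audit example; not code from the original article.
# Assumes an elevated PowerShell where the AppLocker module is available and
# that a test executable (hypothetical name applocker-audit.exe) has been
# placed in the directory under test.
Import-Module AppLocker

function Test-AppLockerWritableDir {
    param(
        [string]$Directory = 'C:\Windows\Temp',
        [string]$SampleExe = 'applocker-audit.exe'
    )

    $samplePath = Join-Path $Directory $SampleExe

    # 1. Ask the effective AppLocker policy whether 'Everyone' may run an EXE here.
    $policy   = Get-AppLockerPolicy -Effective
    $decision = Test-AppLockerPolicy -PolicyObject $policy -Path $samplePath -User 'Everyone'

    # 2. Check whether non-admin principals are allowed to create files in the directory.
    $writePrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    $writable = (Get-Acl -Path $Directory).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $writePrincipals -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $createFiles) -eq $createFiles
    }

    # A directory that is both user-writable and covered by an Allow rule is a gap:
    # the default "%WINDIR%\*" Allow rule needs a matching Deny rule for it
    # (for example a path Deny rule on %WINDIR%\Temp\* for Everyone).
    [pscustomobject]@{
        Directory      = $Directory
        PolicyDecision = $decision.PolicyDecision
        MatchingRule   = $decision.MatchingRule
        UserWritable   = [bool]$writable
        Gap            = ($decision.PolicyDecision -eq 'Allowed') -and [bool]$writable
    }
}

Test-AppLockerWritableDir
```

Gap = True means a standard user can both write to and execute from the directory under the current rules, which is exactly the situation described above.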

2. Conclusion

AppLocker remains a very interesting solution, but you need to go further than the default rules, and also restrict access to the Windows consoles (PowerShell / Command Prompt) to avoid unpleasant surprises. There are other methods; this is just one example of why AppLocker needs to be finely tuned.
